In This Article

NIST Password Guidelines

Natasha Murphy
| Read Time 4 min read| Updated On - December 15, 2022

NIST Password Guidelines

The National Institute of Standards and Technology (NIST) is a non-regulatory government agency in the United States, that produce standards and guidelines to help federal agencies meet the requirements of the Federal Information Security Management Act (FISMA).

The NIST password guidelines, as you might expect, provide recommendations for how passwords are created, verified, and handled. The guidelines are not enforced, although many companies choose to follow them in order to strengthen their security posture and comply with the relevant data privacy regulations.

Revision 3, the current revision of the NIST password guidelines, was released in 2017 and updated in 2019. Revision 3 introduced a number of changes relating to the strict complexity requirements that were detailed in previous revisions.

To put it simply, when passwords become too complex, users find other ways to inadvertently compromise password security in order to help them to remember their passwords, which is counter-productive. For example, they might start writing their passwords down on post-it notes, or reusing them, with, perhaps, a few alterations, etc.

NIST Password Guidelines

Following NIST password guidelines will help organizations protect themselves against brute force attacks, dictionary attacks, credential stuffing, and more. Below are some of the most notable changes made in the 3rd revision of the NIST password guidelines:

1. Password Length

As mentioned above, the strict password complexity requirements have been removed in revision 3, as they were seen as being counter-productive. Under the new revision, user-created passwords should be at least 8 characters in length, and machine-generated passwords should be at least 6 characters in length. Organizations should also allow for passwords that are as big as 64 characters in length.

2. Password Processing

Organizations should stop truncating passwords, and all passwords should be hashed and salted, with the full password hash stored. Users should be allowed to enter their password at least 10 times before getting locked out.

3. Accepted Characters

All ASCII characters are permissible, including the space character. Unicode characters, such as emojis, are also acceptable. Users should be prevented from using obvious patterns, such as sequential numbers or repeated characters.

4. Commonly Used Words

Users should not use commonly used words in their passwords. Likewise, they should be discouraged from using words and phrases that are context-specific.

5. Breached passwords

Organizations should check passwords against a list of previously breached passwords. There is a service called Have I Been Pwned? which contains a list of 570+ million passwords, which have been used in real-life breaches. When users try to create a password that is on the list, they should be prompted to enter a different password.

6. Password Expiration

According to both NIST and Microsoft, password expiration policies are no longer necessary. It has been suggested that forcing users to periodically change their passwords may actually do more harm than good, as users become more likely to choose predictable passwords as they are easier to remember.

7. Password Hints

Password hints, or what some refer to as Knowledge-based Authentication (KBA), are now discouraged by the NIST guidelines. For example, a password hint such as “What was the name of your first pet?”, could be fairly easy for an attacker to guess, especially if they did some research beforehand.

8. Password Managers

It’s often the case where users use password managers to help them remember their passwords. However, some password fields don’t allow users to paste their passwords. Under the new NIST guidelines, login forms should allow users to paste passwords.

9. Two Factor Authentication (2FA)

When using 2FA, organizations should use an authenticator app, such as Google Authenticator or Okta Verify, as opposed to SMS, as it is no longer seen as a secure method of verification.

If you’d like to see how the Lepide can help you with NIST and password security, schedule a demo with one of our engineers today.

Natasha Murphy
Natasha Murphy

Natasha is a dedicated customer success advocate, helping Lepide customers to get the most out of their solutions.

Popular Blog Posts