NIST Password Guidelines

NIST Password Guidelines

Following NIST password guidelines will help organizations protect themselves against brute force attacks, dictionary attacks, credential stuffing, and more. Below are some of the most notable changes made in the 3rd revision of the NIST password guidelines:

1. Password Length

As mentioned above, the strict password complexity requirements have been removed in revision 3, as they were seen as being counter-productive. Under the new revision, user-created passwords should be at least 8 characters in length, and machine-generated passwords should be at least 6 characters in length. Organizations should also allow for passwords that are as big as 64 characters in length.

2. Password Processing

Organizations should stop truncating passwords, and all passwords should be hashed and salted, with the full password hash stored. Users should be allowed to enter their password at least 10 times before getting locked out.

3. Accepted Characters

All ASCII characters are permissible, including the space character. Unicode characters, such as emojis, are also acceptable. Users should be prevented from using obvious patterns, such as sequential numbers or repeated characters.

4. Commonly Used Words

Users should not use commonly used words in their passwords. Likewise, they should be discouraged from using words and phrases that are context-specific.

5. Breached passwords

Organizations should check passwords against a list of previously breached passwords. There is a service called Have I Been Pwned? which contains a list of 570+ million passwords, which have been used in real-life breaches. When users try to create a password that is on the list, they should be prompted to enter a different password.

6. Password Expiration

According to both NIST and Microsoft, password expiration policies are no longer necessary. It has been suggested that forcing users to periodically change their passwords may actually do more harm than good, as users become more likely to choose predictable passwords as they are easier to remember.

7. Password Hints

Password hints, or what some refer to as Knowledge-based Authentication (KBA), are now discouraged by the NIST guidelines. For example, a password hint such as “What was the name of your first pet?”, could be fairly easy for an attacker to guess, especially if they did some research beforehand.

8. Password Managers

It’s often the case where users use password managers to help them remember their passwords. However, some password fields don’t allow users to paste their passwords. Under the new NIST guidelines, login forms should allow users to paste passwords.

9. Two Factor Authentication (2FA)

When using 2FA, organizations should use an authenticator app, such as Google Authenticator or Okta Verify, as opposed to SMS, as it is no longer seen as a secure method of verification.

If you’d like to see how the Lepide can help you with NIST and password security, schedule a demo with one of our engineers today.