Why AD360
 
Solutions
 
Resources
 
 

NIST password guidelines: Bolstering password security

Sachin Raaghav

September 205 min read

Book Demo

Table of Content

Read more
  • 5 pain points you can overcome in AD user account management  
    Manual vs. automated identity life cycle management  
    Active Directory clean-up: Should you automate it?  
  • Maintain confidentiality of critical information by implementing the POLP  
    6 essential capabilities of a modern UBA solution  
    How can SSO help in reinforcing password security?  
  • Authentication vs. authorization  
    5 simple steps to HIPAA compliance  
    Smart strategies to provision and de-provision Active Directory  

NIST password guidelines: Bolstering password security

Introduction

Weak, repetitive, and recycled old passwords can be easily exploited by threat actors, leaving organizations vulnerable to data breaches.Thankfully, the National Institute of Standards and Technology (NIST) has released guidelines to help organizations bolster their password security. In this article, we'll go over the basics of the NIST recommendations, and how you can use them to create stronger passwords for your online accounts.

What are the NIST password guidelines?

Since the 2016 release of the NIST's Digital Identity Guidelines, which strongly recommended against the use of static, complex passwords, many organizations have been scrambling to update their password policies. In June 2017, the NIST released an update to the guidelines that included additional recommendations for password security.

The new guidelines recommend that organizations allow users to use passphrases instead of complex passwords and that these passphrases be at least eight characters long. They also recommend that organizations check passwords against a list of known compromised passwords and that they enforce a minimum number of different character types (upper case, lower case, numbers, symbols) in passwords.

In addition, the guidelines recommend that organizations allow users to change their passwords more frequently if they wish to and that organizations provide guidance on how to create strong passwords. Overall, the goal is to make it easier for users to create and remember strong passwords while still providing adequate protection against brute-force attacks and other password-related threats.

The NIST password authentication guidelines

The new NIST guidelines include a number of recommendations for organizations to improve their password policies. Some of the key recommendations are:

  • Use longer passwords or passphrases: The new guidelines recommend using passwords that are at least eight characters long. However, longer passwords or passphrases are even better. For example, a passphrase such as "correct horse battery staple" is much more difficult to guess than a shorter password like "password123."
  • Don't allow common passwords: The NIST guidelines recommend against allowing common passwords, such as "123456" or "password." Attackers often use dictionaries of common passwords when trying to guess user credentials.
  • Use two-factor authentication: The guidelines recommend using two-factor authentication (2FA) whenever possible. 2FA adds an additional layer of security by requiring the user to enter a code from their mobile phone in addition to their password.
  • Don't reuse passwords: The NIST guidelines recommend against reusing passwords across different accounts. If one account is compromised, the attacker will often try the same password on other accounts.
  • Use a password manager: The guidelines recommend using a password manager to generate and store strong passwords. Password managers can also help with other recommendations, such as not reusing passwords and using 2FA.

The NIST guidelines are just that: guidelines. They are not mandatory, but they provide a good starting point for organizations to improve their password policies.

The NIST password storage guidelines

The NIST recently released new guidelines for storing passwords. The goal of these guidelines is to help organizations better protect their passwords and improve password security.

There are a few key things to know about the NIST password guidelines, including:

  • Passwords should be stored using a hashing algorithm.
  • Passwords should be hashed with a cryptographic salt (a random text added to each password instance before its hashing).
  • Passwords should be hashed multiple times.
  • Password policies should be reviewed and updated regularly.
  • Organizations should have a process for managing password changes.

The NIST password guidelines provide a strong foundation for organizations to improve their password security practices. By following these guidelines, organizations can help keep their passwords safe and secure.

Conclusion

As password security becomes more and more important, it's crucial to follow the latest guidelines in order to keep your accounts safe. The NIST's new password guidelines are a great way to do just that, and by following them, you can help ensure that your passwords are as strong as possible. So, what are you waiting for? Start implementing these tips today and rest easy knowing that your accounts are well-protected.