NIST password guidelines
NIST password guidelines are recommendations published by the National Institute of Standards and Technology (NIST), chiefly in Special Publication 800-63B (Digital Identity Guidelines: Authentication and Lifecycle Management), on how passwords should be created, verified and stored. The 2017 edition broke with older practice by drawing on what password-cracking research, breach corpora and observed attacker behavior show about how people actually choose passwords, and the guidance has been revised several times since. That evidence base is why it is the most widely cited standard for password policy. A NIST-compliant password is hard to guess yet easy for its owner to use.
What are the latest NIST password guidelines?
The guidelines cover three areas: new password creation, password authentication, and password storage. The main recommendations are:
- Password length matters more than complexity: Contrary to conventional thinking, a long password resists offline cracking of a stolen hash better than a short one stuffed with symbols, so NIST drops mandatory composition rules (mixing cases, digits and symbols) in favor of length. The NIST minimum is eight characters for a user-chosen password, and verifiers should accept passwords of at least 64 characters.
- Periodic password resets: NIST recommends forcing a reset only when there is evidence that a password has been compromised. Scheduled expiry pushes users toward predictable variations of their old passwords (incrementing a trailing digit, for example), which gains nothing against an attacker who already holds the previous one.
- Screen new passwords against lists of commonly used and compromised passwords: Every new password must be checked against commonly used passwords, dictionary words, repetitive or sequential characters (aaaa, 1234), context-specific words such as the username or the service name, and passwords exposed in previous breaches.
- Offer a show-password option while typing: Letting users see what they are typing makes them more likely to get it right on the first attempt, which reduces needless account lockouts and reset requests.
- Allow the pasting of passwords: Blocking paste in the password field gets in the way of password managers, slows down account creation and login, and so nudges users toward weaker passwords they can type from memory.
- Do not use password hints or security questions: NIST advises against hints stored with the account and against knowledge-based questions ("What was your first pet?") as a recovery method, because the answers are often public or guessable and give an attacker the same prompt the user gets.
- Limit failed attempts: Capping the number of consecutive failed attempts on an account (NIST sets the ceiling at 100) blunts online brute-force and password-spraying attacks. Because a hard lockout can also be abused to deny service to legitimate users, NIST also suggests throttling measures such as CAPTCHAs or delays that grow with each failure.
- Use multi-factor authentication (MFA): Requiring a second factor means a phished or leaked password alone does not open the account. Phishing-resistant factors such as FIDO2 security keys or smart cards hold up even when a user is tricked into entering a one-time code on a fake site.
- Secure the password database: Limit access to the store holding password hashes to the accounts and people that need it, and monitor that access, so that a foothold elsewhere in the environment does not hand an attacker the whole table.
- Salt and hash passwords: NIST requires each password to be salted with at least 32 bits of random data and passed through a one-way key derivation function such as PBKDF2 or Balloon, with an iteration count (at least 10,000) set as high as the verification server can bear. The stored hash can additionally be keyed with a secret held separately from the database, so a stolen table alone cannot be cracked.
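The screening, salting-and-hashing and failed-attempt rules from the list above, worked through as one added Python example. This is illustrative code written for this page, not code from NIST or from ADSelfService Plus. The blocklist, the service name "ExampleCorp", the 210,000-iteration cost factor and the in-memory record store are assumptions for the example; a real verifier loads a breach corpus, tunes the cost to its hardware, and persists records and counters.

```python
import hashlib
import hmac
import os
import re

# --- Screening (SP 800-63B 5.1.1.2) -----------------------------------------
# Constructed blocklist for the example only; a real verifier loads a large
# corpus of breached and commonly used passwords.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome1", "iloveyou"}
MIN_LENGTH = 8                # NIST floor for user-chosen secrets
MAX_LENGTH = 64               # NIST: verifiers SHOULD accept at least 64 characters
SERVICE_NAME = "ExampleCorp"  # assumed name of the service being protected


def _has_sequential_run(pw, run=4):
    """True if `run` consecutive characters step by exactly +1 or -1 (abcd, 4321)."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - run + 1):
        diffs = {b - a for a, b in zip(codes[i:i + run], codes[i + 1:i + run])}
        if diffs in ({1}, {-1}):
            return True
    return False


def _has_repeated_run(pw, run=4):
    """True if the same character repeats `run` or more times in a row (aaaa)."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def screen_password(pw, username=None):
    """Return a list of rejection codes; an empty list means the password is accepted.
    Deliberately absent: composition rules ("must contain a digit"), as NIST advises."""
    problems = []
    lowered = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append("too_short")
    if len(pw) > MAX_LENGTH:
        problems.append("too_long")
    if lowered in BLOCKLIST:
        problems.append("blocklisted")
    if username and username.lower() in lowered:
        problems.append("contains_username")
    if SERVICE_NAME.lower() in lowered:
        problems.append("contains_service_name")
    if _has_sequential_run(pw):
        problems.append("sequential_run")
    if _has_repeated_run(pw):
        problems.append("repeated_run")
    return problems


# --- Storage (SP 800-63B 5.1.1.2: salt >= 32 bits, one-way KDF) --------------
SALT_BYTES = 16              # 128-bit random salt, well above the 32-bit minimum
PBKDF2_ITERATIONS = 210_000  # assumed cost factor; NIST says at least 10,000 and
                             # as high as the verification server can afford


def hash_password(pw, salt=None):
    """Salt and stretch with PBKDF2-HMAC-SHA256; returns a self-describing record."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), dk.hex())


def verify_password(pw, record):
    """Recompute the derived key from the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


# --- Online guessing limit (SP 800-63B 5.2.2: <= 100 consecutive failures) ----
class Verifier:
    """In-memory demo verifier; a real one persists records and failure counters."""

    def __init__(self, max_failed=100):
        self.max_failed = max_failed
        self._records = {}   # username -> stored hash record
        self._failures = {}  # username -> consecutive failed attempts

    def register(self, username, pw):
        problems = screen_password(pw, username)
        if problems:
            raise ValueError("rejected: " + ", ".join(problems))
        self._records[username] = hash_password(pw)

    def login(self, username, pw):
        if self._failures.get(username, 0) >= self.max_failed:
            return False  # limit reached: refuse without evaluating the guess
        ok = username in self._records and verify_password(pw, self._records[username])
        self._failures[username] = 0 if ok else self._failures.get(username, 0) + 1
        return ok
```

Note that the screen does not reward symbols or mixed case: a long passphrase with no digits passes, while "Password" fails only because the blocklist contains its lowercase form. The stored record carries its own algorithm and cost, so the iteration count can be raised later and old records re-hashed on the user's next successful login.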
How ADSelfService Plus helps comply with NIST guidelines and password security
ADSelfService Plus offers Password Policy Enforcer, Access Policy, and MFA features to help your organization meet NIST password requirements.
Password Policy Enforcer
Password Policy Enforcer allows you to enforce a custom password policy that integrates with the built-in AD password policies and gives more granular control than they do. ADSelfService Plus' password policies can be set to enforce the following requirements:
- Restrict characters: Mandate the number of special, numeric, and Unicode characters, and set the type of character with which the password must begin.
- Restrict repetition: Block consecutive characters taken from the username or from previous passwords, and block consecutive repetition of the same character.
- Restrict pattern: Block custom dictionary words, common patterns, and palindromes.
- Restrict length: Set both a minimum and a maximum number of characters.
Note that NIST itself advises against mandatory composition rules, so use the character restrictions sparingly and lean on length, the dictionary and pattern rules, and MFA instead.
ADSelfService Plus allows you to define any number of self-service policies in a given domain. They can be configured as follows so that your organization meets the NIST guidelines for passwords.
- Set the maximum number of times users can fail identity verification before they are blocked automatically.
- Restrict the number of times users can reset their passwords using self-service.
- Allow or prevent copy and paste in password fields.
- Enforce AD password history settings during password resets to restrict the repetition of passwords.
- Enable Password Strength Analyzer to help users with password creation by displaying the strength of the password.
- Add CAPTCHA verification to user logins for extra protection against automated attempts.
ADSelfService Plus offers MFA for application access, both cloud-based and on-premises, as well as for endpoints. It reduces your attack surface and protects your business by mandating a higher level of identity assurance.
Reasons why your organization needs ADSelfService Plus' MFA support:
- Authenticates users by additional factors of authentication apart from their default username and password.
- Offers around 20 authenticators to choose from, including biometrics, Duo Security, TOTPs, YubiKey, and smart cards.
- Allows the configuration of workflows to customize authenticators for users of different OUs, domains, or groups.
- Secures both local and remote login attempts on servers and workstations.
- Helps defend against credential-based attacks such as brute-force, password spraying, and dictionary attacks.
- Helps your organization meet NIST SP 800-63B, NYCRR, FFIEC, GDPR, and HIPAA compliance mandates.
Augment your business's cyberdefense with ADSelfService Plus, a one-size-fits-all solution that helps your employees adopt best practices for passwords.
Make your organization NIST compliant
Some other benefits of ADSelfService Plus - Self Service Reset Password Management
Free Active Directory users from lengthy help desk calls by letting them reset their own passwords and unlock their own accounts. The ADSelfService Plus 'Change Password' console also gives them a hassle-free way to change passwords.
Get one-click access to 100+ cloud applications. With enterprise single sign-on, users reach all their cloud applications with their Active Directory credentials.
Notify Active Directory users of impending password or account expiry by email.
Automatically synchronize Active Directory password and account changes across multiple systems, including Office 365, G Suite, IBM iSeries and more.
Ensure strong passwords that resist common attacks by requiring Active Directory users to meet the configured policy, with the complexity requirements displayed as they type.
A portal that lets Active Directory users update their own details and search for colleagues using keys such as a contact number.