+1 312.670.7000

Applying NIST guidelines to improve password security

Tips for Password Generation and Security


When it comes to password generation and security, people often use bad practices, such as passwords their birthday or using passwords across accounts. These practices can compromise the integrity of your passwords and security of the systems and data they’re meant to protect. The National Institute of Standards and Technology (NIST) has published guidelines to incorporate into password practices, ensuring greater security. 

What is NIST?

NIST is a US government agency that develops metrics, measurements, and regulations to bolster the reliability and security of new technologies. Federal agencies are mandated to follow NIST standards when handling sensitive data. 

Though private organizations are not required to meet these standards, NIST’s recommendations are still a valuable rubric to evaluate the security of their systems. Furthermore, because NIST guidelines are internationally recognized, you can foster trust in your organization by adopting them.

NIST recommendations

The last significant update to the NIST’s guidelines was published in 2020 as part of NIST Special Publication 800-63B. The document recommendations regarding passwords can be broken down into the following:

Favor length over complexity

NIST’s current guidelines prioritize password length over intricate character combinations as had been suggested in previous NIST publications. Now, their standards require user-created passwords to be at least eight characters long, while program-generated ones can be six characters long. The maximum length in either case is 64 characters. 

All printable characters are allowed, including spaces, allowing the use of unique phrases. NIST strongly advises against the use of sequential numbers or repeated characters as these are heavily used and easily predicted.

Avoid commonly used passwords

To prevent cyberattacks, companies should actively discourage commonly used, compromised, or repeated passwords. Even strong, self-generated passwords can be risky if not checked against known breaches. Reusing credentials across accounts allows attackers to exploit a single breach for wider access. 

Consider integrating software and tools that notify users when they create weak passwords or when weak passwords are generated. Companies should alert employees if their password appears in a data breach and urge them to create a new one.

Abandon password hints

To enhance security, your organization’s password policy should eliminate password hints and knowledge-based authentication (KBA) questions such as “favorite movie”. Such information can be easily obtained through social engineering tactics or simple surveillance of an employee’s social media accounts. Instead, you should leverage password reset and recovery processes that utilize multifactor authentication (MFA).  

Implement MFA

As referenced above, you can strengthen your online security posture with MFA. This security solution adds a critical second layer of defense, mitigating unauthorized access even if your password is compromised. By requiring an additional verification factor, such as a temporary code sent to your mobile device or biometric verification, MFA makes it more difficult for cybercriminals to hack their way into accounts.

Yearly password changes

NIST now recommends only annual resets to maintain security rather than more frequent password changes. While the multiple-times-per-year practice seems intuitive, it can backfire because hackers can often predict minor variations used in frequent updates. Instead, NIST suggests focusing on creating strong, unique passwords and prioritize immediate changes only if a breach is suspected.

Place limits on password attempts

To thwart brute force attacks, NIST recommends limiting login attempts. Brute force attacks involve hackers systematically guessing password combinations, so by restricting attempts, you make it harder for them to crack your password and gain access.

Speak with one of our experts to learn more about password generation and security to safeguard your critical systems.


Previous Blog: Essential Laptop Features For Work From Anywhere Success

Like this article?

Share on Facebook
Share on Twitter
Share on LinkedIn
Share on Pinterest

Add a comment