NIST Password Guidelines Requirements Best Practices

NIST Password Guidelines Requirements for 2022 Best Practices. In this guide, we will introduce what is NIST password then we will look at the NIST Password Guidelines and best practices for 2022.

In this digital era where cyber attacks are on the hike, securing your digital identity has become crucial. Employees and web users must create strong passwords that will safeguard their accounts and sensitive data from cyber attackers. 

The NIST (National Institute of Standards and Technology) frequently releases password guidelines for federal agencies to employ best practices when creating and implementing passwords. This is to ensure there’s no unauthorized access to their account. 

Shall we start with NIST Password Guidelines Requirements for 2022 Best Practices?

What is NIST Password and Why is it Important?

Creating and employing NIST passwords will help organizations meet the NIST regulations dictated to secure the digital identity of users. These passwords are easy to remember, and use but difficult to crack by intruders. Following the NIST password standards is the knowing  of the password security of users in federal agencies. However, even commercial businesses should follow these guidelines when setting passwords to secure their confidential information and accounts. 

When changing a password, users must always consider following NIST’s latest recommendations:

  • Compare the set password against the list of breached passwords (commonly used passwords).
  • Do NOT use repetitive, similar, or incremental passwords.
  • Block passwords present in password dictionaries.
  • Give precedence to the length of passwords.
  • Do not set passwords that are context specific.

Let’s continue reading NIST Password Guidelines Requirements for 2022 Best Practices.

NIST Password Guidelines for 2022

Latest NIST Password Guideline Standards clarify in the NIST Special Publication 800-63B Digital Identity Guidelines. In return this ensures better password lifecycle management. In addition, these standards mainly focus on the quality of the password and layout suggestions on how to: create, employ, store, authenticate and upgrade passwords in the long run. 

Here’s a summary of the NIST Password Guidelines for 2022:

1. Password Length is much more important than Complex passwords

First of all NIST gives precedence to the length of the password, than its complexity. So, complex passwords comprising upper case/lower case letters, numbers, special characters, etc. are considered to be strong and secure. However, practically speaking, these passwords may end up being weak in reality. Most people set predictable passwords in this circumstance, say for example, Username123. 

To avoid this, NICT recommends using long passwords or passphrases up to 64 characters at a maximum to strengthen them. Longer passwords tend to be much more secure than complex passwords. At a minimum, NIST requires user created passwords to be 8 characters in length.

2. Avoid Frequent Password Resets

Forcing employees or users to regularly reset passwords can make the whole process daunting. Hence why, most people are not very creative when setting passwords Result is, they end up creating passwords that are very similar to the previous one. These patterns are predictable and malicious intruders can guess easily. 

Employees may set up weak or common passwords, if password resets are obligate repeatedly. Basically, password resets should only be employed, if there’s suspicion of a arbitrate password.

3. Screen Passwords against the list of Breached Passwords

Newly created passwords must be screened to make sure they are not compromised or very commonly used. Even, if one sets a complex password, it can still expose your account to cyber attacks. More so, if any other individual knows it. 

Besides, screening passwords will prevent users from setting dictionary words, common passphrases, consecutive numbers, or letters as passwords. Furthermore, it also ensures the newly created password aren’t available in the list of breached passwords. 

Often, hackers obtain passwords from breached password databases or lists from previous attacks. Chances are, that the same passwords are created by multiple people due to the human tendency of thinking alike. If not this, many people use a single password for multiple websites and services, be it business or personal. This saves them from the hassle of remembering multiple passwords. 

Today, breached password lists and databases drive password spraying and brute force attacks to a great extent. Importantly, not preventing the creation of common or repetitive passwords is one of the reasons that leads to such attacks. 

Businesses must warn employees or users when they set a password that is available in the breached passwords list.

4. Allow users to Copy Paste Passwords

Basically it is quite annoying when the users cannot copy and paste passwords in input fields. Especially, if it is a complex one. This results in users creating short and weak passwords. Concurrently this also decelerates the process of account login or sign up. It also increases the time required for multi factor authentication.

5. ‘Show Password’ option

If users have set up complex passwords, having an option to ‘show password’ will prevent mistakes. This way, any typos made when entering the password can be easily corrected. Benefit is without having to re enter everything. Not allowing the ‘show password’ option again discourages creating longer, complex passwords.

6. Block passwords present in password dictionaries

Restrict end users from setting a password that is included in an organization’s password dictionary. These dictionaries can be unique to each business organization. 

Hackers often try password combinations by using common components linked to a specific business niche. This may include their brand name, product name, best sellers, or other guessable elements. 

Housing all of the guessable passwords in a custom password dictionary will help organizations restrict or block the use of these passwords. This, in turn, considerably saves the organization from intruders trying to sniff passwords

7. Restrict the use of incremental or repetitive characters in passwords

Humans tend to think and behave alike most of the time. By the same token, it is very common for end users to use consecutive or incremental characters in their passwords such as “1234”, “abcd” or “aaaaaaa”, etc. This happens, when organizations enforce frequent password expiration thresholds. 

Prevent the use of incremental or repetitive characters during the password change process to ensure passwords aren’t compromised.

8. Do not use context specific words as passwords

Using usernames, names of the service, derivatives, or any other context specific words as passwords should be strictly avoided. Blocking the use of context specific words will prevent hackers from guessing your passwords. 

9. Restrict the number of attempts for Failed Passwords

One of the topmost culprits of successful brute force attacks is not having any restriction for the number of failed password attempts. Federal agencies and businesses must execute account lockout after 3 or 5 failed login attempts. This will make it harder for cyber attackers to guess passwords and break into your accounts. 

Now, cyber attacks can be restricted through the above method. However, offline attacks do not restrict attackers from trying to access databases comprising hash passwords. To break into your files and databases, hackers can easily take millions of guesses per second with no limitations whatsoever.

Longer passwords and passphrases can prevent these incidents. Passphrases are easy to remember and a great way to strengthen passwords. 

10. Employ 2FA (Two factor Authentication)

The 2FA (two factor authentication) is one of the popular ways to secure and authorize your account access. It involves entering a password, along with an additional authorization method such as a security code sent to your email or mobile number. This makes it difficult for hackers to access your accounts. 

11. Password Hash Salting

Salting passwords with a minimum of 32 bit data units is one of the key requisites to NIST password standards. After this, passwords must be hashed with a one way KDF (Key Derivation Function) to make them stronger.

Thank you for reading NIST Password Guidelines Requirements for 2022 Best Practices. We shall conclude. 

Also Read

Check if your users meet your password requirements using our Active Directory reporting tool and Office 365 password reporting using InfraSOS

NIST Password Guidelines Requirements for 2022 Best Practices Conclusion

This brings us to the end of our summary of NIST Password Guidelines Standards for 2022. All the above mentioned latest NIST recommendations are the best security practices to secure your passwords and account access. 

Federal agencies must follow NIST standards when creating and implementing passwords and keep an eye on the latest NIST updates. Furthermore, even other businesses should follow NIST password standards to secure their IT integrity.

Take a look at more security and cyber security content in our blog over here

Avatar for Hitesh Jethva
Hitesh Jethva

I am a fan of open source technology and have more than 10 years of experience working with Linux and Open Source technologies. I am one of the Linux technical writers for Cloud Infrastructure Services.

5 2 votes
Article Rating
Notify of
Inline Feedbacks
View all comments
Would love your thoughts, please comment.x