Earlier this year, the National Institute of Standards and Technology (NIST) released new guidelines for creating a strong password (the Digital Identity Guidelines, NIST Special Publication 800-63B). These NIST password recommendations replace previous, outdated ones and are designed to make passwords more secure across every industry. In this post, we'll go over the updated NIST password guidelines and discuss how you can implement them in your business to keep your data safe from malicious attacks.

Don’t Require Regular Password Resets

One of the most important changes in the new NIST password guidance is that it no longer recommends forcing users to change passwords on a schedule: SP 800-63B says a verifier should not require a password change arbitrarily, for example every 90 days. Scheduled rotation has been shown to be ineffective and to make passwords weaker over time. A study by Microsoft found that users who were required to reset their passwords frequently were more likely to choose weak passwords and reuse them across multiple accounts, and users forced to rotate typically make a predictable edit (Summer2023! becomes Fall2023!) that is trivial to model in a cracking tool. Those are the exact outcomes scheduled password rotations are supposed to prevent.

Instead, NIST recommends only forcing a reset when there’s evidence of compromise, such as credentials appearing in a breach database or unusual sign-in activity.

Implement Multi-Factor Authentication

Multi-factor authentication (MFA) is another security measure that the NIST password framework strongly recommends, and requires outright at its higher authenticator assurance levels (AAL2 and above). MFA means using more than one method to verify your identity, such as a password plus a fingerprint scan, a hardware security key, or a time-based code from an authenticator app. Multi-factor authentication helps protect your account from attackers even if they manage to steal your password.

Why is MFA more secure? Passwords can be guessed, phished, or stolen in a data breach. A second factor closes most of that gap: a hardware security key (FIDO2/WebAuthn) is bound to the site's origin, so a look-alike phishing page cannot collect a usable response, and a time-based code from an authenticator app expires within seconds and is useless to whoever bought your password from a breach dump. The caveat is that one-time codes and push prompts can still be relayed by a real-time phishing proxy or worn down by repeated push notifications, so where you have the choice, prefer hardware keys or passkeys. Even so, any second factor means an attacker who gets your password still cannot sign in with it alone.
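To make the "time-based code from an authenticator app" factor concrete, here is an added example (not code from the original post, and not ThrottleNet's) that implements HOTP (RFC 4226) and TOTP (RFC 6238) with the standard library, plus the verifier-side check a login page would run. The shared secret is the RFC 6238 reference test key, used so the outputs match the published test vectors; the 30-second step, 6 digits and the drift window are assumptions matching common defaults.

```python
"""Added example, not code from the original post: how the 'time-based code from
an authenticator app' factor actually works, following RFC 4226 (HOTP) and
RFC 6238 (TOTP). The shared secret is the RFC 6238 reference test key, used here
only so the outputs match the published test vectors; real deployments generate
a random per-user secret and show it once (usually as a QR code)."""
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed inputs: RFC 6238 reference key and the common 30-second, 6-digit profile.
RFC6238_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then 'dynamic
    truncation' picks 4 bytes at an offset taken from the last nibble of the MAC."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238: TOTP is HOTP with counter = whole time steps since the Unix epoch.
    The authenticator app and the verifier only need the secret and a clock."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(
    secret: bytes,
    submitted: str,
    last_accepted_counter: int,
    at_time: Optional[int] = None,
    window: int = 1,
) -> Optional[int]:
    """Verifier side. Accepts the code for the current step and `window` steps either
    side to absorb clock drift, compares in constant time, and refuses any counter at
    or below the last one accepted so a code captured by phishing or shoulder-surfing
    cannot be replayed inside its validity window. Returns the counter to record on
    success, or None on failure."""
    if not (submitted.isascii() and submitted.isdigit() and len(submitted) == DIGITS):
        return None
    now = int(time.time()) if at_time is None else int(at_time)
    current = now // STEP_SECONDS
    for counter in range(current - window, current + window + 1):
        if counter <= last_accepted_counter:
            continue  # already used (or older): replay protection
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return counter
    return None


if __name__ == "__main__":
    # RFC 6238 Appendix B: at t=59 the 8-digit SHA-1 TOTP is 94287082, i.e. 287082 with 6 digits.
    print(totp(RFC6238_SECRET, 59))
```

The point to take from the verifier is the `last_accepted_counter` bookkeeping: a TOTP code is only "something you have" if the server refuses to accept the same code twice, otherwise a phishing proxy that captures the code has up to a minute to use it.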

Screen Your Passwords

The latest NIST password standards also say the verifier should screen every new password against a blocklist before accepting it: passwords exposed in previous breaches, dictionary words, repetitive or sequential strings (aaaaaa, 1234abcd), and context-specific words such as the service name or the user's own username. A password manager can do this for the individual, and a breach-lookup service can do it for your login page, flagging anything that appears in a known breach corpus. Services like these help users pick strong passwords without guessing at what attackers already try first.

The older advice to demand a mix of uppercase and lowercase letters, numbers, and symbols is gone: NIST SP 800-63B says verifiers should not impose composition rules, because they push people toward predictable patterns (Password1!) and add little against an attacker who already models those patterns. Length is what matters. NIST's floor for a user-chosen password is 8 characters, and the verifier should accept at least 64 so that passphrases work; a sensible organizational minimum is 12 to 15 characters. Accept spaces and any printable character, count Unicode code points as characters, and never silently truncate what the user typed.
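The screening and length rules above, as an added example (this is not code from the original post or from ThrottleNet). It counts Unicode code points after NFKC normalization, enforces a length floor and a generous ceiling with no composition rules, and screens against a breach corpus using the k-anonymity "range" protocol that Have I Been Pwned's Pwned Passwords API uses: only the first 5 hex characters of the password's SHA-1 leave the client, and the server returns every hash suffix sharing that prefix. The `MIN_LENGTH` and `MAX_LENGTH` values and the `CONSTRUCTED_BREACHED` corpus are assumptions; the live `hibp_range_lookup` is included for completeness and needs network access.

```python
"""Added example, not code from the original post: a password acceptance check in
the spirit of NIST SP 800-63B. It counts Unicode code points after NFKC
normalization, enforces a length floor and a generous ceiling, imposes no
composition rules, and screens against a breach corpus with the k-anonymity
'range' protocol: only the first 5 hex characters of the password's SHA-1 leave
the client, and the server returns every suffix sharing that prefix. The
MIN_LENGTH/MAX_LENGTH values and the CONSTRUCTED_BREACHED corpus are assumptions."""
import hashlib
import unicodedata
from typing import Callable, Iterable, List

MIN_LENGTH = 12   # assumed organizational floor; NIST's hard minimum is 8
MAX_LENGTH = 128  # NIST: accept at least 64; reject rather than silently truncate

# A range lookup takes a 5-hex-char prefix and yields "SUFFIX:COUNT" lines.
RangeLookup = Callable[[str], Iterable[str]]


def normalize(password: str) -> str:
    """NFKC so that visually identical input (e.g. the 'ﬁ' ligature vs 'fi')
    hashes the same way regardless of keyboard or platform."""
    return unicodedata.normalize("NFKC", password)


def breach_count(password: str, lookup: RangeLookup) -> int:
    """Return how many times `password` appears in the breach corpus (0 if clean)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix):
        found_suffix, _, count = line.strip().partition(":")
        if found_suffix.upper() == suffix:
            return int(count or 0)
    return 0


def check_password(password: str, lookup: RangeLookup,
                   min_length: int = MIN_LENGTH, max_length: int = MAX_LENGTH) -> List[str]:
    """Return a list of reasons to reject; an empty list means the password is acceptable.
    Deliberately no 'must contain a digit/symbol' rules: spaces and passphrases are fine."""
    pw = normalize(password)
    problems: List[str] = []
    n = len(pw)  # code points, per NIST, not bytes
    if n < min_length:
        problems.append(f"too short: {n} characters, minimum is {min_length}")
    if n > max_length:
        problems.append(f"too long: {n} characters, maximum is {max_length}")
    seen = breach_count(pw, lookup)
    if seen:
        problems.append(f"found {seen} times in breach data; choose something else")
    return problems


# ---- constructed, offline stand-in for the breach service ------------------------
CONSTRUCTED_BREACHED = {"password123": 123456, "letmein": 9876, "qwerty123456": 555}


def local_range_lookup(prefix: str) -> Iterable[str]:
    """Serve the same 'SUFFIX:COUNT' lines a real range endpoint would, built from the
    constructed corpus above. Note the server never sees the full hash."""
    prefix = prefix.upper()
    for pw, count in CONSTRUCTED_BREACHED.items():
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        if digest.startswith(prefix):
            yield f"{digest[5:]}:{count}"


def hibp_range_lookup(prefix: str) -> List[str]:
    """Live lookup against Have I Been Pwned's Pwned Passwords range API
    (https://api.pwnedpasswords.com/range/<prefix>); requires network access."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix.upper()}",
        headers={"User-Agent": "nist-password-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8").splitlines()


if __name__ == "__main__":
    for candidate in ("password123", "correct horse battery staple"):
        print(repr(candidate), check_password(candidate, local_range_lookup) or "OK")
```

Swap `local_range_lookup` for `hibp_range_lookup` to screen against the real corpus; the password itself never leaves your server either way, only a 5-character hash prefix does.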

Limit Failed Password Attempts

NIST also says the verifier must limit consecutive failed attempts on a single account (SP 800-63B caps it at 100 before further attempts are refused) and favors throttling over hard lockouts: growing delays between attempts, a CAPTCHA, or a step-up check. Throttling blunts brute-force attacks, where an attacker tries candidate passwords against one account until one works. It is only a partial answer to credential stuffing, where attackers test username and password pairs stolen from other breaches against your login page, because each account sees just one or two attempts; per-source rate limits, breach screening, and MFA carry the rest of that load. Be careful with hard lockouts, too: an attacker who can trigger them can lock your own users out on demand, so tie recovery to a second factor rather than to a help-desk call.
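An added example of the throttling described above (not code from the original post or from ThrottleNet): an in-memory login throttle that escalates per-account delays, hard-stops at NIST's ceiling of 100 failures, and keeps a separate per-source counter so a credential-stuffing run that spreads attempts across many accounts still gets caught. The NIST ceiling is the only value taken from the standard; `BACKOFF_AFTER`, `MAX_DELAY_SECONDS`, `SOURCE_FAILURE_LIMIT` and `WINDOW_SECONDS` are assumed tunables, and timestamps are passed in explicitly so the logic can be exercised deterministically.

```python
"""Added example, not code from the original post: an in-memory login throttle in
the spirit of NIST SP 800-63B section 5.2.2. Per-account failures escalate into
growing delays and hit a hard ceiling of 100; a separate per-source counter
catches credential stuffing, where one source spreads attempts across many
accounts and no single account ever trips the limit. All tunables other than the
NIST ceiling are assumptions; timestamps are passed in so the logic is testable."""
import time
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

MAX_FAILURES_PER_ACCOUNT = 100  # NIST SP 800-63B: no more than 100 consecutive failures
BACKOFF_AFTER = 5               # assumed: start delaying once an account has this many failures
MAX_DELAY_SECONDS = 900         # assumed: cap the exponential delay at 15 minutes
SOURCE_FAILURE_LIMIT = 20       # assumed: failures from one source IP, across all accounts
WINDOW_SECONDS = 3600           # assumed: failures older than this no longer count


class LoginThrottle:
    def __init__(self) -> None:
        self.by_account: Dict[str, List[float]] = defaultdict(list)
        self.by_source: Dict[str, List[float]] = defaultdict(list)

    @staticmethod
    def _recent(timestamps: List[float], now: float) -> List[float]:
        # Drop failures outside the window, in place, and return the survivors.
        timestamps[:] = [t for t in timestamps if now - t < WINDOW_SECONDS]
        return timestamps

    def check(self, account: str, source: str, now: Optional[float] = None) -> Tuple[bool, str]:
        """Call before verifying the password. Returns (allowed, reason)."""
        now = time.time() if now is None else now
        acct = self._recent(self.by_account[account], now)
        src = self._recent(self.by_source[source], now)
        if len(acct) >= MAX_FAILURES_PER_ACCOUNT:
            return False, "account locked: too many failed attempts; recover via a second factor"
        if len(src) >= SOURCE_FAILURE_LIMIT:
            return False, "source rate-limited: too many failures across accounts (stuffing?)"
        if len(acct) >= BACKOFF_AFTER:
            # Exponential backoff: 1s, 2s, 4s, ... capped; most brute-force tools give up here.
            delay = min(MAX_DELAY_SECONDS, 2 ** (len(acct) - BACKOFF_AFTER))
            elapsed = now - acct[-1]
            if elapsed < delay:
                return False, f"retry in {delay - elapsed:.0f}s"
        return True, "ok"

    def record_failure(self, account: str, source: str, now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        self.by_account[account].append(now)
        self.by_source[source].append(now)

    def record_success(self, account: str) -> None:
        # A correct password clears the account counter but NOT the source counter:
        # a stuffing run that finds one valid pair must not buy itself a reset.
        self.by_account.pop(account, None)
```

In a real deployment the two counters would live in a shared store such as Redis so every login node sees the same picture, and "source" would be derived from the client address with care behind proxies and NAT, since a blunt per-IP limit can punish an entire office.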

Remove Password Hints and Knowledge-Based Authentication (KBA)

Your organization should update its password policy so that nobody, employee or customer, can request a password hint; NIST SP 800-63B says the verifier must not store hints that an unauthenticated user can see. Instead, have users confirm their identity and reset their password through an enrolled second factor. The guidelines likewise rule out knowledge-based questions such as "First pet's name," "Your hometown," or "Favorite movie?", all of which can be recovered from a social-media profile or a few minutes of social engineering.

Self-service password reset should be tied to something the user has (a phone, hardware key, or enrolled authenticator app) rather than something a stranger could Google.

Salt and Hash Your Passwords

Salting and hashing are two practices the NIST password framework requires of any system that stores credentials. Hashing is a one-way mathematical process: the system stores the hash rather than the password itself, so a stolen database does not hand the attacker plaintext credentials. A salt is a random value (NIST requires at least 32 bits; 128 bits is typical) generated per password and stored alongside its hash. The salt does not make any single hash harder to attack; its job is to make every stored hash unique, which defeats precomputed rainbow tables and forces the attacker to crack each password separately instead of all of them at once.

What makes the cracking itself expensive is the choice of algorithm. Under current NIST guidance the hash must be a deliberately slow key-derivation function, such as PBKDF2 with at least 10,000 iterations or Balloon (NIST's own examples), or the widely deployed Argon2, scrypt or bcrypt, never a fast general-purpose hash like plain MD5, SHA-1 or SHA-256. NIST also recommends one further step: a keyed hash using a secret (often called a pepper) that is stored separately from the database, for example in a hardware security module, so that a database dump alone is not enough to start cracking.
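The storage scheme just described, as an added example (not code from the original post or from ThrottleNet) using only the Python standard library. PBKDF2-HMAC-SHA256 is the KDF NIST names explicitly (Argon2 or scrypt are equally good where a library is available); the HMAC over the derived key with a secret held outside the database is NIST's recommended "additional iteration with a secret salt," i.e. a pepper. `ITERATIONS`, `SALT_BYTES`, the record format and the constructed `PEPPER` are assumptions.

```python
"""Added example, not code from the original post: salted, slow, peppered password
storage as SP 800-63B describes it, using only the standard library. PBKDF2-HMAC-SHA256
is the KDF NIST names explicitly (Argon2 or scrypt are equally good choices where a
library is available); the HMAC over the result with a secret stored outside the
database is NIST's recommended 'additional iteration with a secret salt', i.e. a
pepper. ITERATIONS, SALT_BYTES, the record format and the constructed PEPPER are
assumptions."""
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # assumed; OWASP's 2023 figure for PBKDF2-HMAC-SHA256. NIST floor: 10,000
SALT_BYTES = 16        # 128-bit random salt per password; NIST minimum is 32 bits
# Constructed pepper for the example only. In production load it from an HSM, KMS or
# secrets manager, never from the same database that holds the hashes.
PEPPER = b"example-pepper-do-not-use-in-production-7f3c"


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _derive(password: str, salt: bytes, iterations: int, pepper: bytes) -> bytes:
    # Slow part: every guess costs the attacker `iterations` HMAC computations too.
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    # Keyed part: without the pepper, a stolen salt+hash pair cannot even be tested offline.
    return hmac.new(pepper, dk, hashlib.sha256).digest()


def hash_password(password: str, iterations: int = ITERATIONS, pepper: bytes = PEPPER) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash (all base64 where binary).
    A fresh random salt means two users with the same password get different records."""
    salt = os.urandom(SALT_BYTES)
    return "$".join([ALGORITHM, str(iterations), _b64(salt),
                     _b64(_derive(password, salt, iterations, pepper))])


def verify_password(password: str, stored: str, pepper: bytes = PEPPER) -> bool:
    """Constant-time comparison against the stored record. Anything that is not in the
    current format (e.g. a legacy unsalted MD5 record) fails closed and should be migrated."""
    try:
        algorithm, iterations_str, salt_b64, hash_b64 = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        iterations = int(iterations_str)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
    except (ValueError, TypeError):  # wrong field count, bad int, bad base64
        return False
    return hmac.compare_digest(_derive(password, salt, iterations, pepper), expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when a record was made under weaker parameters than current policy; rehash it
    on the user's next successful login, which is the only time the plaintext is available."""
    parts = stored.split("$")
    try:
        return len(parts) != 4 or parts[0] != ALGORITHM or int(parts[1]) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record),
          verify_password("correct horse battery stable", record))
```

The iteration count lives inside the record so it can be raised later without a flag day: `needs_rehash` spots old records at login time, and `verify_password` keeps honoring them until they are upgraded.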

Secure Your Data Using the NIST Password Guidelines

The NIST password guidelines are designed to make passwords more secure — and, just as importantly, to make the password experience less painful for the users who have to live with them. Rather than forcing quarterly resets and complex character requirements that drive people toward sticky notes, the updated approach emphasizes length, breach screening, multi-factor authentication, and sensible lockout policies.

Implementing these NIST password practices alongside other cybersecurity measures — endpoint protection, security awareness training, and regular backups — can keep your accounts safe from hackers and your team productive.

To learn more about the NIST password guidelines and how to further protect your data, contact an IT professional from ThrottleNet today.
