NIST Password Guidelines

The National Institute of Standards and Technology (NIST) helps organizations implement best practices across their operations, including cybersecurity. In particular, NIST password guidelines outlines are considered the gold standard for solid password creation and management policies.

This article explains the current NIST password guidelines, detailed in Special Publication 800-63B, "Digital Identity Guidelines," and how organizations can implement them to strengthen their cybersecurity strategy.

The Evolution of NIST Password Guidelines

The first version of the NIST 800-63 password guidelines was released in 2014. The current standard is version 3, released in 2019 and updated in 2020. A fourth revision (NIST password guidelines 2024) is in the works to respond to the evolving attacks landscape.

A key reason NIST has changed its password guidelines over time is its observation of real-world user behavior. Specifically, while stringent password rules would seem to enhance security, they can overwhelm users, leading them to adopt practices that actually hurt security.

For example, requiring users to pick highly complex passwords and change them frequently can do more harm than good - users eager to avoid the frustration of account lockouts may resort to writing their passwords down and keeping them right next to their desks. Accordingly, NIST now seeks to facilitate more user-friendly best practices that improve overall security.

Key Terminology

The sections of the NIST special publication are presented as informative, normative or both. Informative material is intended to help the reader understand concepts. Normative content provides recommendations for a company to use when creating password policies. Pay close attention to the following key terms:

• Shall and shall not - Indicate actions that NIST requires organizations to take (or not take)
• Should and should not -Indicate that NIST recommends (or discourages) an action
• May and may not - Indicate that an action is permissible (or impermissible)
• Can and cannot - Indicate a possibility or capability (or lack thereof), whether physical, causal or material

NIST Password Guidelines

The core components of the NIST password recommendations can be grouped into two areas:

• Password composition, which includes length and complexity requirements for secure passwords.
• Password management, which covers topics like password expiration, lockout policies and the use of password managers.

Password Composition

One key difference between older NIST password guidelines and the current guidance is the prioritization of password length over complexity. The reason is simple: While complexity requirements do make passwords harder for hackers to guess or crack, they often cause users to resort to risky practices like writing their passwords down. Length requirements achieve many of the security benefits without the downside, since users can pick strong passphrases that are easy to remember and type.

Accordingly, NIST password guidelines 2023 include the following length and complexity requirements:

• Minimum length - User-generated passwords must be at least 8 characters long and auto-created passwords must be at least 6. Previously, the minimum length for both was 6.
• Maximum length - Both user-generated and auto-generated passwords must have a maximum length of 64 characters.
• Password complexity - Previous NIST guidelines required passwords to include special characters and banned certain characters, such as spaces and emojis. Now NIST recommends having no complexity requirements but making any American Standard Code for Information Interchange (ASCII) character permissible.

Password Management

The current NIST publication also offers revised guidance on password security management. The key revisions concern the following:

• Password changes - Previously, NIST password expiration requirements forced users to change their password periodically. However, in light of subsequent research, NIST now recommends requiring users to change their passwords only when there is a specific reason, such as account compromise.
• Password history-Organizations are encouraged to check a user's proposed new password against their old ones to ensure sufficient originality.
• Password checking - NIST requires organizations to check proposed new passwords against a blacklist of prohibited passwords. These password lists may include credentials compromised in previous breaches, dictionary words, passwords containing repetitive or consecutive characters like "12345" or "aaaa", and context-specific words like the name of the user or the business.
• Account lockouts - NIST 800-63B recommends that accounts be locked after no fewer than 10 failed log-in attempts.
• Password storage - NIST requires the use of password hashing and salting to make password-guessing attacks prohibitively costly for adversaries.
• Password hints - Current NIST password guidelines discourage organizations from allowing password hints (e.g., "What year were you born?") because they can make it easier for hackers to guess a user's password.

Best Practices for Implementing NIST Password Guidance

The NIST guidelines offer valuable insight into keeping IT systems, services and data safe from cyber threats. Here are some key best practices to follow:

• Be practical. As we have seen, overly stringent password requirements are often counterproductive. Moreover, they may not improve security as much as intended. For example, NIST notes that password complexity and length requirements do not help defend against keystroke logging, phishing and social engineering attacks.
• Offer a password manager. NIST guidelines encourage organizations to allow users to use password managers because these tools make it easy for users to choose long and complex passwords without worrying about forgetting them and getting locked out. With a password manager, you can confidently adopt the length and complexity requirements that work best for your organization.
• Improve authentication - Most organizations still use passwords as a primary authentication factor. NIST reminds organizations that knowledge-based authentication (prompting a user to answer questions) is not an acceptable method of authentication. In addition, biometrics like fingerprints are not by themselves a sufficient form of authentication, though they can be used in multifactor authentication. NIST guidelines discourage using SMS messages in multifactor authentication.
• Take an in-depth approach to security. Strong password policies are important for every organization, but they are only one component of a comprehensive cybersecurity strategy. Be sure to implement other core security best practices, such as rigorously enforcing the principle of least privilege to tightly control access to sensitive data and systems.

How Netwrix Can Help

Choosing the right tools can empower you to achieve compliance with NIST password guidelines faster and more effectively. To help, Netwrix offers a robust password management solution. Key products include:

• Netwrix Password Policy Enforcer, which makes it easy to create powerful yet flexible password policies while delivering a positive experience for users.
• Netwrix GroupID, which empowers users to reset their own passwords and unlock their accounts, slashing helpdesk costs and user frustration.
• Netwrix Password Secure, which enables users to securely manage their passwords and administrators to manage privileged access and audit password usage.

Conclusion

The NIST guidelines are the gold standard for password composition and password management policies that protect sensitive systems and data. Key changes from older guidance include emphasizing length over complexity and not requiring regular password rotation.

FAQ

What are the NIST password policy guidelines?

NIST 800-63B, "Digital Identity Guidelines," offers recommendations for password composition and password management. Current NIST guidance includes the following:

• Favor length over complexity.
• Require user-generated passwords to be 8-64 characters long and auto-generated passwords to be 6-64 characters long.
• Permit the use of all ASCII characters, including spaces and emojis.
• Check the candidate's new passwords against a list of weak and compromised passwords.
• Disallow password hints.

What is the NIST 800-63 password guideline?

The NIST 800-63B password guidelines, entitled "Digital Identity Guidelines," serve as a framework for helping organizations implement best practices for passwords.

Does NIST recommend password expiration?

No, NIST no longer recommends requiring users to regularly change their passwords, since password expiration policies often cause users to engage in insecure practices like writing down their passwords. Instead, organizations should require a password change only when there is a good reason, such as account compromise.

What are the password guidelines for NIST 800-171?

NIST 800-171 password guidelines are detailed in NIST Special Publication 800-171 Revision 3, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations."

What are the password standards for 2024?

The NIST password guidelines lay out standards for a wide range of password-related applications, including but not limited to:

• The removal of knowledge-based authentication
• Acceptance of characters such as emojis or the space bar
• Acceptance of password managers
• Removing password expiration dates and hints
• Favoring length over complexity
• Establishing minimum and maximum lengths for auto- and user-generated passwords

How long should passwords be in 2024?

The NIST password guidelines state that user generated passwords should be eight to 64 characters long, while auto-generated passwords should be six to 64 characters long.