NIST password compliance guidelines – What they are and how you can meet them
(Last updated on February 17, 2020)
The new password guidelines from National Institute of Standards and Technology (NIST) are changing how companies and organizations view password security. The guidelines say: Do allow for longer passwords and choosing original secret questions, Don’t allow users to choose a password from a compromised list, or force password expiration without cause. These changes aim to increase password security and improve the end user experience.
In the comprehensive Digital Identity Guidelines, from NIST, password security is addressed within the chapter titled Memorized Secret Verifiers. A memorized secret verifier is any system that needs to check the validity of a password or PIN. In most organizations, that means Active Directory and supporting business systems.
When it comes to password length, NIST requires that passwords are at least 8 characters long and recommends that passwords can be as long as 64 characters. Longer passwords offer better protection from various password attacks.
Allowing users to choose passphrases helps create longer passwords that are still easy for end users to create and use.
NIST requires federal organizations to check passwords against a list of commonly used or compromised passwords. Potential lists include passwords obtained from a previous breach, dictionary words, repetitive characters and context-specific words such as usernames. Blocking dictionary lists can help keep out the most vulnerable passwords – whether these are on a leaked password list or a list of weak passwords.
The easiest way to check user passwords against a leaked list is with a password blacklist tool. During a password change in Active Directory, Specops Password Policy will reject passwords found in the blacklist. The blacklist is also updated in response to new vulnerabilities.
NIST discourages composition requirements such as a mixture of character types, when setting passwords. While this is not prohibited, the NIST recommendation is to avoid password complexity rules and instead check users’ passwords against known dictionary lists.
Finally, the tide is turning away from short complex passwords to longer passphrases, which offer better protection from attacks and a better user experience. However, some other regulatory bodies still require complexity rules, such as PCI.
NIST discourages regular password expiration (memorized secrets changing arbitrarily) but requires forcing a password change if there is evidence that the authenticator has been compromised. This is because regular password expirations and changes create poor password habits where users tend to fall into the same patterns for creating a new password.
Blocking dictionary lists is great when a user is setting a password for the first time, but what happens if that same password turns up on a leaked list one month later? We recommend continuing to use password expiration as a way to check passwords against dictionary lists when a new major leak occurs and a list is added.
NIST prohibits the use of predefined secret questions (security or challenge questions) when verifying a user for password creation and reset. Your mother’s maiden name, your first pet and the name of your high school are all susceptible to social engineering.
Secret questions can be social engineered easily and many users forget the answers to less common questions. We believe in more secure ways to identify users such as authenticating them on popular authentication apps from Google and Microsoft, or fingerprint scanning on a mobile phone.
NIST updated their Digital Identity Guidelines in June 2017 to follow the latest best practices in identity proofing and authentication of users interacting with government IT systems, but many non-federal organizations also choose to follow the guidelines.
Claimant – the party being authenticated
Verifiers – the party verifying the claimant
Memorized secret – password and PIN, something you know
Knowledge-based verification – secret or security questions