NIST password guidelines: Full guide to NIST password compliance

Many look to the National Institute of Standards and Technology (NIST) guidelines as the gold standard for cybersecurity best practices. As you’ve likely heard, NIST has updated its password guidelines in the latest draft of its well-known SP 800-63B document, in an attempt to provide more protection against password-focused cyberattacks – because as attackers up their game, the rest of us need to as well. We’ll take a look at the new recommendations and what they mean for organizations trying to align their cybersecurity practices.

Darren James, Senior Product Manager at Specops Software, had this to say about the new guidelines: “The recently released draft of updates from the National Institute of Standards and Technology (NIST) marks a significant stride in modernizing password management recommendations for both organizations and individuals. We commend NIST for these progressive updates and encourage organizations to adopt these new guidelines to enhance their cybersecurity posture.”

What are the new NIST recommendations?

You might be new to NIST entirely, or you may have been following their previous recommendations for some years now. There’s still plenty of sensible advice in the older guidelines (2022-2023 NIST 800-63b Password Guidelines and Best Practices, NIST 800-53 Guidelines and Requirements) but this blog will be focusing on the most recent set of advice from NIST. Because as you’ll see, there are some significant changes.

If you’ve been following password policy best practices over the past few decades, you’ll know that the older standards and recommendations have not always been user friendly. The new standards set out to change this with policies that take a more user-centric approach to strong security. They also flag some old password policy configurations that are no longer recommended. We’ve pulled out the six key takeaways from the new NIST guidelines on password management that your organization should be paying attention to.

NIST cybersecurity framework: Six key password takeaways

1. Length over complexity

Most organizations have had the same password policies for years. They often require a combination of uppercase letters, numbers, and symbols in an effort to add complexity to end users’ passwords. However, NIST now encourages organizations to focus on length over complexity. Moving away from complexity might seem counterintuitive, but the reason is human predictability. End users often follow the same pattern: starting with a capital letter and ending with a number or special character, or using common character swaps like ‘a’ -> ‘@’. So instead of random complex passwords, we often end up with slight variations of weak passwords designed to satisfy complexity requirements:

  • admin -> Admin123!
  • password -> P@ssword1
  • welcome -> Welcome2?

Hackers take advantage of this predictability with hybrid cracking tools that try these popular combinations first, reducing cracking time. So instead of requiring complexity, NIST recommends that users be able to create longer passphrases or passwords that are easier to remember but still difficult for attackers to guess. A good passphrase can be as simple as a string of unrelated words, such as “sunset”, “stopwatch”, and “fence”, joined into a single long passphrase. Which of the two below would be easier for an end user to remember: the 25-character passphrase or the 8-character complex password?

  • sunset6-stopwatch-fence$
  • P3*tnL@7

For more help with passphrases, we have a full guide to helping end users set up passphrases here.

2. Don’t expire passwords too frequently

Frequent password changes were once considered a cornerstone of good security. However, NIST now advises against mandatory password expiration unless there is evidence of a security breach. One reason is that forcing people to change their passwords too often leads to poor password practices, where end users often just change a few characters or use repeating patterns. At Specops, we don’t recommend removing password expiries entirely, due to the risks around password reuse. But there’s logic in setting longer expiries when end users have strong passwords and you have a tool that scans for compromised passwords.

3. Filter common and compromised passwords

One of the new suggestions in the NIST draft is that organizations compare the passwords users attempt to set against a list of common and breached passwords. These lists contain passwords compromised in previous breaches as well as other undesirable passwords that are weak or easy to guess. Users may not realize they are reusing a password that has already been exposed in a breach, leaving them vulnerable to attack. Hackers use these lists to speed up their cracking attempts – so it makes sense for organizations to use them in defense too.
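To make the two points above concrete (the predictable variants of weak base words from takeaway 1, and screening candidates against a breached-password list from takeaway 3), here is an added Python example. It is not code from this article or from Specops; the blocklist, the character-swap table and the length limits are constructed assumptions standing in for a real breach corpus and a real policy:

```python
"""NIST SP 800-63B style password screening (added example, not Specops code)."""
import string
import unicodedata

MIN_LENGTH = 8   # NIST minimum for user-chosen passwords
MAX_LENGTH = 64  # NIST says verifiers should permit at least 64 characters

# Constructed sample blocklist; a real deployment loads a breach corpus here.
BLOCKLIST = frozenset({"password", "admin", "welcome", "qwerty", "letmein",
                       "123456", "12345678", "iloveyou"})

# Common swaps users make to satisfy complexity rules (a -> @, s -> $, ...).
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t", "|": "l"})
EDGE_CHARS = string.digits + string.punctuation + " "


def normalize(password: str) -> str:
    """Reduce a password to the base word a hybrid cracking rule would start from.

    'Admin123!' -> 'admin', 'P@ssword1' -> 'password', 'Welcome2?' -> 'welcome'.
    """
    text = unicodedata.normalize("NFKC", password).lower()
    # Drop the digits/symbols users typically prepend or append...
    core = text.strip(EDGE_CHARS)
    # ...then undo the in-word character swaps.
    return core.translate(LEET_MAP)


def screen_password(password: str, blocklist=BLOCKLIST) -> tuple[bool, str]:
    """Return (accepted, reason): length first, then blocklist, no composition rules."""
    length = len(password)  # counts Unicode code points; spaces are allowed
    if length < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if length > MAX_LENGTH:
        return False, f"longer than {MAX_LENGTH} characters"
    if password.lower() in blocklist:
        return False, "appears in the blocklist"
    base = normalize(password)
    if base in blocklist:
        return False, f"predictable variant of blocklisted word '{base}'"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("Admin123!", "P@ssword1", "Welcome2?",
                      "sunset6-stopwatch-fence$", "P3*tnL@7"):
        accepted, reason = screen_password(candidate)
        print(f"{candidate!r:30} {'ACCEPT' if accepted else 'REJECT'}: {reason}")
```

Normalization applies the same mangling an attacker’s hybrid rules would apply, in reverse, so “P@ssword1” is rejected as a variant of “password” while “sunset6-stopwatch-fence$” is accepted on length alone. In production the in-memory set would be replaced by a lookup against a full breach corpus, and the check would run at the point where the password is set (for Active Directory, a password filter), not only at login.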

Interested to learn how many of your current end users are using a compromised password right now? You can find out with a quick scan of your Active Directory with our free auditing tool: Specops Password Auditor. Specops Password Auditor is read-only and doesn’t store Active Directory data, nor does it make any changes to Active Directory. You’ll get an easy-to-understand exportable report detailing password-related vulnerabilities that could be used as entry points for attackers. Download for free here.

4. Allow users to set long passwords

As outlined in the first takeaway, this latest revision from NIST is saying that length is the most important password security measure. This is backed up by Specops research into password length best practices too. However, this only works if you allow users to create long passphrases in the first place. The latest guidelines suggest allowing users to create passwords or passphrases up to 64 characters long (even if the average user is unlikely to need to reach this limit). Longer passwords are much harder to crack, but keep in mind that even long, unique passwords aren’t immune to compromise.

5. Use multi-factor authentication (MFA)

This might seem obvious by now, but MFA is still far from ubiquitous. NIST strongly recommends MFA to add an extra layer of protection to the passwords and thinks organizations should no longer view MFA as optional. Microsoft have found that 99.9% of compromised accounts didn’t have MFA enabled – so it should really be a required aspect of overall account security. Implementing MFA is simply a must for organizations looking to bolster their security posture in line with NIST’s latest guidance.

6. Password hints and knowledge-based recovery no longer recommended

In the latest guidance, NIST recommends that organizations move away from traditional password recovery mechanisms. This includes mechanisms like password hints and knowledge-based security questions that aren’t considered to be secure. Again, this is down to predictable human behavior. End users often choose answers based on information that can be easily discovered from social media and other publicly available sources.

Instead, NIST recommends moving away from these types of questions in favor of more secure recovery options. These may include resetting a password with a link sent via email or using MFA to verify the user’s identity during password recovery. With self-service password reset solutions like Specops uReset, end users can even carry this out on their own.
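The recovery flow described above (a link sent by email, plus MFA to verify the user before the password changes) can be sketched in code. This is an added Python example, not code from the article, from Specops uReset or from NIST; the 15-minute lifetime, the class and method names, and the MFA stub are all assumptions for illustration:

```python
"""Email reset-link recovery with MFA gate (added example; names are assumptions)."""
import hashlib
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 15 * 60  # assumed policy value for how long a link stays valid


@dataclass
class ResetRequest:
    user_id: str
    expires_at: float
    used: bool = False


class PasswordResetService:
    """Issues unguessable single-use reset tokens and stores only their hashes,
    so a leaked database does not hand an attacker live reset links."""

    def __init__(self, clock=time.time):
        self._clock = clock              # injectable for testing expiry
        self._requests: dict[str, ResetRequest] = {}  # keyed by token hash

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str) -> str:
        """Create a reset token for the caller to email as a link; keep only its hash."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._requests[self._hash(token)] = ResetRequest(
            user_id, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str, mfa_verified: bool) -> tuple[bool, str]:
        """Validate a token from the link. Returns (ok, user_id) or (False, reason).

        The second factor is checked before the token is consumed, so a failed
        MFA attempt does not burn the link the legitimate user still holds."""
        req = self._requests.get(self._hash(token))
        if req is None:
            return False, "unknown token"
        if req.used:
            return False, "token already used"
        if self._clock() > req.expires_at:
            return False, "token expired"
        if not mfa_verified:
            return False, "second factor not verified"
        req.used = True
        return True, req.user_id


if __name__ == "__main__":
    svc = PasswordResetService()
    link_token = svc.issue("alice")        # in practice: emailed inside a URL
    print(svc.redeem(link_token, mfa_verified=False))   # rejected, link still valid
    print(svc.redeem(link_token, mfa_verified=True))    # (True, 'alice')
    print(svc.redeem(link_token, mfa_verified=True))    # rejected, already used
```

Because lookups are keyed by the SHA-256 of the token, the stored value is useless to anyone who reads the table, and the comparison does not leak token bytes through timing. Whether the user first proves possession of the mailbox or first completes MFA is a design choice; the point the NIST guidance makes is that neither a hint nor a knowledge-based question stands in for these checks.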

Checklist for aligning with NIST’s new password guidance

Updating a password strategy may not be an overnight process for most organizations. However, there are several steps you can keep in mind while working towards meeting NIST guidelines:

  1. Update internal password policies: Organizations will want to make sure their password policies include the latest NIST recommendations, such as prioritizing length over complexity requirements and adjusting password expiration timings.
  2. Use password filtering lists: Organizations will want to start looking at tools that allow using password filtering lists to prevent the use of well-known compromised passwords and commonly used passwords.
  3. Move towards passphrases: End users likely need to be educated on the use of passphrases and taught the benefits of longer passwords. Use good examples to show how longer passphrases can be more memorable than short complex passwords.
  4. Multi-factor authentication: Make MFA mandatory for all important systems and sensitive data. MFA solutions will provide an additional layer of defense against a cyberattack.
  5. Move away from password hints and knowledge-based questions: Use secure recovery methods and get rid of weak password reset processes that rely on information that could be easily guessed by hackers.
  6. Employee cybersecurity training: Update end users on why the NIST guidelines are worth following and how they will help keep everyone safer from cyberattacks.

How third-party tools support the new NIST recommendations

Organizations may find it challenging to implement the new NIST password security recommendations if they don’t have the right tools. The default Active Directory password policy only allows a few basic options out of the box and doesn’t offer more advanced password policy features like password filter lists and protection against incremental passwords.

Specops Password Policy helps organizations with the tools needed to implement NIST’s latest recommendations through advanced features and flexible policy controls. Here’s how Specops Password Policy can support your efforts to meet NIST guidelines:

1. Continuously scan for breached passwords

Specops Password Policy integrates with dynamic password filtering, automatically blocking passwords that have appeared in known breaches. This aligns with NIST’s recommendation to screen passwords against compromised lists, enhancing security by preventing the use of weak or vulnerable passwords. Specops Password Policy also has a very effective Breached Password Protection feature that continuously checks your Active Directory against our database of more than four billion unique compromised passwords.

Figure: How Specops Breached Password Protection works

2. Passphrase support

With Specops Password Policy, admins can configure password policies that prioritize length over complexity. You can create custom rules that encourage longer passphrases, combined with whatever complexity requirements you choose.

Figure: Specops Password Policy passphrase support

3. Forced expiration

With Specops Password Policy you can remove forced password expiration triggers or create longer gaps between expirations. You can also set up length-based ageing, where users are ‘rewarded’ with a longer time until their next expiration when they create long, secure passphrases, while shorter, less secure passwords must be changed more frequently.

4. Support for Multi-Factor Authentication (MFA)

Specops integrates with a range of multi-factor authentication solutions. These add an extra layer of security to user logins and greatly increase the security of accounts. Crucially, MFA is now viewed by NIST as a requirement instead of a “nice to have.”

5. Secure password recovery

Specops Password Policy offers secure, NIST-conformant password reset options that use multi-factor authentication to verify a user’s identity before a password can be reset, which helps eliminate the risks associated with traditional recovery methods. In this way Specops Password Policy can help organizations protect the password recovery process from attack.

Meet NIST guidelines with Specops Password Policy

NIST guidance is a very well-respected cybersecurity standard that many organizations use to help bolster their defenses against the threat of cyberattacks. The latest guidance in NIST SP 800-63B shifts away from password policy configurations built on outdated practices like complexity requirements, routine password expiration, and insecure recovery methods.

The updated NIST guidelines provide a more user-friendly and secure approach to password management, encouraging users to create longer passwords that are easier to remember, harder to crack, and protected by MFA. Adopting these latest guidelines and using tools like Specops Password Policy could drastically improve your password security and help protect against many different kinds of password attacks.

Need help bringing your organization in line with the new NIST guidelines? Reach out to discuss how Specops Password Policy could fit with your organization.

FAQs

NIST stands for the National Institute of Standards and Technology. It’s part of the U.S. Department of Commerce and is one of the nation’s oldest physical science laboratories. They conduct research and provide standards, guidelines, and tools across a wide range of fields, from cybersecurity to manufacturing to health care.

For the most up-to-date information, it’s always a good idea to check the NIST website directly, as they frequently update their guidelines and frameworks. For password-related info, this article has you covered.

Complying with NIST guidelines can be challenging, but the level of difficulty often depends on the specific guidelines you’re trying to follow and the context of your organization. It’s also a valuable process for enhancing cybersecurity. Breaking down the guidelines into manageable steps and prioritizing based on risk can make the process easier.

(Last updated on November 1, 2024)


Written by

Marcus White

Marcus is a Specops cybersecurity specialist based in the UK. He’s been in the B2B technology sector for 8+ years and has worked closely with products in email security, data loss prevention, endpoint security, and identity and access management.
