NIST password standards and requirements
The National Institute of Standards and Technology (NIST) sets the information security standards for federal agencies. Through its Special Publication (SP) 800-series, NIST helps organizations meet regulatory compliance requirements such as HIPAA, and SOX.
The recent update to the NIST password standards (SP) 800-63-3 flips the script on widely accepted password policies, challenging its effectiveness altogether. The new framework is all about simplifying password management for users by leaving out overly complex security requirements.
What are the NIST password requirements?
- Set an 8-character minimum length.
- Change passwords only if there is evidence of compromise.
- Screen new passwords against a list of known compromised passwords.
- Skip password hints and knowledge-based security questions.
- Limit the number of failed authentication attempts.
What are the NIST password recommendations?
- Set the maximum password length to at least 64 characters.
- Skip character composition rules as they are an unnecessary burden for end-users.
- Allow copy and paste functionality in password fields to facilitate the use of password managers.
- Allow the use of all printable ASCII characters as well as all UNICODE characters (including emojis).
NIST standards for compromised passwords
Today’s credential-based attacks prefer password lists over the brute-force method. Thanks to our tendency to reuse passwords (more than 44 million Microsoft account holders use recycled passwords), hackers have access to an endless collection of username and password combinations. Credential duplication increases their chances of gaining access to additional accounts, and exposing more data.
A password list (password deny list, password dictionary, etc.) contains values known to be commonly-used, expected, or compromised. Organizations can use a password list (the same files available to hackers) to block vulnerable passwords in their organization. According to NIST, a password list can include:
- Passwords obtained from previous breach corpuses.
- Dictionary words.
- Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’).
- Context-specific words, such as the name of the service, the username, and derivatives thereof.
For most organizations, the Windows domain password is the main password for users for both on-premises and SaaS services through single sign-on. Needless to say, implementing a banned password list with domain password policy settings is not currently possible (unless you are using a third-party tool like Specops Password Policy).
If you are not using a third-party tool to perform automatic password checks as users change their passwords, you can use our freeware utility (Specops Password Auditor) to screen user account passwords against a list of vulnerable passwords from multiple data breach leaks. Specops Password Auditor analyzes your domain password policies and fine-grained password policies. The result is an an overview of how secure your passwords are against password lists, and the NIST requirements.
Click here for a recent expert review on Specops Password Auditor.
Alternatively, you can set up your Active Directory to check for leaked passwords against an external password list, such as Have I Been Pwned (HIBP). Of course, as a static downloadable list, it doesn’t help with continuous protection.
Frequent expirations coupled with complexity requirements annoy users, leading to poor password decisions. Not only do they result in users creating hacker-friendly passwords, but they can also put a strain on the helpdesk. Instead of forcing users to create passwords they can’t remember, NIST wants administrators to focus on blocking weak or compromised passwords. With Specops Password Policy, you not only get a more comprehensive and up-to-date list of leaked passwords (over 4 billion and counting), you get a more secure way to continuously check your Active Directory user passwords against a NIST-compliant password list. During a password change in Active Directory, the service will block and notify users if the password they have chosen is found in a list of leaked passwords. Specops Password Policy makes it easy to keep out vulnerable passwords, and comply with the latest NIST password standards.
(Last updated on February 23, 2024)