The NIST Password Guidelines and How To Apply Them

September 15, 2025

The Protect function, one of the six core functions of the NIST Cybersecurity Framework 2.0, includes an Identity Management, Authentication, and Access Control category (PR.AA), which is where password policy lives. The detailed password rules themselves come from NIST SP 800-63B, which NIST revised in 2025 to address modern threats. This guide explains the updated NIST password guidelines, shares user authentication best practices, and helps you overcome common challenges to adoption.

What Are NIST Password Guidelines and What Do They Require?

The requirements come from NIST Special Publication 800-63-4 (Digital Identity Guidelines) and its companion volume SP 800-63B-4 (Authentication and Authenticator Management). The password rules below are taken from 800-63B-4, which uses the plain term “password” where rev. 3 said “memorized secret.” Here they are, and how to use them.

Enforce a Minimum Password Length

Verifiers SHALL require passwords of at least eight characters and SHOULD require at least 15. Treat eight as the absolute floor and 15 as the target, especially where the password is the only authentication factor. NIST also recommends guidance at the moment of creation, such as a strength meter labeled “weak” or “strong”, so users see the effect of choosing something longer.

Support Longer Passphrases

Your software must accept passwords of at least 64 characters (longer is fine) and must never silently truncate them. All printable ASCII characters, including the space, must be accepted, and Unicode characters should be accepted as well, with each code point counted as one character.

Passphrases are longer authentication secrets that often use several words. Here are a few examples:

  • Rabbit Banana 12 Axel F Tummy
  • Pilot_star_pancakes & Quest_xylephone_donkey
  • ThrowViewDanceKissWatchCatchBuy

Instead of discouraging this type of password, encourage users to choose longer ones; length does far more against offline guessing than forced symbol substitution does.

Allow Password Managers With MFA

Some organizations prohibit password managers, thinking that these applications compromise security. In reality, expecting employees to memorize every password is the bigger risk: it pushes them toward short, weak, or reused passwords. NIST takes the opposite view and says verifiers should allow pasting into password fields precisely so that password managers work.

Password managers give employees a secure vault for unique, randomly generated passwords. Protect the vault itself with a long master password and multifactor authentication, and deploy one manager organization-wide so that compliance is the path of least resistance.

Get Rid of Outdated Password Habits

Getting rid of outdated password habits, like frequent resets, is part of the NIST password guidelines.

One of the biggest changes in SP 800-63B-4 is how it treats rules that older policies made mandatory. Rev. 3 (2017) already discouraged them as “SHOULD NOT”; rev. 4 upgrades that to “SHALL NOT,” so the following practices now hurt your compliance position as well as your security:

  • Frequent password resets: Requiring employees to change passwords every 30, 60, or 90 days usually leads to predictable, incrementally modified passwords. Verifiers SHALL NOT require periodic changes.
  • Required special characters: Employees may use numbers or special characters (“&” or “<,” etc.) if they want, but you shall not require them.
  • Required character mixing: Forcing users to combine uppercase, lowercase, numbers, and symbols is a composition rule, and verifiers SHALL NOT impose composition rules.

Note that NIST 800-63B distinguishes “SHALL” and “SHALL NOT” (requirements) from “SHOULD” and “SHOULD NOT” (recommendations). Because the rules above are now phrased as SHALL NOT, following them is obligatory for compliance, not just a good suggestion.

Change and Destroy Compromised Passwords Immediately

Under the NIST password guidelines there is no calendar-driven reset: verifiers SHALL NOT require periodic changes, so an annual rotation is not a compliance requirement and mostly produces the incremental edits described later in this guide. What NIST does require is a forced change whenever there is evidence that a password has been compromised.

Treat “possibly compromised” as sufficient reason. For example, if a user’s phone is stolen along with their password manager, change the affected credentials immediately rather than waiting for proof of misuse. A password that turns up in a breach corpus, or an unusual burst of failed login attempts against an account, should trigger the same response.

Avoid Vulnerable Password Hints

It’s normal for employees to forget their passwords sometimes, one reason why password managers are so helpful, but password hints and knowledge-based security questions are not as secure as they seem. NIST says verifiers SHALL NOT let users store a hint that an unauthenticated claimant can see, and SHALL NOT prompt users with questions such as:

  • Mother’s maiden name
  • Grandfather’s place of birth
  • Name of pet
  • Best friend growing up
  • Street name of childhood home
  • Favorite food

Much of this information is publicly available through common background search tools, and many people unwittingly share details about pets, favorite foods, sports, and music on social media. Attackers can also contact employees through fake profiles to build a list of likely answers before attempting to take over the account. Use a recovery path that proves identity, not a hint or a question.

Create a Password Blacklist

SP 800-63B requires verifiers to compare every new password against a blocklist of values that are commonly used, expected, or compromised, and to reject matches. (This is an 800-63B requirement rather than a CSF one; the CSF only says that authentication and access must be managed.) The exact contents of the list are up to your organization, but it should typically include:

  • Previously compromised or breached passwords
  • Words related to your business
  • Proper names or words related to the user’s name
  • Commonly chosen passwords (e.g., “password,” “princess,” or “monkey”)
  • Repetitive or sequential characters (such as “aaaaaa,” “1234abcd,” or “abcddcba”)

Before allowing employees to change or create a password, the system should compare the choice against the blocklist, reject prohibited values, and tell the user why so they can pick something different.
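As an added example (not code from the article or from NIST), here is a Python password-acceptance check that ties together the length and character rules from the sections above with the blocklist rules from this one. The thresholds (8 minimum, 15 recommended, 64 accepted) are those of SP 800-63B-4; the breached-password set, the organization words for a hypothetical company called “Acme”, the username, and the sample inputs are all constructed for the example. Stripping trailing digits and symbols before the blocklist comparison is an extra hardening step of my own, not a NIST requirement.

```python
"""Password acceptance check modelled on SP 800-63B-4.

Added example, not from the article or from NIST. Thresholds follow
800-63B-4; the blocklist, organization words, and username are
constructed sample data.
"""
import re
import unicodedata
from dataclasses import dataclass, field

MIN_LEN = 8           # SHALL: at least 8 characters
RECOMMENDED_LEN = 15  # SHOULD: at least 15 characters
MAX_LEN = 64          # SHALL: accept at least 64; this example caps there

# Constructed stand-in for a breach corpus / common-password list.
BREACHED = {"password", "123456", "qwerty", "letmein", "princess", "monkey"}
# Hypothetical organization-specific words (assumption: the company is "Acme").
ORG_WORDS = {"acme", "acmecorp"}


@dataclass
class Verdict:
    accepted: bool
    reasons: list = field(default_factory=list)   # told to the user on rejection
    warnings: list = field(default_factory=list)  # accepted, but worth flagging


def patterned_window(s: str, n: int = 4):
    """First window of n characters that is all-identical or a strictly
    ascending/descending code-point run ("aaaa", "abcd", "4321"), else None."""
    for i in range(len(s) - n + 1):
        w = s[i:i + n]
        steps = {ord(b) - ord(a) for a, b in zip(w, w[1:])}
        if steps in ({0}, {1}, {-1}):
            return w
    return None


def check_password(pw: str, username: str = "",
                   breached=BREACHED, org_words=ORG_WORDS) -> Verdict:
    # Normalize so visually identical Unicode forms compare equal; count code
    # points, not bytes, and never truncate.
    pw = unicodedata.normalize("NFKC", pw)
    reasons, warnings = [], []

    # Every printable character is allowed: spaces, symbols, non-ASCII letters.
    if not all(ch.isprintable() for ch in pw):
        reasons.append("contains non-printable characters")
    if len(pw) < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    elif len(pw) > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")
    elif len(pw) < RECOMMENDED_LEN:
        warnings.append(f"below the recommended {RECOMMENDED_LEN} characters")

    lower = pw.casefold()
    # Blocklist: exact match, plus a retry with trailing digits/symbols removed
    # so "Password123!" still hits "password" (hardening beyond the bare rule).
    core = re.sub(r"[\d\W_]+$", "", lower)
    if lower in breached or core in breached:
        reasons.append("appears in a list of breached or commonly used passwords")

    # Context-specific words: organization names and tokens of the username.
    context = set(org_words) | {t for t in re.split(r"\W+", username.casefold()) if len(t) >= 3}
    hit = next((w for w in sorted(context) if w in lower), None)
    if hit:
        reasons.append(f"contains a context-specific word ({hit!r})")

    run = patterned_window(lower)
    if run:
        reasons.append(f"contains a repetitive or sequential run ({run!r})")

    return Verdict(not reasons, reasons, warnings)


if __name__ == "__main__":
    for candidate in ["Rabbit Banana 12 Axel F Tummy", "Password123!", "abcddcba", "acme2025!!"]:
        v = check_password(candidate, username="jdoe")
        print(f"{candidate!r}: {'accepted' if v.accepted else 'rejected'} {v.reasons or v.warnings}")
```

The function returns the reasons rather than a bare boolean so the registration form can show the user exactly which rule was hit, as the guideline asks. A real deployment would load the breached set from a breach corpus or query a k-anonymity range API instead of keeping it in memory, and would store the result of the check, not the password, in its audit log.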

How Can You Implement NIST Guidelines for Passwords?

NIST guidelines for passwords are only effective if your users follow them. Instead of creating a policy that depends on ideal employee behavior, implement standards that are realistic for everyday work:

  • Requiring employees to have an authenticator app on their phone for multifactor authentication
  • Setting up periodic training sessions for login security that show common mistakes
  • Combining password-creation practice with anti-phishing courses

Establish an approved channel for password resets that proves the requester’s identity, such as a video chat or an in-person visit, rather than relying on security questions or details an attacker could research.

Are NIST Authentication Recommendations Effective?

The NIST CSF 2.0 helps organizations set up a robust authentication system that combines technology, training, and data-driven policies. The framework emphasizes risk mitigation with preventative measures. This multi-layered approach to authentication is more effective than relying on passwords alone to keep out attackers. 

For example, SP 800-63B requires the verifier itself to rate-limit failed attempts, so that an account is throttled or locked after a bounded number of consecutive failures (NIST caps this at 100 per account), and to re-authenticate idle sessions. The 30-minute inactivity timeout often quoted for NIST compliance is the AAL2 figure from SP 800-63B rev. 3; rev. 4 ties reauthentication to the assurance level, so confirm the interval for your AAL before hard-coding it.
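The verifier-side logic this paragraph describes, as an added example that is not code from the article or from NIST: a per-account counter of consecutive failures with the SP 800-63B cap of 100, and a session store that expires sessions after the 30 minutes of inactivity cited above. The user “alice”, her password, the salted-scrypt storage and the scrypt cost (lowered so the demo runs quickly) are my assumptions for the example.

```python
"""Verifier-side rate limiting and idle-session re-authentication.

Added example, not from the article or from NIST. The per-account cap of
100 consecutive failures is the SP 800-63B limit; the 30-minute idle
timeout is the figure quoted in the article (AAL2 in rev. 3). The scrypt
cost is lowered for the demo and must be raised in production.
"""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass

MAX_CONSECUTIVE_FAILURES = 100   # SP 800-63B: no more than 100 consecutive failures per account
IDLE_TIMEOUT_S = 30 * 60         # re-authenticate after 30 minutes without activity
SCRYPT_N = 2 ** 12               # demo cost; use 2**14 or higher in production


def _hash(pw: str, salt: bytes) -> bytes:
    return hashlib.scrypt(pw.encode(), salt=salt, n=SCRYPT_N, r=8, p=1)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0   # consecutive failures; reset on success


class ManualClock:
    """Deterministic clock so the idle timeout can be exercised without waiting."""
    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self) -> float:
        return self.now


class Verifier:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.accounts = {}   # username -> Account
        self.sessions = {}   # session id -> (username, last activity time)
        self._dummy_salt = os.urandom(16)

    def register(self, user: str, pw: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _hash(pw, salt))

    def login(self, user: str, pw: str):
        """Return a session id on success, None on failure or lockout."""
        acct = self.accounts.get(user)
        if acct is None:
            _hash(pw, self._dummy_salt)   # same cost as a real check: no username enumeration by timing
            return None
        # The cap is per account and counts consecutive failures, so guessing
        # spread across many source addresses still runs into it.
        if acct.failures >= MAX_CONSECUTIVE_FAILURES:
            return None                   # locked until a verified reset clears the counter
        if not hmac.compare_digest(_hash(pw, acct.salt), acct.digest):
            acct.failures += 1
            return None
        acct.failures = 0
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = (user, self.clock())
        return sid

    def touch(self, sid: str) -> bool:
        """Call on every request: refresh the session, or expire it if idle too long."""
        entry = self.sessions.get(sid)
        if entry is None:
            return False
        user, last = entry
        now = self.clock()
        if now - last > IDLE_TIMEOUT_S:
            del self.sessions[sid]        # subscriber must authenticate again
            return False
        self.sessions[sid] = (user, now)
        return True
```

Two design points worth noting: the counter is keyed by account rather than by client address, because a distributed guessing campaign never trips a per-IP limit, and a lookup of an unknown username still pays the hashing cost so that response time does not reveal which accounts exist.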

Why Are the New NIST Password Guidelines Important?

The NIST guidelines matter because they are built around how people actually behave rather than how a policy wishes they would.

The new NIST controls recognize that there’s a big difference between “ideal” cybersecurity and real-world user behavior. It’s true that an eight-character password with special characters is harder to guess than one with only lowercase letters, but how many users can realistically memorize something like “Rt#Yn%T9y”?

Instead, what usually happened was that employees wrote down hard-to-memorize passwords in exposed locations, such as plaintext documents or sticky notes at their desks.

Similarly, requiring frequent password changes generally led users to shift only a few letters. But changing “Good*Monkey*Monday” to “Gud_Munky_Munday” does little against today’s cybercriminals, whose guessing tools try exactly those substitutions. It’s better to have a longer, less complex password or use a random one generated by a password manager.

How To Improve Employee Adoption of NIST Password Guidelines

Instead of setting policies and waiting for employees to follow through, track the implementation of NIST password guidelines with automated workflows. Compyl’s cutting-edge compliance solutions help you integrate NIST frameworks from the ground up. Contact us for more information about how you can strengthen security, reduce manual effort, and stay audit-ready with a platform built to adapt to your needs.
