The National Institute of Standards and Technology (NIST) has updated its password guidelines following new research. The U.S. government requires its agencies to follow these guidelines, and many other organizations would benefit from implementing these rules as well.
These practices represent a reasonable standard and will help you keep confidential information safe and protect against breaches.
NIST is a federal agency that promotes U.S. innovation and industry by advancing the nation’s technology and information security infrastructure. Following these updated guidelines can help you improve your password security practices and increase staff efficiency. Next, we’ll take you through recommended practices from the new guidelines and how to comply with them.
Increase password length
Length is a critical component of strong passwords. Longer passwords are statistically less likely to be cracked. Because of this, NIST now requires a minimum length of eight characters for user-generated passwords and six characters for those generated by a machine. NIST says you should set the maximum password length at 64 characters to ensure greater security for more sensitive accounts.
Allow special characters and spaces
Another way of increasing security levels is to allow special characters in passwords. NIST now requires systems to permit passwords that contain special characters, even emojis, and spaces. The new guidelines prohibit sequential (ex: 1234) or repeating (ex: aaaa) characters and dictionary words.
Join 30,000+ fundraising professionals that receive our weekly Sunday newsletter with industry trends, tips, and analysis delivered right to your inbox
Permit users to paste text
The guidelines encourage the use of automated systems for added security. For example, password fields must now allow users to paste text using a device’s copy and paste feature. This enables users to use password managers, which can significantly increase security.
Stored passwords must also be hashed and salted (security measures similar to encryption). These are security measures that help to safeguard passwords that are in storage. If put into effect, hackers won’t be able to read your password data even if they manage to steal it.
Outlaw password hints
Password hints are one example of an added security measure that can undermine password security. It’s only too common for users to set hints that make it easy to determine the password. This defeats the purpose of having a password in the first place.
To prevent this, NIST has wholly outlawed the use of password hints. In addition, knowledge-based authentication (KBA) questions like “What street did you grow up on?” are also no longer permitted. These answers are too easily found over the internet and can easily lead to a breach.
Remove periodic password change requirements
Recent studies have shown that company policies that require frequent password changes are counterproductive to good password security. Therefore, NIST recommends removing this requirement, increasing usability, and making password security more user-friendly.
Many industries have had a frequent password change standard for years, so it may take some time before this new standard is commonly observed. But for those who found the previous benchmark unnecessary, this may come as a welcome change.
NIST recommends minimizing password complexity requirements, like the necessary inclusion of upper case letters, symbols, and numbers. As with frequent password change policies, these requirements can result in passwords that decrease usability and hamper employee efficiency. Reducing password complexity can be another significant step on the road to better security practices that employees find easier to manage.
Screen new passwords against commonly used or compromised passwords
A commonly held security practice is screening your users’ passwords against lists of widely held passwords and known compromised passwords. Instead, NIST recommends you utilize software to check proposed passwords against previously held or exposed passwords. This will protect against the hacking practice of trying known passwords in new settings.