Industry Insights with Mike Wilson

NIST Standards , Standards, Regulations & Compliance

Surprising Password Guidelines from NIST

NIST Cyber Security Framework
Surprising Password Guidelines from NIST

NIST finalized new guidelines, substantially revising password security recommendations and upending many of the standards and best practices which security professionals use when forming policies for their companies.

For quick background, The National Institute of Standards and Technology (NIST) is a non-regulatory federal agency within the U.S. Department of Commerce. Its mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.

No more arbitrary password complexity requirements... Like frequent password changes, it's been shown repeatedly that these types of restrictions often result in worse passwords. 

NIST develops Federal Information Processing Standards (FIPS) which the Secretary of Commerce approves and with which federal agencies must comply. NIST also provides guidance documents and recommendations through its Special Publications (SP) 800-series.

NIST guidelines often become the foundation for best practice recommendations across the security industry and are incorporated into other standards.

NIST 800-63-3: Digital Identity Guidelines has made some long overdue changes when it comes to recommendations for user password management.

The new framework recommends, among other things:

  • Remove periodic password change requirements
    This is one that legions of corporate employees forced to create a new password every month will surely be happy about. There have been multiple studies that have shown requiring frequent password changes to actually be counterproductive to good password security, but the industry has doggedly held on to the practice. Hopefully, these new recommendations will change that.
  • Drop the algorithmic complexity song and dance
    No more arbitrary password complexity requirements needing mixtures of upper case letters, symbols and numbers. Like frequent password changes, it's been shown repeatedly that these types of restrictions often result in worse passwords.
  • Require screening of new passwords against lists of commonly used or compromised passwords
    This is one near and dear to our hearts here at Enzoic. One of the best ways to ratchet up the strength of your users' passwords is to screen them against lists of dictionary passwords and known compromised passwords.

All three of these recommendations are things we have been advising for some time now and the NIST password screening recommendation is made trivial with our Password Strength Meter or RESTful API service.

While it wasn't explicitly mentioned in the NIST guidelines, we contend that another important security practice is checking your user credentials against a list of known compromised credentials, something we can also help with. We predict this will show up in their next version soon.



About the Author

Mike Wilson

Mike Wilson

Founder & CTO, Enzoic

Mike C Wilson is the Founder and CTO of Enzoic (formerly PasswordPing), an innovative cyber-security startup that helps enterprises screen for compromised credentials during authentication and in Active Directory. Mike has spent 20 years in software development, with 12 years specifically in the information security space. At Webroot, Mike led the development of Spy Sweeper, Webroot's industry-leading anti-spyware product, and later the development of Webroot's first mobile security product for smartphones. At LogicNow, he was Chief Scientist and again led the development of an anti-malware product, this time introducing enhanced antivirus and web filtering functionality to the Managed Service Provider (MSP) space. Mike started his career in the high-security environment at NASA, working on the mission control center redevelopment project. Mike also founded several successful startups and he has a BS in Computer Science and Aerospace Engineering from Texas A&M. Mike lives in beautiful Boulder, Colorado with his wife and pets.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing ffiec.bankinfosecurity.com, you agree to our use of cookies.