Our daily lives increasingly take place online. That brings a need to create and maintain dozens, if not hundreds, of online accounts, each with logins and passwords.
At the same time, we routinely hear about data breaches, and unfortunately they show few signs of slowing down. In the Bitwarden 2023 Password Decisions Survey, 60% of independent IT decision-makers across a range of industries reported their organization experienced a cyberattack within the past year.
So, how do you know if your password is secure?
The National Institute of Standards and Technology (NIST), founded in 1901, is now part of the U.S. Department of Commerce. NIST provides a range of recommendations and frameworks across industries, and it has particularly excellent resources for cybersecurity.
In NIST Special Publication 800-63B - Digital Identity Guidelines - Authentication and Lifecycle Management, we see a set of informative recommendations on NIST password guidelines.
'Appendix A - Strength of Memorized Secrets' provides three simple recommendations, applying them also to PINs and passphrases.
NIST password guidelines describe composition rules, such as requiring a digit or symbol, but ultimately decide to focus on length, combined with complexity and randomness.
Here’s the simple equation. Longer passwords are safer. But they are harder to use and harder to remember. We’ll address this later.
If the password is too short, it can be susceptible to a brute force attack, where a computer, or a malicious computer program, goes through every combination of characters, 8 digits long or more. The program may also go through the most common passwords, guessing the password in a handful of tries.
According to the NIST password guidelines, “users should be encouraged to make their passwords as lengthy as they want, within reason.”
At just 14 characters, random strings are extremely secure.
In the same way that it is hard for you to remember these characters, it is much harder for a computer to guess them, and doing so would likely take centuries.
A passphrase uses random words together as a password. Some people prefer passphrases because with just a few words they provide both strong security and the potential to be remembered or entered manually if needed.
Websites often require password complexity, with different letter cases, numbers, and symbols. Humans are far less creative, or more connected, than we assume, and too often the password chosen is Password1!, which is technically “complex”.
So while password complexity is often imposed by websites, it is incomplete until we remove the human element in creating a complex password. Security-conscious sites might offer a recommended random password. And while likely safe, many users would rightfully prefer to create their own password.
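To make the Password1! problem concrete, here is an added example (not code from NIST or Bitwarden) that puts a typical composition rule beside a check based on length and a list of common passwords. The function names, the sample blocklist, and the use of this article's 14-character figure as the threshold are assumptions made for the illustration.

```python
import re

# Constructed sample blocklist; a real deployment would load a large list
# of commonly used and previously breached passwords.
COMMON_PASSWORDS = {"password", "password1", "password1!", "123456", "qwerty", "letmein"}

MIN_LENGTH = 14  # assumption: the length this article recommends


def passes_composition_rules(password: str) -> bool:
    """Typical website rule: 8+ characters with upper, lower, digit and symbol."""
    return (
        len(password) >= 8
        and re.search(r"[A-Z]", password) is not None
        and re.search(r"[a-z]", password) is not None
        and re.search(r"\d", password) is not None
        and re.search(r"[^A-Za-z0-9]", password) is not None
    )


def check_length_and_blocklist(password: str) -> list:
    """Return the reasons a password is rejected; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    return problems


if __name__ == "__main__":
    # Constructed candidates: a "complex" human choice and a long passphrase.
    for candidate in ["Password1!", "maple-orbit-canvas-thirsty-lantern"]:
        print(candidate,
              "| composition rule:", passes_composition_rules(candidate),
              "| length/blocklist problems:", check_length_and_blocklist(candidate))
```

The composition rule accepts Password1! and rejects the long passphrase, while the length and blocklist check does the opposite.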
Of course, complex passwords are hard to remember. The NIST password guidelines acknowledge this challenge, stating “Length and complexity requirements beyond those recommended here significantly increase the difficulty of memorized secrets and increase user frustration. As a result, users often work around these restrictions in a way that is counterproductive.”
We address the solution to this shortly.
As expected, users choose the same password far too often. They also frequently re-use that password. This means that a data breach at one website could compromise their security across any website where they have re-used the same password. This could be the difference between happy internet surfing and the misery of identity theft.
According to the NIST password guidelines, “secrets that are randomly chosen...will be more difficult to guess or brute-force attack than user-chosen secrets meeting the same length and complexity requirements.”
Passwords, still ubiquitous across websites and applications, deliver a powerful first line of defense for internet users. This is especially true when users create long, complex, and random passwords for each website.
Taken together, these best practices are impossible for a human being to manage, but very easy for a computer and computer program to manage.
If you align with the NIST password guidelines so far, and follow the math of what is hard to guess, every password you use for every website should be unique, as well as 14 characters long or more.
Clearly there is no way to do this except with the help of a password manager, such as Bitwarden.
A password manager lets you create one primary password (recommended to be long, complex, and random) and then use that to encrypt and store your other passwords. You can start with just a few, and add more passwords to your password manager over time.
Password managers also come with password generators so you can create long, complex, and random passwords with the click of a button.
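As an added illustration of what such a generator does (this is not Bitwarden's code), the sketch below draws random passwords and passphrases with Python's `secrets` module and estimates how long an exhaustive search would take, tying together the length and randomness points above. The 16-word list, the guess rate of 10 billion per second, and all function names are assumptions chosen for the example.

```python
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

# Constructed 16-word list so the block runs offline; real passphrase
# generators draw from lists of several thousand words.
SAMPLE_WORDS = ["anchor", "breeze", "copper", "dolphin", "ember", "forest", "glacier", "harbor",
                "island", "jungle", "kettle", "lantern", "meadow", "nectar", "orchid", "pebble"]

GUESSES_PER_SECOND = 1e10  # assumed attacker speed, for illustration only
SECONDS_PER_YEAR = 365 * 24 * 3600


def random_password(length=14):
    """Pick each character independently and uniformly with a CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_passphrase(words=SAMPLE_WORDS, count=5, sep="-"):
    """Join `count` words drawn uniformly at random from `words`."""
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(choices, picks):
    """Entropy of `picks` independent uniform draws from `choices` options."""
    return picks * math.log2(choices)


def years_to_exhaust(bits, rate=GUESSES_PER_SECOND):
    """Time to try every candidate; the expected time to a hit is half this."""
    return 2 ** bits / rate / SECONDS_PER_YEAR


if __name__ == "__main__":
    print(random_password(), random_passphrase())
    # 7776 is an assumed word-list size, used here only for comparison.
    for label, bits in [("8 random chars", entropy_bits(94, 8)),
                        ("14 random chars", entropy_bits(94, 14)),
                        ("5 words of 7776", entropy_bits(7776, 5))]:
        print(f"{label}: {bits:.1f} bits, {years_to_exhaust(bits):.3g} years")
```

These estimates hold only for secrets chosen uniformly at random; a human-chosen password of the same length has far less entropy than the formula suggests.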
How does the password manager keep your passwords safe? Most start by ensuring that they do not store your passwords, but only encrypted versions that can only be decrypted by the user themselves. The password manager provider, by storing your information with end-to-end encryption, does not know your secure information and cannot derive it in any way, even if the company tried.
For more on security in password managers, see our help section on security.
With a password manager in place, users can create unique passwords for every website that are long, complex, and random. They can also synchronize passwords across multiple devices and if desired, share information securely with family, friends, or colleagues. Leveraging a password manager enables users and organizations to remain secure and align with the NIST password guidelines.
If you are using another password manager, you can import that data into Bitwarden.
Editor's Note: This article was originally written on May 18, 2021 and was updated on September 13th, 2023.