
The State of Password Security 2022 Report

A report and assessment of security advice from U.S. Federal Agencies.

Assessing the State of Password Security within U.S. Federal Agencies

Recent years have brought an intense focus on cybersecurity across the United States Federal Government with many agencies leading the way in educating government organizations and businesses large and small, as well as consumers.

However, when it comes to password security, not every agency is singing the same tune. One of the foremost groups, the National Institute of Standards and Technology (NIST), offers excellent advice but its recommendations have not yet been universally accepted.

Technology moves fast. For businesses and individuals alike, much of life now happens online, across a myriad of accounts ranging from entertainment sites to serious financial business such as bank accounts.

The goal of this assessment is to engage and educate everyone who uses passwords on the best practices coming from the federal government and where there is room for improvement. There are many within the federal government who have a solid educational approach to password security, and there are others that might need a bit of assistance to modernize.

Fortunately, consensus is building on best practices for password security. This report consolidates and assesses the details.

Guideline to Password Security Ratings System

The rating system ranks agencies based on adherence to the following criteria:

Very Good

  • Recommends use of a password manager

  • Calls out importance of strong passwords

  • Cites need for 2FA/MFA to further support password security

  • Overall security advice is up-to-date and adheres to NIST guidelines

  • Lays out password security recommendations in a clear, digestible, and easy-to-find manner


Good
  • Calls out importance of strong passwords

  • Cites need for 2FA/MFA to further support password security

  • Overall security advice is up-to-date and adheres to NIST guidelines

  • Lays out password security recommendations in a clear, digestible, and easy-to-find manner


Fair
  • Calls out need for password security but does not mention 2FA/MFA

  • Overall security advice is up-to-date and adheres to NIST guidelines

  • Information is not laid out in a clear, digestible, or easy-to-find manner

Room for Improvement

  • Offers inaccurate and misguided password security advice OR does not mention passwords or password security

  • Does not adhere to NIST guidelines

  • Information is not laid out in a clear, digestible, or easy-to-find manner

National Institute of Standards and Technology (NIST)

NIST Risk Management Framework | IA-5(18)

Agency Advice:

  • Authenticator Management | Password Managers

    • Employ [Assignment: Organization-defined password managers] to generate and manage passwords; and

      • Protect the passwords using [assignment: organization-defined controls].

      • For systems where static passwords are employed, it is often a challenge to ensure that the passwords are suitably complex and that the same passwords are not employed on multiple systems. A password manager is a solution to this problem as it automatically generates and stores strong and different passwords for various accounts. A potential risk of using password managers is that adversaries can target the collection of passwords generated by the password manager. Therefore, the collection of passwords requires protection including encrypting the passwords and storing the collection offline in a token.

  • Reference

Digital Identity Guidelines

Agency Advice:

  • Verifiers SHALL require subscriber-chosen memorized secrets to be at least 8 characters in length. Verifiers SHOULD permit subscriber-chosen memorized secrets at least 64 characters in length.

  • Memorized secret verifiers SHALL NOT permit the subscriber to store a “hint” that is accessible to an unauthenticated claimant. Verifiers SHALL NOT prompt subscribers to use specific types of information (e.g., “What was the name of your first pet?”) when choosing memorized secrets.

  • When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. For example, the list MAY include, but is not limited to:

    • Passwords obtained from previous breach corpuses.

    • Dictionary words.

    • Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’).

    • Context-specific words, such as the name of the service, the username, and derivatives thereof.

  • If the chosen secret is found in the list, the CSP or verifier SHALL advise the subscriber that they need to select a different secret, SHALL provide the reason for rejection, and SHALL require the subscriber to choose a different value.

  • Verifiers SHOULD offer guidance to the subscriber, such as a password-strength meter [Meters], to assist the user in choosing a strong memorized secret. This is particularly important following the rejection of a memorized secret on the above list as it discourages trivial modification of listed (and likely very weak) memorized secrets [Blacklists].

  • Verifiers SHALL implement a rate-limiting mechanism that effectively limits the number of failed authentication attempts that can be made on the subscriber’s account as described in Section 5.2.2.

  • Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

  • Verifiers SHOULD permit claimants to use “paste” functionality when entering a memorized secret. This facilitates the use of password managers, which are widely used and in many cases increase the likelihood that users will choose stronger memorized secrets.

  • Verifiers SHALL store memorized secrets in a form that is resistant to offline attacks. Memorized secrets SHALL be salted and hashed using a suitable one-way key derivation function. Key derivation functions take a password, a salt, and a cost factor as inputs then generate a password hash. Their purpose is to make each password guessing trial by an attacker who has obtained a password hash file expensive and therefore the cost of a guessing attack high or prohibitive. Examples of suitable key derivation functions include Password-based Key Derivation Function 2 (PBKDF2) [SP 800-132] and Balloon [BALLOON]. A memory-hard function SHOULD be used because it increases the cost of an attack. The key derivation function SHALL use an approved one-way function such as Keyed Hash Message Authentication Code (HMAC) [FIPS 198-1], any approved hash function in SP 800-107, Secure Hash Algorithm 3 (SHA-3) [FIPS 202], CMAC [SP 800-38B] or Keccak Message Authentication Code (KMAC), Customizable SHAKE (cSHAKE), or ParallelHash [SP 800-185]. The chosen output length of the key derivation function SHOULD be the same as the length of the underlying one-way function output.

  • The salt SHALL be at least 32 bits in length and be chosen arbitrarily so as to minimize salt value collisions among stored hashes. Both the salt value and the resulting hash SHALL be stored for each subscriber using a memorized secret authenticator.

  • The classic paradigm for authentication systems identifies three factors as the cornerstones of authentication:

    • Something you know (e.g., a password).

    • Something you have (e.g., an ID badge or a cryptographic key).

    • Something you are (e.g., a fingerprint or other biometric data).

  • MFA refers to the use of more than one of the above factors. The strength of authentication systems is largely determined by the number of factors incorporated by the system — the more factors employed, the more robust the authentication system. For the purposes of these guidelines, using two factors is adequate to meet the highest security requirements.

  • Reference
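Added example (not NIST's or the report's code) showing how a verifier can apply the SP 800-63B rules quoted above: length bounds, a blocklist check that tells the subscriber why a secret was rejected, no composition rules, salted PBKDF2 storage with a 128-bit salt, and a failed-attempt limit. The blocklist, iteration count and lockout threshold are constructed or assumed values, as marked in the comments.

```python
"""Verifier-side handling of memorized secrets per SP 800-63B (added example)."""
import hashlib
import hmac
import os
import re

MIN_LEN = 8              # verifiers SHALL require at least 8 characters
MAX_LEN = 128            # SHOULD permit at least 64; 128 is this example's cap
PBKDF2_ITERS = 200_000   # assumed cost factor; tune upward for production
SALT_BYTES = 16          # 128-bit random salt (the minimum is 32 bits)
MAX_FAILED = 5           # assumed lockout threshold; section 5.2.2 governs the real one

# Constructed stand-in for a breach corpus and dictionary-word list.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome", "iloveyou"}
_REPEAT = re.compile(r"^(.)\1+$")                     # e.g. 'aaaaaaaa'
_RUNS = ("0123456789", "abcdefghijklmnopqrstuvwxyz")  # e.g. '1234abcd'


def _has_sequential_run(s: str, n: int = 4) -> bool:
    """True if any n-character window is a forward or backward run."""
    low = s.lower()
    for i in range(len(low) - n + 1):
        window = low[i:i + n]
        if any(window in r or window in r[::-1] for r in _RUNS):
            return True
    return False


def check_secret(secret: str, username: str, service: str) -> tuple[bool, str]:
    """Return (accepted, reason); the reason is what the subscriber is told."""
    if len(secret) < MIN_LEN:
        return False, f"must be at least {MIN_LEN} characters"
    if len(secret) > MAX_LEN:
        return False, f"must be at most {MAX_LEN} characters"
    low = secret.lower()
    if low in BLOCKLIST:
        return False, "appears in a list of commonly used or breached passwords"
    if _REPEAT.match(secret) or _has_sequential_run(secret):
        return False, "repetitive or sequential characters are not allowed"
    for ctx in (username, service):      # context-specific words and reversals
        c = ctx.lower()
        if len(c) >= 3 and (c in low or c[::-1] in low):
            return False, "must not contain the username or service name"
    # Deliberately no composition rules (mixed case, symbols, and so on).
    return True, "ok"


def hash_secret(secret: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; output length equals SHA-256's 32 bytes."""
    if not salt:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ITERS)
    return salt, digest


class Verifier:
    """In-memory store of (salt, hash) per subscriber plus a failure counter."""

    def __init__(self, service: str = "example-service"):
        self.service = service
        self._store: dict[str, tuple[bytes, bytes]] = {}
        self._failed: dict[str, int] = {}

    def enroll(self, username: str, secret: str) -> tuple[bool, str]:
        ok, reason = check_secret(secret, username, self.service)
        if not ok:
            return False, reason
        self._store[username] = hash_secret(secret)
        self._failed[username] = 0
        return True, "enrolled"

    def authenticate(self, username: str, secret: str) -> tuple[bool, str]:
        if username not in self._store:
            hash_secret(secret)            # burn equal time; no enumeration hint
            return False, "invalid credentials"
        if self._failed[username] >= MAX_FAILED:
            return False, "account locked after too many failed attempts"
        salt, expected = self._store[username]
        if hmac.compare_digest(hash_secret(secret, salt)[1], expected):
            self._failed[username] = 0
            return True, "authenticated"
        self._failed[username] += 1
        return False, "invalid credentials"
```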

The White House

Federal Zero Trust Strategy

Agency Advice:

  • MFA will generally protect against some common methods of gaining unauthorized account access, such as guessing weak passwords or reusing passwords obtained from a data breach.

  • Agencies are encouraged to pursue greater use of passwordless multi-factor authentication as they modernize their authentication systems. However, when passwords are in use, they are a “factor” in multi-factor authentication. If outdated password requirements lead agency staff to reuse passwords from their personal life, store passwords insecurely, or otherwise use weak passwords, adversaries will find it much easier to obtain unauthorized account access—even within a system that uses MFA.

  • Consistent with the practices outlined in SP 800-63B, agencies must remove password policies that require special characters and regular password rotation from all systems within one year of the issuance of this memorandum. These requirements have long been known to lead to weaker passwords in real-world use and should not be employed by the Federal Government. These policies should be removed by agencies as soon as is practical and should not be contingent on adopting other protections.

  • Reference

Protecting against malicious cyber activity

Agency Advice:

  • Change Passwords and Mandate Multi-Factor Authentication (MFA). Ask your IT staff how long it has been since employees changed their passwords. Many criminals use stolen credentials, so forcing a reset (with adequate length and complexity) before the holidays can deny malicious actors access to your systems. At the same time, confirm that your organization has implemented MFA and that it is required without exception. If you have MFA available, but are not requiring it, change that – require all staff to use the security technology that you have already acquired. MFA significantly reduces your risk from almost all opportunistic attempts to gain entry into key systems.

  • Reference

Fact sheet: Initiatives to bolster nation’s cybersecurity

Agency Advice:

  • Amazon announced it will make available to the public at no charge the security awareness training it offers its employees. Amazon also announced it will make available to all Amazon Web Services account holders at no additional cost, a multi-factor authentication device to protect against cybersecurity threats like phishing and password theft.

  • Reference

Memo to nation’s leaders

Agency Advice:

  • Implement the five best practices from the President’s Executive Order: President Biden’s Improving the Nation’s Cybersecurity Executive Order is being implemented with speed and urgency across the Federal Government. We’re leading by example because these five best practices are high impact: multi-factor authentication (because passwords alone are routinely compromised), endpoint detection & response (to hunt for malicious activity on a network and block it), encryption (so if data is stolen, it is unusable) and a skilled, empowered security team (to patch rapidly, and share and incorporate threat information in your defenses). These practices will significantly reduce the risk of a successful cyberattack.

  • Reference

Cybersecurity and Infrastructure Security Agency (CISA)

Reminder for critical infrastructure

Agency Advice:

  • Identify IT security employees for weekends and holidays who would be available to surge during these times in the event of an incident or ransomware attack.

  • Implement multi-factor authentication for remote access and administrative accounts.

  • Mandate strong passwords and ensure they are not reused across multiple accounts.

  • If you use remote desktop protocol (RDP) or any other potentially risky service, ensure it is secure and monitored.

  • Remind employees not to click on suspicious links, and conduct exercises to raise awareness.

  • Reference

Preparing for and mitigating cyber threats

Agency Advice:

  • Increase organizational vigilance by ensuring there are no gaps in Information Technology (IT)/Operational Technology (OT) security personnel coverage and that staff provides continual monitoring for all types of anomalous behavior. Security coverage is particularly important during the winter holiday season when organizations typically have lower staffing.

  • Prepare your organization for rapid response by adopting a state of heightened awareness. Create, update, or review your cyber incident response procedures and ensure your personnel are familiar with the key steps they need to take during and following an incident. Have staff check reporting processes and exercise continuity of operations plans to test your ability to operate key functions in an IT-constrained or otherwise degraded environment. Consider your organization’s cross-sector dependencies and the impact that a potential incident at your organization may have on other sectors, as well as how an incident at those sectors could affect your organization.

  • Ensure your network defenders implement cybersecurity best practices. Enforce multi-factor authentication and strong passwords, install software updates (prioritizing known exploited vulnerabilities), and secure accounts and credentials.

  • Stay informed about current cybersecurity threats and malicious techniques. Encourage your IT/OT security staff to subscribe to CISA’s mailing list and feeds to receive notifications when CISA releases information about a security topic or threat.

  • Lower the threshold for threat and information sharing. Immediately report cybersecurity incidents and anomalous activity to CISA and/or the FBI.

  • Reference

The National Security Agency (NSA)

Cisco Password Types: Best Practices

Agency Advice:

  • The rise in the number of compromises of network infrastructures in recent years is a reminder that authentication to network devices is an important consideration. Network devices could be compromised due to:

    • Poor password choice (vulnerable to brute force password spraying)

    • Router configuration files (which contain hashed passwords) sent via unencrypted email, or

    • Reused passwords (where passwords recovered from a compromised device can then be used to compromise other devices).

  • Using passwords by themselves increases the risk of device exploitation. While NSA strongly recommends multi-factor authentication for administrators managing critical devices, sometimes passwords alone must be used. Choosing good password storage algorithms can make exploitation much more difficult.

  • To provide as much protection as possible, use strong passwords to prevent them from being cracked and converted to plaintext. Comply with a password policy that:

    • Consists of a combination of lowercase and uppercase letters, symbols, and numbers;

    • Is at least 15 alphanumeric characters; and

    • Patterns that are not:

      • A keyboard walk

      • The same as a user name

      • The default password

      • The same as a password used anywhere else

      • Related to the network, organization, location, or other function identifiers

      • Straight from a dictionary, common acronyms, or easy to guess

  • The importance of implementing password security for Cisco network devices will greatly decrease the chances of any network being compromised. If one is mindful of the hash and encryption algorithms that are available within Cisco devices, more secure configurations can be set to prevent password exposure as follows:

    • Use password Type 8. Do not use Types 0, 4, and 7. Only use Type 5 when Types 6, 8, and 9 are not available, and upgrade hardware and software to support modern hash algorithms. Use password Type 6 when reversible encryption must be used.

    • Use strong password policies to get into privilege EXEC mode. Along with using strong password hash and encryption algorithms, creating a password that is very difficult to guess can prevent a network compromise. A complex password can prevent an unauthorized user from gaining elevated privileges and exposing the configuration file.

    • Use privilege levels. Do not apply level 15 to all user accounts. Provision various privileged levels to user accounts and commands based on user roles.

  • Reference
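Added example (not NSA's code) that applies the Cisco advice above as a configuration check: it parses `enable` and `username` credential lines from a running-config, rates each stored password type, and notes when every account holds privilege 15. The sample config and its hash values are constructed placeholders.

```python
"""Flag weak Cisco IOS password types in a running-config (added example)."""
import re

# Ratings follow the NSA guidance quoted above; Type 8 is PBKDF2-SHA256, Type 9 is scrypt.
RATING = {
    "0": ("high", "plaintext; replace with Type 8 (or 9)"),
    "4": ("high", "deprecated Type 4; replace with Type 8 (or 9)"),
    "5": ("medium", "MD5 Type 5; use only if Types 6/8/9 are unavailable, then upgrade"),
    "6": ("info", "reversible AES Type 6; only where reversible encryption is required"),
    "7": ("high", "Type 7 is reversible obfuscation; replace with Type 8 (or 9)"),
    "8": ("ok", "Type 8 (PBKDF2-SHA256)"),
    "9": ("ok", "Type 9 (scrypt)"),
}

# Matches 'enable password|secret [type] value' and
# 'username NAME [privilege N] password|secret [type] value'.
_CRED = re.compile(
    r"^(?:username\s+(?P<user>\S+)(?:\s+privilege\s+(?P<priv>\d+))?\s+|enable\s+)"
    r"(?P<kind>password|secret)\s+(?:(?P<type>[0-9])\s+)?(?P<value>\S+)\s*$"
)


def audit_ios_config(config: str) -> list[dict]:
    """Return one finding per credential line plus config-wide observations."""
    findings = []
    users = priv15 = 0
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if line == "service password-encryption":
            findings.append(dict(line=lineno, item=line, severity="info",
                                 advice="applies only Type 7 obfuscation; not a substitute for Type 8/9 secrets"))
            continue
        m = _CRED.match(line)
        if not m:
            continue
        item = f"username {m['user']}" if m["user"] else f"enable {m['kind']}"
        if m["user"]:
            users += 1
            if m["priv"] == "15":
                priv15 += 1
        ptype = m["type"]
        if ptype is None and m["kind"] == "password":
            ptype = "0"                       # a bare 'password' is stored in the clear
        if ptype is None:
            severity, advice = "medium", "hash type not shown; set Type 8 or 9 explicitly"
        else:
            severity, advice = RATING.get(ptype, ("medium", f"unknown Type {ptype}; review"))
        findings.append(dict(line=lineno, item=item, severity=severity, advice=advice))
    if users > 1 and priv15 == users:
        findings.append(dict(line=None, item="privilege levels", severity="medium",
                             advice="every user holds privilege 15; provision role-based levels"))
    return findings


# Constructed sample running-config; the hash values are placeholders, not real hashes.
SAMPLE_CONFIG = """\
! constructed sample running-config
service password-encryption
enable password cisco123
enable secret 5 $1$CONSTRUCTED$md5placeholder
username admin privilege 15 secret 8 $8$CONSTRUCTED$pbkdf2placeholder
username netops privilege 15 password 7 0123456789ABCDEF
username backup privilege 15 secret 9 $9$CONSTRUCTED$scryptplaceholder
"""

if __name__ == "__main__":
    for f in audit_ios_config(SAMPLE_CONFIG):
        print(f"{f['severity']:6} line {f['line']}: {f['item']} -> {f['advice']}")
```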

Keeping Safe on Social Media

Agency Advice:

  • Secure and strengthen your passwords. Use unique and strong passwords for each online account. Reusing passwords across multiple accounts can expose data from all of the accounts if the password is discovered. Make sure that your password is of adequate length and complexity, using a combination of letters, numbers, and special characters. Where possible, implement multi-factor authentication using an authentication token or app so that someone can’t access your account even if your password is compromised. Never share passwords and avoid using information that could be guessed based on your social media profiles or public information.

  • Reference

Mobile Device Best Practices

Agency Advice:

  • Use strong lock-screen pins/passwords: a 6-digit PIN is sufficient if the device wipes itself after 10 incorrect password attempts. Set the device to lock automatically after 5 minutes.

  • Reference

Selecting Secure Multi-factor Authentication Solutions

Agency Advice:

  • Single response, multi-factor authentication mechanisms require activation of the device, either with a PIN/password or biometric. The device provides ‘what you have’ and activation of the device implies that ‘what-you-know’ or ‘what-you-are’ has been verified.

  • On the other hand, multi-step authenticators often include a password to provide ‘what-you-know’ and another authenticator that provides ‘what-you-have’. U.S. Government agencies should consider requirements for PIN/password activation as well as for the passwords that are used directly to provide ‘what-you-know’. Guidelines in SP 800-63-3 Part B indicate that memorized secrets (both for activation and as a single factor authenticator) must be at least 6-to-8 characters, and recommends higher password strength for user selected passwords. When determining password requirements, note that multi-factor devices should integrate strict thresholds to address password guessing attacks, whereas verifiers might employ less stringent threshold mechanisms that warrant passwords that are used directly have higher strength requirements.

  • Reference

Department of Homeland Security

CISA falls under DHS.

Cybersecurity page

Agency Advice:

  • President Biden has made cybersecurity, a critical element of the Department of Homeland Security’s (DHS) mission, a top priority for the Biden-Harris Administration at all levels of government.

  • To advance the President’s commitment, and to reflect that enhancing the nation’s cybersecurity resilience is a top priority for DHS, Secretary Mayorkas issued a call for action dedicated to cybersecurity in his first month in office. This call for action focused on tackling the immediate threat of ransomware and on building a more robust and diverse workforce.

  • In March 2021, Secretary Mayorkas outlined his broader vision and a roadmap for the Department’s cybersecurity efforts in a virtual address hosted by RSA Conference, in partnership with Hampton University and the Girl Scouts of the USA.

  • After his presentation, the Secretary was joined by Judith Batty, Interim CEO of the Girls Scouts, for a fireside chat to discuss the unprecedented cybersecurity challenges currently facing the United States. Dr. Chutima Boonthum-Denecke from Hampton University’s Computer Science Department introduced the Secretary and facilitated a Q&A to close the program.

  • Reference

Federal Bureau of Investigation (FBI)

Scams and safety on internet

Agency Advice:

  • Keep Your Firewall Turned On

    A firewall helps protect your computer from hackers who might try to gain access to crash it, delete information, or even steal passwords or other sensitive information. Software firewalls are widely recommended for single computers. The software is prepackaged on some operating systems or can be purchased for individual computers. For multiple networked computers, hardware routers typically provide firewall protection.

  • Install or Update Your Antivirus Software

    Antivirus software is designed to prevent malicious software programs from embedding on your computer. If it detects malicious code, like a virus or a worm, it works to disarm or remove it. Viruses can infect computers without users’ knowledge. Most types of antivirus software can be set up to update automatically.

  • Install or Update Your Antispyware Technology

    Spyware is just what it sounds like—software that is surreptitiously installed on your computer to let others peer into your activities on the computer. Some spyware collects information about you without your consent or produces unwanted pop-up ads on your web browser. Some operating systems offer free spyware protection, and inexpensive software is readily available for download on the Internet or at your local computer store. Be wary of ads on the Internet offering downloadable antispyware—in some cases these products may be fake and may actually contain spyware or other malicious code. It’s like buying groceries—shop where you trust.

  • Keep Your Operating System Up to Date

    Computer operating systems are periodically updated to stay in tune with technology requirements and to fix security holes. Be sure to install the updates to ensure your computer has the latest protection.

  • Be Careful What You Download

    Carelessly downloading email attachments can circumvent even the most vigilant anti-virus software. Never open an e-mail attachment from someone you don’t know, and be wary of forwarded attachments from people you do know. They may have unwittingly advanced malicious code.

  • Turn Off Your Computer

    With the growth of high-speed Internet connections, many opt to leave their computers on and ready for action. The downside is that being “always on” renders computers more susceptible. Beyond firewall protection, which is designed to fend off unwanted attacks, turning the computer off effectively severs an attacker’s connection—be it spyware or a botnet that employs your computer’s resources to reach out to other unwitting users.

  • Reference

Scams and Safety Business Emails

Agency Advice:

  • Be careful with what information you share online or on social media. By openly sharing things like pet names, schools you attended, links to family members, and your birthday, you can give a scammer all the information they need to guess your password or answer your security questions.

  • Don’t click on anything in an unsolicited email or text message asking you to update or verify account information. Look up the company’s phone number on your own (don’t use the one a potential scammer is providing), and call the company to ask if the request is legitimate.

  • Carefully examine the email address, URL, and spelling used in any correspondence. Scammers use slight differences to trick your eye and gain your trust.

  • Be careful what you download. Never open an email attachment from someone you don't know, and be wary of email attachments forwarded to you.

  • Set up two-factor (or multi-factor) authentication on any account that allows it, and never disable it.

  • Verify payment and purchase requests in person if possible or by calling the person to make sure it is legitimate. You should verify any change in account number or payment procedures with the person making the request.

  • Be especially wary if the requestor is pressing you to act quickly.

  • Reference

Department of Commerce

NIST falls under the Department of Commerce


Agency Advice:

Federal Communications Commission (FCC)

Cybersecurity and network reliability

Agency Advice:

  • The FCC’s responsibility is to ensure the reliability and resiliency of the Nation’s communications network and to promote public safety through communications. The FCC, because of its relationship with the nation’s communications network service providers, is particularly well positioned to work with industry to secure the networks upon which the Internet depends.

  • Over the years, the FCC has worked through its Federal Advisory Committee, the Communications Security, Reliability, and Interoperability Council – CSRIC – to develop voluntary industry wide best practices that promote reliable networks, including for 911 calling. CSRIC and its working groups are made up of industry leaders, academics, and innovators in communications, Federal partners, public safety entities, state and local government officials, and Internet registries.

  • CSRIC will release a series of recommendations in March 2012 to address the most pressing threats to our cyber security, and suggest frameworks for possible solutions. We believe the most pressing cyber security threats are botnets, domain name fraud, and Internet route hijacking.

  • Reference

Cybersecurity tip sheet for small businesses

  • Train employees in security principles. Establish basic security practices and policies for employees, such as requiring strong passwords and establishing appropriate Internet use guidelines that detail penalties for violating company cybersecurity policies. Establish rules of behavior describing how to handle and protect customer information and other vital data.

  • Require employees to use unique passwords and change passwords every three months. Consider implementing multi-factor authentication that requires additional information beyond a password to gain entry. Check with your vendors that handle sensitive data, especially financial institutions, to see if they offer multi-factor authentication for your account.

  • Reference


There are many steps you can take to stay safe online, but the simplest action with the most significant and immediate impact on your security is to use a password manager. Choose a cross-platform password manager with zero knowledge end-to-end encryption that can generate and store unlimited unique and strong passwords. You can get started with Bitwarden on a free account or opt for Premium for less than $10/year to get advanced features like 2FA and Emergency Access.

© 2023 Bitwarden, Inc.