3 tips from NIST to keep your passwords secure
Our daily lives take place increasingly online. That brings a need to create and maintain dozens, if not hundreds of online accounts, each with logins and passwords.
At the same time, we routinely hear about data breaches, and unfortunately they show few signs of slowing down.
So, how do you know if your password is secure?
The National Institute of Standards and Technology (NIST), founded in 1901, is now part of the U.S. Department of Commerce. NIST provides a range of recommendations and frameworks across industries, but they particularly have excellent resources for cybersecurity.
In NIST Special Publication 800-63B - Digital Identity Guidelines - Authentication and Lifecycle Management, we see a set of informative recommendations on NIST password management and password security.
'Appendix A - Strength of Memorized Secrets' provides three simple recommendations, applying them also to PINs and passphrases.
NIST password guidelines describe composition rules, such as requiring a digit or symbol, but ultimately decide to focus on length, combined with complexity and randomness.
Here’s the simple equation. Longer passwords are safer. But they are harder to use and harder to remember. We’ll address this later.
If the password is too short, it can be susceptible to a brute force attack, where a computer, or malicious computer program, goes through every combination of characters of 8 digits, or more. The program may also go through the most common passwords, guessing in a handful of tries.
According to NIST, “users should be encouraged to make their passwords as lengthy as they want, within reason.”
At just 14 characters, random strings are extremely secure.
In the same way that it is hard for you to remember these characters, it is much harder for a computer to guess them, and would likely take centuries.
A passphrase uses random words together as a password. Some people prefer passphrases because with just a few words they provide both strong security and the potential to be remembered or entered manually if needed.
Websites often require password complexity, with different letter cases, numbers, and symbols. Humans are far less creative, or more connected, than we assume, and too often Password1!, which is technically “complex”, is used.
So while password complexity is often imposed by websites, it is incomplete until we remove the human element in creating a complex password. Security-conscious sites might offer a recommended random password. And while likely safe, many users would rightfully prefer to create their own password.
Of course, complex passwords are hard to remember, and we will address this shortly.
As expected, users choose the same password far too often. They also frequently re-use that password. This means that a data breach at one website could compromise their security across any website where they have re-used the same password. This could be the difference between happy internet surfing and the misery of identity theft.
According to NIST password recommendations, “secrets that are randomly chosen...will be more difficult to guess or brute-force attack than user-chosen secrets meeting the same length and complexity requirements.”
Passwords, still ubiquitous across websites and applications, deliver a powerful first line of defense for internet users. This is especially true when users create long, complex, and random passwords for each website.
All of these best practices make it impossible to manage as a human being, but very easy to manage for a computer and computer program.
If you align with NIST password best practices so far, and follow the math of what is hard to guess, every password you use for every website should be unique, as well as
14 characters long or more
Clearly there is no way to do this, except for with the help of a password manager, such as Bitwarden.
A password manager lets you create one primary password (recommended to be long, complex, and random) and then use that to encrypt and store your other passwords. You can start with just a few, and add more passwords to your password manager over time.
Password managers also come with password generators so you can create long, complex, and random passwords with the click of a button.
How does the password manager keep your passwords safe? Most start by ensuring that they do not store your passwords, but only encrypted versions that can only be decrypted by the user themselves. The password manager provider, by storing your information with end-to-end encryption, does not know your secure information and cannot derive it in any way, even if the company tried.
For more on security in password managers, see our help section on security.
With a password manager in place, users can create unique passwords for every website that are long, complex, and random. They can also synchronize passwords across multiple devices and if desired, share information securely with family, friends or colleagues.
If you are using another password manager, you can import that data into Bitwarden.
Bitwarden Password Generatorhttps://bitwarden.com/password-generator/
Password Strength Testing Toolhttps://bitwarden.com/password-strength/
NIST Special Publication 800-63B - Digital Identity Guidelines - Authentication and Lifecycle Managementhttps://pages.nist.gov/800-63-3/sp800-63b.html
NIST Special Publication 800-63B - Appendix A - Strength of Memorized Secrets
Editor's Note: This article was originally written on May 18, 2021 and was updated on August 11th, 2022.