How NIST security standards can help keep your passwords secure in 3 steps
- What is the NIST Cybersecurity Framework (CSF)?
- Guidance for password security based on NIST security standards
- 3 recommendations from the NIST cybersecurity framework for a secure password
- #1 – Long Length
- #2 – Complex
- #3 – Random
- Password managers strengthen security
- Benefits of Implementing the NIST CSF
- Get started with a password manager today
With daily life increasingly occurring online, most users need to create and maintain dozens, if not hundreds, of online accounts, each with logins and passwords. At the same time, data breaches have become routine, and unfortunately, they show few signs of slowing down. In the Bitwarden 2024 Cybersecurity Pulse Survey, 55% of respondents expressed high concern about third-party supply chain attacks originating from vendors, partners, or customers. The National Institute of Standards and Technology (NIST), which operates under the U.S. Commerce Department, is crucial in establishing cybersecurity standards to help mitigate these risks.
So, how do you know if your password is secure? The NIST Cybersecurity Framework offers three simple steps you can take to create more secure passwords.
The National Institute of Standards and Technology (NIST) promotes cybersecurity and protects the nation’s critical infrastructure. As part of the U.S. Department of Commerce, NIST’s mission extends to developing standards, guidelines, and best practices that help organizations manage and reduce cybersecurity risk. One of the most significant contributions from NIST is the NIST Cybersecurity Framework, a comprehensive and widely adopted framework designed to provide a structured approach to managing cybersecurity risk.
The NIST CSF is built around five core functions: Identify, Protect, Detect, Respond, and Recover. These core functions offer a holistic approach to managing cybersecurity risk, ensuring organizations can protect themselves against cyber threats, respond effectively to incidents, and recover swiftly. The NIST CSF provides a robust foundation for everyone from small businesses to federal agency cybersecurity programs, improving alignment with organizational objectives and enhancing overall security posture.
NIST provides a range of recommendations and frameworks across industries, particularly emphasizing the importance of adhering to established standards to help organizations assess their current security profiles and define target profiles for achieving compliance and enhancing their cybersecurity measures.
NIST Special Publication 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management, is the document that sets out the NIST password guidelines. It also covers identity management more broadly, including how user identities are managed and how access to protected systems is controlled.
‘Appendix A – Strength of Memorized Secrets’ provides three simple recommendations that apply to PINs and passphrases.
NIST discusses composition rules, such as requiring a digit or a symbol, but ultimately recommends focusing on length, combined with complexity and randomness. Access control, deciding who may reach which systems, is a crucial component of identity management within cybersecurity.
Put simply, longer passwords are safer – but harder to type and remember.
If a password is too short, it is susceptible to a brute force attack, in which a computer or malicious program systematically tries every possible combination of characters for passwords of eight characters or more. The program may also work through a list of the most common passwords first, guessing a weak or reused password in a handful of tries.
According to the NIST cybersecurity framework for passwords, which includes specific security controls, “users should be encouraged to make their passwords as lengthy as they want, within reason.”
At just 16 characters, random strings are extremely secure.
9LV9m7GG^33m*qAp
In the same way that it is hard to remember these characters, it is much harder for a computer to guess them, and it would likely take centuries.
A passphrase uses random words together as a password. Some people prefer passphrases because, with just a few words, they provide both strong security and the potential to be remembered or entered manually if needed.
fabric-fool-regime-hamstring-zealous
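To make the length argument concrete, here is an added example (not code from the original post or from Bitwarden) that generates both kinds of secret shown above with a cryptographically secure random source and computes how many bits of entropy each one carries, which is what determines how long exhaustive guessing takes. The word list is a constructed stand-in for a real Diceware-style list of 7776 words, and the guess rate used in the printout is an assumed figure for illustration.

```python
import math
import secrets
import string

# Character set for random strings: letters, digits and punctuation (94 symbols),
# the kind of alphabet behind a string such as 9LV9m7GG^33m*qAp.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in for a real word list; Diceware-style lists hold 7776 words,
# so passphrases drawn from this short list are only for demonstration.
WORDLIST = ["fabric", "fool", "regime", "hamstring", "zealous", "copper", "lantern",
            "orbit", "meadow", "quartz", "velvet", "harbor", "nimble", "saddle",
            "tundra", "willow"]


def random_string(length=16, alphabet=ALPHABET):
    """Generate a random password with the secrets module (a CSPRNG), never random.random."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words=5, wordlist=WORDLIST, sep="-"):
    """Pick words uniformly and independently; repeats are allowed so the entropy is exact."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random secret: each symbol adds log2(alphabet_size) bits."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every candidate at the given rate (on average, half of this)."""
    return (2 ** bits) / guesses_per_second / (60 * 60 * 24 * 365)


if __name__ == "__main__":
    rate = 1e11  # assumed offline guessing rate against a fast hash; constructed figure
    for label, bits in [("8 random characters", entropy_bits(8, len(ALPHABET))),
                        ("16 random characters", entropy_bits(16, len(ALPHABET))),
                        ("5 words from a 7776-word list", entropy_bits(5, 7776))]:
        print(f"{label:32s} {bits:6.1f} bits  ~{years_to_exhaust(bits, rate):.3g} years")
    print("random string:", random_string())
    print("passphrase:   ", random_passphrase())
```

Doubling the length from 8 to 16 characters does not double the work for an attacker; it squares the number of candidates, which is why the 16-character string moves from hours to an astronomical number of years at the same guess rate. A five-word passphrase from a full-size list lands between the two while remaining something a person can type.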
Websites often require passwords that mix letter cases, numbers, and symbols. Humans are more predictable than we assume, and all too often the result is something like “Password1!”, which technically satisfies those rules but is not actually secure.
Of course, complex passwords are harder to remember. The NIST cybersecurity framework for passwords acknowledges this challenge, stating: “Length and complexity requirements beyond those recommended here significantly increase the difficulty of memorized secrets and increase user frustration. As a result, users often work around these restrictions in a way that is counterproductive.”
Many users reuse the same password far too often. This means a data breach at one website can compromise their security on every other website where they have reused that same password.
According to the NIST cybersecurity framework for passwords, “secrets that are randomly chosen…will be more difficult to guess or brute-force attack than user-chosen secrets meeting the same length and complexity requirements.”
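The three recommendations above translate directly into how a login system should decide whether to accept a new password. The following is an added example, not code from the original post or from Bitwarden, that contrasts the legacy composition-rule check with an SP 800-63B style check: a minimum length of eight characters, a blocklist of common or breached passwords, a check for the user's own name and for repetitive or sequential strings, and no composition rules at all. The blocklist here is a constructed stand-in; a real deployment compares against a large corpus of leaked passwords.

```python
import unicodedata

# Constructed stand-in for a breached/common-password blocklist. Real verifiers
# compare against a large corpus of leaked passwords, after the same normalization.
BLOCKLIST = {"password", "password1", "password1!", "123456", "12345678",
             "qwerty", "letmein", "welcome1"}

MIN_LENGTH = 8  # SP 800-63B minimum length for user-chosen memorized secrets
# SP 800-63B also requires verifiers to accept at least 64 characters, so there is
# deliberately no short upper bound below.


def composition_rule_check(pw):
    """The legacy rule the article criticizes: one upper, one lower, one digit, one symbol."""
    return (any(c.isupper() for c in pw) and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw) and any(not c.isalnum() for c in pw))


def _is_repetitive(pw):
    """Every character the same, e.g. 'aaaaaaaa'."""
    return len(set(pw)) == 1


def _is_sequential(pw):
    """Each character one code point after the previous, e.g. '12345678' or 'abcdefgh'."""
    return all(ord(b) - ord(a) == 1 for a, b in zip(pw, pw[1:]))


def nist_style_check(pw, username="", blocklist=BLOCKLIST):
    """Return (accepted, reason). Length, blocklist and context checks only; no composition rules."""
    pw = unicodedata.normalize("NFKC", pw)  # stable comparison across Unicode forms
    lowered = pw.lower()
    if len(pw) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if lowered in blocklist:
        return False, "appears on the common/breached password list"
    if username and username.lower() in lowered:
        return False, "contains the account name"
    if _is_repetitive(pw) or _is_sequential(pw):
        return False, "repetitive or sequential characters"
    return True, "accepted"


if __name__ == "__main__":
    for candidate in ["Password1!", "fabric-fool-regime-hamstring-zealous",
                      "9LV9m7GG^33m*qAp", "aaaaaaaa", "12345678"]:
        print(f"{candidate:40s} composition rules: {composition_rule_check(candidate)!s:5s} "
              f"NIST-style: {nist_style_check(candidate)}")
```

Run on the examples from this post, “Password1!” passes the composition rules and fails the NIST-style check, while the five-word passphrase fails the composition rules (no uppercase letter, no digit) yet is accepted, because length and unpredictability are what the guidelines actually ask for.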
Strong and unique passwords – long, complex, and random – deliver a powerful first line of defense. Maintaining these practices by hand across dozens of accounts is effectively impossible for humans, but it is very easy for computer programs.
A password manager lets you create one primary password (recommended to be long, complex, and random) and then use that to encrypt and store your other passwords. You can start with just a few and add more logins to your password manager over time.
Password managers also come with password generators that can create long, complex, and random passwords with the click of a button.
How does a password manager keep your passwords safe? Most store only encrypted copies of your passwords, which can be decrypted only by you. Because sensitive information is protected with end-to-end encryption, the password manager provider cannot see what is in your vault.
With a password manager in place, users can create long, complex, random, and unique passwords for every website. They can also synchronize passwords across multiple devices and, if desired, share information securely with family, friends, or colleagues. Leveraging a password manager enables users and organizations to remain secure and align with the NIST password guidelines. Risk assessments are essential for updating cybersecurity practices over time, ensuring they adapt to changes in the business environment, technology, and emerging threats.
For more on security in password managers, see our help section on security.
Implementing the NIST Cybersecurity Framework offers numerous benefits to organizations by providing a comprehensive approach to managing cybersecurity risk, helping organizations strengthen their defenses and reduce the likelihood of cyber attacks. Widely adopted by federal agencies and considered a best practice, the NIST CSF also helps organizations demonstrate compliance with regulatory requirements and industry standards. The framework’s structured approach ensures organizations can respond to and recover from cyber incidents more effectively, minimizing damage and downtime.
Overall, implementing the NIST CSF bolsters an organization’s cybersecurity posture, streamlines risk management practices, ensures compliance, and improves incident response and communication. Adopting this framework is a strategic move towards a more secure and resilient cybersecurity program.
Getting started with a password manager is easy and aligns with NIST security standards, which provide structured guidelines for enhancing security and regulatory compliance. You can download Bitwarden for free or begin a trial for your business.
If you are using another password manager, you can easily import that data into Bitwarden.