NIST password policy: Tips to keep your password secure

People rely on more online accounts than ever, increasing the number of passwords they need to manage while cyber threats and data breaches continue to rise. According to the Bitwarden Password Decisions Survey, 60% of independent IT decision-makers across a range of industries reported their organization experienced a cyberattack within the past year.

So, how do you know if your password is secure? Following the NIST password recommendations is a good start.

The National Institute of Standards and Technology (NIST), founded in 1901, is now part of the U.S. Department of Commerce. NIST develops industry-wide frameworks and guidelines, including a range of cybersecurity recommendations and resources. It advises against the use of knowledge-based authentication methods, such as personal questions, due to their susceptibility to being easily guessed. Instead, NIST recommends three simple principles for securing passwords, PINs, and passphrases: they should be long, complex, and random.

Why NIST password guidelines matter

NIST password guidelines play a crucial role in ensuring the security and integrity of sensitive information. By adhering to these guidelines, organizations can protect themselves against a myriad of cyber threats, including password spraying and credential stuffing attacks, phishing, and identity theft. The NIST password guidelines provide a comprehensive framework for creating strong and unique passwords, managing credential security, and implementing best practices for password management. Organizations that follow these guidelines can significantly reduce the risk of data breaches, protect sensitive information, and maintain the trust of their customers and stakeholders. These guidelines are not just about creating secure passwords, but also about fostering a culture of robust password management and security.

NIST password guidelines describe composition rules, such as requiring a digit or symbol, but ultimately decide to focus on password length, combined with complexity and randomness.

Long length

Here’s the simple equation. Longer passwords are safer. But they are harder to use and harder to remember.

If the password is too short, it can be susceptible to a brute force attack, where a malicious computer program goes through every combination of characters of 8 digits or more. The program may also go through the most common passwords, guessing in a handful of tries.

According to the NIST password guidelines, “users should be encouraged to make their passwords as lengthy as they want, within reason.” NIST recommends that user generated passwords should be at least 15 characters long to ensure better security. The below example is a random string that is extremely secure.

9LV9m7GG^33m*q!

In the same way that it is hard for you to remember these characters, it is much harder for a computer to guess them, and would likely take centuries. 

A passphrase is a sequence of random words used as a password. Many users prefer passphrases because they offer strong security while remaining easier to remember and manually enter when needed. 

According to NIST guidelines, passphrases should be at least 15 characters long and avoid predictable patterns, common phrases, or dictionary words that attackers could easily guess. Using a mix of uppercase and lowercase letters, numbers, and symbols can further strengthen passphrase security. Below is an example of a randomly generated, secure passphrase:

fabric-fool-regime-hamstring-zealous

Strong and complex

Websites often require password complexity, with different letter cases, numbers, and symbols. Humans are far less creative than we assume–too often Password1!, which is technically “complex”, is used.

So while password complexity is often imposed by websites, it is incomplete until we remove the human element in creating a complex password. Security-conscious sites might offer a recommended random password. And while likely safe, many users would rightfully prefer to create their own. Including Unicode characters in passwords can further enhance their complexity and security.

Complex passwords are hard to remember. The NIST password guidelines acknowledge this challenge, stating “length and complexity requirements beyond those recommended here significantly increase the difficulty of memorized secrets and increase user frustration. As a result, users often work around these restrictions in a way that is counterproductive.”

Random

As expected, users choose the same password far too often. They also frequently re-use that password. This means that a data breach at one website could compromise their security across any website or account where they have re-used the same password. This could be the difference between a safe online experience and the misery of identity theft.

Avoiding weak passwords is crucial, as they can be easily exploited by hackers. According to the NIST password guidelines, “secrets that are randomly chosen…will be more difficult to guess or brute-force attack than user-chosen secrets meeting the same length and complexity requirements.” Passwords, still ubiquitous across websites and applications, ensure a robust first line of defense for internet users. This is especially true when users create strong, unique, and random passwords for each website.

All of these best practices make it impossible to maintain strong password security as an individual, but very easy to achieve when using software solutions like a password manager.

One of the key recommendations from the NIST password guidelines is to avoid requiring users to periodically change their passwords. This might seem counterintuitive at first, but frequent password changes can actually lead to weaker passwords. When users are forced to change their passwords regularly, they may resort to easily guessable passwords or reuse old ones, ultimately undermining security.

Instead, NIST recommends that passwords should only be changed when there is evidence that a password or credential has been compromised. This approach strikes a balance between security and usability, making it easier for users to manage their passwords while maintaining the security of organizational systems and data. By following this recommendation, organizations can better ensure that their users create and maintain strong, secure passwords without the frustration of frequent changes.

Compromised passwords pose a significant threat to organizational security. According to the NIST password guidelines, it’s essential for organizations to have a robust process in place for detecting and responding to compromised credentials. This includes monitoring for suspicious activities, such as multiple failed login attempts, and implementing a system for reporting and addressing password-related incidents.

NIST also recommends the use of password managers to securely store and manage passwords. Password managers can generate and store strong, unique passwords for each account, reducing weak or reused password risks and making it easier to maintain secure passwords. Additionally, implementing multifactor authentication (MFA) adds an extra layer of protection to the login process, making it more difficult for attackers to gain unauthorized access.

By following these guidelines, organizations can significantly reduce the risk of compromised passwords and protect their digital assets. Ensuring comprehensive password management and security practices is essential for safeguarding sensitive information and minimizing the financial and reputational consequences of a data breach.

If you align with the NIST password guidelines so far, and follow the math of what is hard to guess, every password you use for every website should be unique, as well as

• 15 characters long or more

• Strong and complex

• Random

There is no way for an individual to effectively meet these standards without the help of a password manager, such as Bitwarden. Password managers simplify password management by allowing users to create and store strong and unique passwords.

A password manager lets you create one primary password (recommended to be long, strong, and unique) and then use that to encrypt and store your other passwords. You can start with just a few and add more passwords to your password manager over time. Password managers also come with password generators to automate strong and unique password creation with the click of a button.

How does the password manager keep your passwords safe? Most start by ensuring that they do not store your passwords, but only encrypted versions that can only be decrypted by the user themselves. The password manager provider, by storing your information with end-to-end zero knowledge encryption, does not know your secure information and cannot derive it in any way, even if the company tried.

For more on security in password managers, see our help section on security.

With a password manager in place, users can create strong and unique passwords for every website. They can also synchronize passwords across multiple devices and if desired, share information securely with family, friends, or colleagues. Leveraging a password manager enables users and organizations to remain secure and align with the NIST password guidelines.

Getting started with a password manager is easy. If you do not have one in place, you can download Bitwarden for free, or begin a trial for your business.

Using a password manager can also streamline password resets, making it easier to update and manage passwords securely. If you are using another password manager, you can import that data into Bitwarden.