The State of Password Security 2023 Report

How federal agencies are addressing password security


Assessing the State of Password Security within U.S. Federal Agencies

Recent years have brought an intense focus on cybersecurity across the United States Federal Government with many agencies leading the way in educating government organizations and businesses large and small, as well as consumers.

However, when it comes to password security, not every agency is singing the same tune. One of the foremost groups, the National Institute of Standards and Technology (NIST), “develops cybersecurity standards, guidelines, best practices, and other resources to meet the needs of U.S. industry, federal agencies and the broader public.”

The NIST cybersecurity page goes on to say that “some NIST cybersecurity assignments are defined by federal statutes, executive orders and policies. For example, the Office of Management and Budget (OMB) mandates that all federal agencies implement NIST’s cybersecurity standards and guidance for non-national security systems.”

Unfortunately, NIST’s recommendations have not yet been universally accepted and implemented by federal agencies. And while NIST sets the standards that agencies purport to follow, even it has its own weakness in the form of a disorganized website. 

Technology moves fast. For businesses and individuals alike, so much of our lives is now online, spread across a myriad of accounts that range from fun entertainment sites to serious financial business like our bank accounts.

The goal of this assessment is to engage and educate everyone who uses passwords on the best practices coming from the federal government and where there is room for improvement. There are many within the federal government who have a solid educational approach to password security, and there are others that might need a bit of assistance to modernize. 

Fortunately, consensus is building on best practices for password security. This report consolidates and assesses the details.

The State of Password Security: How federal agencies are addressing password security

Guideline to Password Security Ratings System

The rating system ranks agencies based on adherence to the following criteria:

Password Security Ranking: Excellent
  • Recommends use of a password manager

  • Calls out importance of strong passwords

  • Cites need for 2FA/MFA to further support password security

  • Overall security advice is up-to-date and adheres to NIST guidelines

  • Lays out password security recommendations in a clear, digestible, and easy-to-find manner

Password Security Ranking: Very Good
  • Recommends use of a password manager

  • Calls out importance of strong passwords 

  • Cites need for 2FA/MFA to further support password security

  • Overall security advice is up-to-date and adheres to NIST guidelines

  • Does not lay out password security recommendations in a clear, digestible, and easy-to-find manner

Password Security Ranking: Good
  • Does not recommend use of a password manager

  • Calls out importance of strong passwords 

  • Cites need for 2FA/MFA to further support password security

  • Overall security advice is not up-to-date and does not adhere to NIST guidelines

  • Does not lay out password security recommendations in a clear, digestible, and easy-to-find manner

Password Security Ranking: Fair
  • Does not recommend use of a password manager

  • Calls out importance of strong passwords

  • Does not consistently cite the need for 2FA/MFA to further support password security

  • Overall security advice is not up-to-date and does not adhere to NIST guidelines

  • Does not lay out password security recommendations in a clear, digestible, and easy-to-find manner

Password Security Ranking: Room for Improvement
  • Does not recommend use of a password manager

  • Does not call out importance of strong passwords

  • Does not cite the need for 2FA/MFA to further support password security

  • Overall security advice is not up-to-date and does not adhere to NIST guidelines

  • Does not lay out password security recommendations in a clear, digestible, and easy-to-find manner

National Institute of Standards and Technology (NIST)

NIST Risk Management Framework | IA-5(18)

Agency Advice:

  • Authenticator Management | Password Managers

    • Employ [Assignment: organization-defined password managers] to generate and manage passwords; and

    • Protect the passwords using [Assignment: organization-defined controls].

      • For systems where static passwords are employed, it is often a challenge to ensure that the passwords are suitably complex and that the same passwords are not employed on multiple systems. A password manager is a solution to this problem as it automatically generates and stores strong and different passwords for various accounts. A potential risk of using password managers is that adversaries can target the collection of passwords generated by the password manager. Therefore, the collection of passwords requires protection including encrypting the passwords and storing the collection offline in a token.

  • Reference

Digital Identity Guidelines

Agency Advice:

  • Verifiers SHALL require subscriber-chosen memorized secrets to be at least 8 characters in length. Verifiers SHOULD permit subscriber-chosen memorized secrets at least 64 characters in length.

  • Memorized secret verifiers SHALL NOT permit the subscriber to store a “hint” that is accessible to an unauthenticated claimant. Verifiers SHALL NOT prompt subscribers to use specific types of information (e.g., “What was the name of your first pet?”) when choosing memorized secrets.

  • When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. For example, the list MAY include, but is not limited to:

    • Passwords obtained from previous breach corpuses.

    • Dictionary words.

    • Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’).

    • Context-specific words, such as the name of the service, the username, and derivatives thereof.

    • If the chosen secret is found in the list, the CSP or verifier SHALL advise the subscriber that they need to select a different secret, SHALL provide the reason for rejection, and SHALL require the subscriber to choose a different value.

  • Verifiers SHOULD offer guidance to the subscriber, such as a password-strength meter [Meters], to assist the user in choosing a strong memorized secret. This is particularly important following the rejection of a memorized secret on the above list as it discourages trivial modification of listed (and likely very weak) memorized secrets [Blacklists].

  • Verifiers SHALL implement a rate-limiting mechanism that effectively limits the number of failed authentication attempts that can be made on the subscriber’s account as described in Section 5.2.2.

  • Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

  • Verifiers SHOULD permit claimants to use “paste” functionality when entering a memorized secret. This facilitates the use of password managers, which are widely used and in many cases increase the likelihood that users will choose stronger memorized secrets.

  • Verifiers SHALL store memorized secrets in a form that is resistant to offline attacks. Memorized secrets SHALL be salted and hashed using a suitable one-way key derivation function. Key derivation functions take a password, a salt, and a cost factor as inputs then generate a password hash. Their purpose is to make each password guessing trial by an attacker who has obtained a password hash file expensive and therefore the cost of a guessing attack high or prohibitive. Examples of suitable key derivation functions include Password-based Key Derivation Function 2 (PBKDF2) [SP 800-132] and Balloon [BALLOON]. A memory-hard function SHOULD be used because it increases the cost of an attack. The key derivation function SHALL use an approved one-way function such as Keyed Hash Message Authentication Code (HMAC) [FIPS 198-1], any approved hash function in SP 800-107, Secure Hash Algorithm 3 (SHA-3) [FIPS 202], CMAC [SP 800-38B] or Keccak Message Authentication Code (KMAC), Customizable SHAKE (cSHAKE), or ParallelHash [SP 800-185]. The chosen output length of the key derivation function SHOULD be the same as the length of the underlying one-way function output.

  • The salt SHALL be at least 32 bits in length and be chosen arbitrarily so as to minimize salt value collisions among stored hashes. Both the salt value and the resulting hash SHALL be stored for each subscriber using a memorized secret authenticator.

  • The classic paradigm for authentication systems identifies three factors as the cornerstones of authentication:

    • Something you know (e.g., a password).

    • Something you have (e.g., an ID badge or a cryptographic key).

    • Something you are (e.g., a fingerprint or other biometric data).

      • MFA refers to the use of more than one of the above factors. The strength of authentication systems is largely determined by the number of factors incorporated by the system — the more factors employed, the more robust the authentication system. For the purposes of these guidelines, using two factors is adequate to meet the highest security requirements.

  • Reference
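An added example (not code from NIST or from this report) of how a verifier could apply the memorized-secret rules quoted above: length limits, a blocklist check that returns the reason for rejection, no composition or expiry rules, and salted PBKDF2 storage. The blocklist entries, the 128-character upper bound, the iteration count and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

MIN_LENGTH = 8        # SHALL: at least 8 characters
MAX_LENGTH = 128      # assumption: upper bound; the guideline says to permit at least 64
SALT_BYTES = 16       # 128-bit random salt, well above the 32-bit minimum
ITERATIONS = 600_000  # assumption: PBKDF2 cost factor chosen for this example
HASH_NAME = "sha256"  # HMAC-SHA-256 as the underlying one-way function

# Constructed stand-in for a breach corpus and dictionary list.
SAMPLE_BLOCKLIST = frozenset(
    {"password", "password1", "letmein123", "qwertyuiop", "sunshine1"}
)


def only_runs(secret):
    """True if the secret consists solely of runs such as 'aaaa', '1234' or 'dcba'."""
    i, n = 0, len(secret)
    while i < n:
        j = i + 1
        if j < n:
            step = ord(secret[j]) - ord(secret[i])
            if step in (-1, 0, 1):
                # Extend the run while the same step continues.
                while j + 1 < n and ord(secret[j + 1]) - ord(secret[j]) == step:
                    j += 1
                j += 1
        if j - i < 3:  # a chunk shorter than 3 characters is not a run
            return False
        i = j
    return n > 0


def check_secret(secret, username, service, blocklist=SAMPLE_BLOCKLIST):
    """Return None if acceptable, otherwise the reason to show the subscriber."""
    if len(secret) < MIN_LENGTH:
        return f"too short: use at least {MIN_LENGTH} characters"
    if len(secret) > MAX_LENGTH:
        return f"too long: use at most {MAX_LENGTH} characters"
    lowered = secret.lower()
    if lowered in blocklist:
        return "found in a list of commonly used or breached passwords"
    if only_runs(lowered):
        return "made up only of repeated or sequential characters"
    for word in (username, service):
        # Simple containment test for context-specific words (assumption).
        if len(word) >= 3 and word.lower() in lowered:
            return "contains the username or the service name"
    # Deliberately no character-class rules and no periodic expiry.
    return None


def enroll(secret, username, service):
    """Validate the secret, then store a per-subscriber salt and PBKDF2 hash."""
    reason = check_secret(secret, username, service)
    if reason is not None:
        raise ValueError(reason)
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, secret.encode("utf-8"), salt, ITERATIONS)
    # Output length defaults to the SHA-256 digest size (32 bytes).
    return {"salt": salt, "iterations": ITERATIONS, "hash": digest}


def verify(secret, record):
    """Recompute the hash with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        HASH_NAME, secret.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    # Constructed candidates for a hypothetical user "alice" at "examplebank".
    for pw in ("short", "Password1", "1234abcd", "alice-loves-cycling",
               "correct horse battery staple"):
        print(repr(pw), "->", check_secret(pw, "alice", "examplebank") or "accepted")
```

Rate limiting of failed attempts, which the guideline also requires, sits in front of `verify` and is not shown here.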

The White House

A Proclamation on Cybersecurity Awareness Month, 2022

  • Cybersecurity is not limited to Government or critical infrastructure.  Hackers target Americans every day, and cybersecurity is about protecting the American people and the services we rely on.  This month, I encourage all Americans to increase their cybersecurity at home, at work, and in schools by taking steps such as enabling multi-factor authentication, using a trusted password manager and strong passwords, recognizing and reporting phishing, and updating their software regularly.  As the threat of malicious cyber activities grows, we must all do our part to keep our Nation safe and secure.

  • Reference

Federal Zero Trust Strategy

Agency Advice:

  • MFA will generally protect against some common methods of gaining unauthorized account access, such as guessing weak passwords or reusing passwords obtained from a data breach. 

  • Agencies are encouraged to pursue greater use of passwordless multi-factor authentication as they modernize their authentication systems. However, when passwords are in use, they are a “factor” in multi-factor authentication. If outdated password requirements lead agency staff to reuse passwords from their personal life, store passwords insecurely, or otherwise use weak passwords, adversaries will find it much easier to obtain unauthorized account access—even within a system that uses MFA.

  • Consistent with the practices outlined in SP 800-63B, agencies must remove password policies that require special characters and regular password rotation from all systems within one year of the issuance of this memorandum. These requirements have long been known to lead to weaker passwords in real-world use and should not be employed by the Federal Government. These policies should be removed by agencies as soon as is practical and should not be contingent on adopting other protections. 

  • Reference

Protecting against malicious cyber activity

Agency Advice:

  • Change Passwords and Mandate Multi-Factor Authentication (MFA). Ask your IT staff how long it has been since employees changed their passwords. Many criminals use stolen credentials, so forcing a reset (with adequate length and complexity) before the holidays can deny malicious actors access to your systems. At the same time, confirm that your organization has implemented MFA and that it is required without exception. If you have MFA available, but are not requiring it, change that – require all staff to use the security technology that you have already acquired. MFA significantly reduces your risk from almost all opportunistic attempts to gain entry into key systems.

  • Reference

Memo to nation’s leaders

Agency Advice:

  • Implement the five best practices from the President’s Executive Order: President Biden’s Improving the Nation’s Cybersecurity Executive Order is being implemented with speed and urgency across the Federal Government. We’re leading by example because these five best practices are high impact: multifactor authentication (because passwords alone are routinely compromised), endpoint detection & response (to hunt for malicious activity on a network and block it), encryption (so if data is stolen, it is unusable) and a skilled, empowered security team (to patch rapidly, and share and incorporate threat information in your defenses). These practices will significantly reduce the risk of a successful cyberattack.

  • Reference

Cybersecurity and Infrastructure Security Agency (CISA)

Cyber Lessons

Cyber lessons on passwords, CISA

Reminder for critical infrastructure

Agency Advice:

  • Identify IT security employees for weekends and holidays who would be available to surge during these times in the event of an incident or ransomware attack. 

  • Implement multi-factor authentication for remote access and administrative accounts.

  • Mandate strong passwords and ensure they are not reused across multiple accounts. 

  • If you use remote desktop protocol (RDP) or any other potentially risky service, ensure it is secure and monitored. 

  • Remind employees not to click on suspicious links, and conduct exercises to raise awareness. 

  • Reference

Security Tip

Agency Advice:

  • Improve password security. Passwords are one of the most vulnerable cyber defenses. Improve your password security by doing the following:

  • Create a strong password. Use a strong password that is unique for each device or account. Longer passwords are more secure. An option to help you create a long password is using a passphrase—four or more random words grouped together and used as a password. To create strong passwords, the National Institute of Standards and Technology (NIST) suggests using simple, long, and memorable passwords or passphrases. (See Choosing and Protecting Passwords.)

  • Consider using a password manager. Password manager applications manage different accounts and passwords while having added benefits, including identifying weak or repeated passwords. There are many different options, so start by looking for an application that has a large install base (e.g., 1 million plus) and an overall positive review. Properly using one of these password managers may help improve your overall password security.

  • Use multi-factor authentication, if available. Multi-factor authentication (MFA) is a more secure method of authorizing access. It requires two out of the following three types of credentials: something you know (e.g., a password or personal identification number [PIN]), something you have (e.g., a token or ID card), and something you are (e.g., a biometric fingerprint). Because one of the required credentials requires physical presence, this step makes it more difficult for a threat actor to compromise your device. (See Supplementing Passwords.)

  • Reference

The National Security Agency (NSA)

Cisco Password Types: Best Practices

Agency Advice:

  • The rise in the number of compromises of network infrastructures in recent years is a reminder that authentication to network devices is an important consideration. Network devices could be compromised due to:

    • Poor password choice (vulnerable to brute force password spraying)

    • Router configuration files (which contain hashed passwords) sent via unencrypted email, or  

    • Reused passwords (where passwords recovered from a compromised device can then be used to compromise other devices). 

  • Using passwords by themselves increases the risk of device exploitation. While NSA strongly recommends multi-factor authentication for administrators managing critical devices, sometimes passwords alone must be used. Choosing good password storage algorithms can make exploitation much more difficult.

  • To provide as much protection as possible, use strong passwords to prevent them from being cracked and converted to plaintext. Comply with a password policy that:  

    • Consists of a combination of lowercase and uppercase letters, symbols, and numbers;  

    • Is at least 15 alphanumeric characters; and  

    • Patterns that are not:  

      • A keyboard walk  

      • The same as a user name  

      • The default password  

      • The same as a password used anywhere else  

      • Related to the network, organization, location, or other function identifiers  

      • Straight from a dictionary, common acronyms, or easy to guess

  • Reference

Keeping Safe on Social Media

Agency Advice:

  • Secure and strengthen your passwords 

    • Use unique and strong passwords for each online account. Reusing passwords across multiple accounts can expose data from all of the accounts if the password is discovered. Make sure that your password is of adequate length and complexity, using a combination of letters, numbers, and special characters. Where possible, implement multi-factor authentication using an authentication token or app so that someone can’t access your account even if your password is compromised. Never share passwords and avoid using information that could be guessed based on your social media profiles or public information.

  • Reference

Selecting Secure Multi-factor Authentication Solutions

Agency Advice:

  • Single response, multi-factor authentication mechanisms require activation of the device, either with a PIN/password or biometric. The device provides ‘what you have’ and activation of the device implies that ‘what-you-know’ or ‘what-you-are’ has been verified. 

  • On the other hand, multi-step authenticators often include a password to provide ‘what-you-know’ and another authenticator that provides ‘what-you-have’. U.S. Government agencies should consider requirements for PIN/password activation as well as for the passwords that are used directly to provide ‘what-you-know’. Guidelines in SP 800-63-3 Part B indicate that memorized secrets (both for activation and as a single factor authenticator) must be at least 6-to-8 characters, and recommends higher password strength for user selected passwords. When determining password requirements, note that multi-factor devices should integrate strict thresholds to address password guessing attacks, whereas verifiers might employ less stringent threshold mechanisms that warrant passwords that are used directly have higher strength requirements.

  • Reference

Department of Homeland Security

CISA falls under the DHS

Cybersecurity page

Agency Advice:

  • President Biden has made cybersecurity, a critical element of the Department of Homeland Security’s (DHS) mission, a top priority for the Biden-Harris Administration at all levels of government.

  • To advance the President’s commitment, and to reflect that enhancing the nation’s cybersecurity resilience is a top priority for DHS, Secretary Mayorkas issued a call for action dedicated to cybersecurity in his first month in office. This call for action focused on tackling the immediate threat of ransomware and on building a more robust and diverse workforce.

  • In March 2021, Secretary Mayorkas outlined his broader vision and a roadmap for the Department’s cybersecurity efforts in a virtual address hosted by RSA Conference, in partnership with Hampton University and the Girl Scouts of the USA.

  • After his presentation, the Secretary was joined by Judith Batty, Interim CEO of the Girl Scouts, for a fireside chat to discuss the unprecedented cybersecurity challenges currently facing the United States. Dr. Chutima Boonthum-Denecke from Hampton University’s Computer Science Department introduced the Secretary and facilitated a Q&A to close the program.

  • Reference

Federal Bureau of Investigation (FBI)

The Cyber Threat

Agency Advice:

  • Internet-enabled crimes and cyber intrusions are becoming increasingly sophisticated and preventing them requires each user of a connected device to be aware and on guard. 

  • Keep systems and software up to date and install a strong, reputable anti-virus program.

  • Be careful when connecting to a public Wi-Fi network and do not conduct any sensitive transactions, including purchases, when on a public network.

  • Create a strong and unique passphrase for each online account and change those passphrases regularly.

  • Set up multi-factor authentication on all accounts that allow it.

  • Examine the email address in all correspondence and scrutinize website URLs before responding to a message or visiting a site.

  • Don’t click on anything in unsolicited emails or text messages.

  • Be cautious about the information you share in online profiles and social media accounts. Sharing things like pet names, schools, and family members can give scammers the hints they need to guess your passwords or the answers to your account security questions.

  • Don't send payments to unknown people or organizations that are seeking monetary support and urge immediate action.

  • Reference

Scams and safety on internet

Agency Advice:

  • Keep your firewall turned on

    A firewall helps protect your computer from hackers who might try to gain access to crash it, delete information, or even steal passwords or other sensitive information. Software firewalls are widely recommended for single computers. The software is prepackaged on some operating systems or can be purchased for individual computers. For multiple networked computers, hardware routers typically provide firewall protection.

  • Install or update your antivirus software

    Antivirus software is designed to prevent malicious software programs from embedding on your computer. If it detects malicious code, like a virus or a worm, it works to disarm or remove it. Viruses can infect computers without users’ knowledge. Most types of antivirus software can be set up to update automatically.

  • Install or update your antispyware technology

    Spyware is just what it sounds like—software that is surreptitiously installed on your computer to let others peer into your activities on the computer. Some spyware collects information about you without your consent or produces unwanted pop-up ads on your web browser. Some operating systems offer free spyware protection, and inexpensive software is readily available for download on the Internet or at your local computer store. Be wary of ads on the Internet offering downloadable antispyware—in some cases these products may be fake and may actually contain spyware or other malicious code. It’s like buying groceries—shop where you trust.

  • Keep your operating system up to date

    Computer operating systems are periodically updated to stay in tune with technology requirements and to fix security holes. Be sure to install the updates to ensure your computer has the latest protection.

  • Be careful what you download

    Carelessly downloading email attachments can circumvent even the most vigilant anti-virus software. Never open an e-mail attachment from someone you don’t know, and be wary of forwarded attachments from people you do know. They may have unwittingly advanced malicious code.

  • Turn off your computer

    With the growth of high-speed Internet connections, many opt to leave their computers on and ready for action. The downside is that being “always on” renders computers more susceptible. Beyond firewall protection, which is designed to fend off unwanted attacks, turning the computer off effectively severs an attacker’s connection—be it spyware or a botnet that employs your computer’s resources to reach out to other unwitting users.

  • Reference

Federal Trade Commission (FTC)

Cybersecurity advice to protect your connected devices and accounts

Agency Advice:

  • Besides securing your devices, protect your accounts. Start with strong passwords and enable multi-factor authentication.

  • When it comes to passwords, longer is stronger: at least 12 characters. You could use a passphrase of random words to help you remember it — but avoid common words or phrases. If your username and password are leaked in a breach, having multi-factor authentication enabled will make it harder for a scammer to get into your account. For more, check out this password checklist.

  • Reference

Password checklist

Agency Advice:

  • Make sure your password is long and strong. That means at least 12 characters. Making a password longer is generally the easiest way to make it stronger. Consider using a passphrase of random words so that your password is more memorable, but avoid using common words or phrases. If the service you are using does not allow long passwords, you can make your password stronger by mixing uppercase and lowercase letters, numbers, and symbols.

  • Don’t reuse passwords you’ve used on other accounts. Use different passwords for different accounts. That way, if a hacker gets your password for one account, they can’t use it to get into your other accounts.

  • Use multi-factor authentication when it’s an option. Some accounts offer extra security by requiring something in addition to a password to log in to your account. This is called multi-factor authentication. The “something extra” you need to log in to your account falls into two categories:

    • Something you have — like a passcode you get via an authentication app or a security key.

    • Something you are — like a scan of your fingerprint, your retina, or your face.

  • Consider a password manager. Most people have trouble keeping track of all of their passwords. The longer and more complicated a password is, the stronger it is, but a longer password can also be more difficult to remember. Consider storing your passwords and security questions in a reputable password manager. To find a reputable password manager, search independent review sites, and talk to friends and family for ones that they use. Make sure to use a strong password to secure the information in your password manager.

  • Pick security questions only you know the answer to. If a site asks you to answer security questions, avoid providing answers that are available in public records or easily found online, like your zip code, birthplace, or your mother’s maiden name. And don’t use questions with a limited number of responses that attackers can easily guess — like the color of your first car. You can even use nonsense answers to make guessing more difficult — but if you do, make sure you can remember what you use.

  • Change passwords quickly if there’s a breach. If a company tells you there was a data breach where a hacker could have gotten your password, change the password you use with that company right away, and on any account that uses a similar password.

  • Reference

Department of Commerce

NIST falls under the Department of Commerce


Agency Advice:

Federal Communications Commission (FCC)

Cybersecurity and network reliability

Agency Advice:

  • The FCC’s responsibility is to ensure the reliability and resiliency of the Nation’s communications network and to promote public safety through communications. The FCC, because of its relationship with the nation’s communications network service providers, is particularly well positioned to work with industry to secure the networks upon which the Internet depends.

  • Over the years, the FCC has worked through its Federal Advisory Committee, the Communications Security, Reliability, and Interoperability Council – CSRIC – to develop voluntary industry wide best practices that promote reliable networks, including for 911 calling. CSRIC and its working groups are made up of industry leaders, academics, and innovators in communications, Federal partners, public safety entities, state and local government officials, and Internet registries.

  • CSRIC will release a series of recommendations in March 2012 to address the most pressing threats to our cyber security, and suggest frameworks for possible solutions. We believe the most pressing cyber security threats are botnets, domain name fraud, and Internet route hijacking.

  • Reference

Cybersecurity tip sheet for small businesses

  • Train employees in security principles. Establish basic security practices and policies for employees, such as requiring strong passwords, and establish appropriate Internet use guidelines that detail penalties for violating company cybersecurity policies. Establish rules of behavior describing how to handle and protect customer information and other vital data.

  • Require employees to use unique passwords and change passwords every three months. Consider implementing multi-factor authentication that requires additional information beyond a password to gain entry. Check with your vendors that handle sensitive data, especially financial institutions, to see if they offer multi-factor authentication for your account.

  • Reference

Small Business Administration (SBA)

Best practices for preventing cyberattacks

Agency Advice: 

  • Employees and their work-related communications are a leading cause of data breaches for small businesses because they are direct pathways into your systems. Training employees on basic internet usage best practices can go a long way in preventing cyberattacks. 

    • Other training topics to cover include:

      • Spotting phishing emails

      • Using good internet browsing practices

      • Avoiding suspicious downloads

      • Enabling authentication tools (e.g., strong passwords, Multi-Factor Authentication, etc.)

      • Protecting sensitive vendor and customer information

  • Reference



There are many steps you can take to stay safe online, but the simplest action with the most significant and immediate impact on your security is to use a password manager. Choose a cross-platform password manager with zero knowledge end-to-end encryption that can generate and store unlimited unique and strong passwords. You can get started with Bitwarden on a free account or opt for Premium for less than $10/year to get advanced features like 2FA and Emergency Access.

© 2023 Bitwarden, Inc.