End-user passwords are one of the weakest links in an organization's security. Many users reuse the same password across work and personal accounts.
Others choose passwords that satisfy the company policy on paper but are still easy to guess or brute-force, or unknowingly set a corporate password that has already appeared in a public breach.
The National Institute of Standards and Technology (NIST) publishes the Digital Identity Guidelines (Special Publication 800-63B), which address common authentication pitfalls, including weak, reused, and breached passwords. This post takes a closer look at the NIST password guidelines and shows how you can audit your password policy to check that it meets them.
NIST Password Guidelines and Best Practices
Specific guidance on passwords (which NIST calls memorized secrets) is in the section of SP 800-63B titled Memorized Secret Verifiers. NIST's main recommendations are:
- User-chosen passwords must be at least eight characters long
- All printing ASCII characters and the space character should be accepted (NIST says Unicode should be accepted as well), and verifiers should allow passwords of at least 64 characters
- If the credential service provider generates the password randomly, it must be at least six characters long
- Every new password should be checked against a blocklist of commonly used, expected, or compromised values and rejected if it matches
What types of passwords are commonly-used, expected, or compromised?
- Passwords obtained from previous breaches
- Dictionary words
- Repetitive or sequential characters (for example "aaaaaa" or "1234abcd")
- Context-specific words, such as the username, the name of the service or business, and derivatives of them
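The checks listed above are easy to get subtly wrong (a leetspeak variant of a dictionary word, or the username spelled backwards, slips past naive comparisons), so here is a password validator that implements them. This is an added example, not code from the original post or from NIST; the breach hashes, dictionary and context words are constructed sample data, and the 64-character cap is a verifier-side choice (NIST only requires that at least 64 be accepted). A real deployment would load a breach corpus (Pwned Passwords is keyed by SHA-1, hence the hashing) and a word list from disk.

```python
"""
Memorized-secret checks in the spirit of NIST SP 800-63B section 5.1.1.2.
Added example, not code from the original post or from NIST. The breach
list, dictionary and context words below are constructed sample data.
"""
import hashlib
import re

MIN_LEN = 8   # user-chosen secrets: at least 8 characters
MAX_LEN = 64  # verifier-chosen cap; 800-63B says at least 64 must be accepted

# Constructed stand-ins for real lists.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ("password1", "letmein!", "qwerty123", "iloveyou")
}
DICTIONARY = {"password", "welcome", "dragon", "monkey", "football", "sunshine"}

# Common substitutions so "P@ssw0rd" still hits the dictionary entry "password".
_LEET = str.maketrans("@$0315!", "asoelsi")


def normalize(s: str) -> str:
    """Lower-case, undo common leet substitutions, keep only ASCII letters/digits."""
    return re.sub(r"[^a-z0-9]", "", s.lower().translate(_LEET))


def has_repetitive_run(s: str, run: int = 4) -> bool:
    """True if any character repeats `run` or more times in a row ("aaaa")."""
    return re.search(r"(.)\1{%d,}" % (run - 1), s) is not None


def has_sequential_run(s: str, run: int = 4) -> bool:
    """True if `run` consecutive code points step by +1 or -1 ("abcd", "4321")."""
    low = s.lower()
    for i in range(len(low) - run + 1):
        codes = [ord(c) for c in low[i:i + run]]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def is_context_specific(password: str, context_words) -> bool:
    """True if the password contains a context word (username, service name,
    ...) or its reversal. Three-letter minimum so short words do not match everything."""
    norm = normalize(password)
    for word in context_words:
        w = normalize(word)
        if len(w) >= 3 and (w in norm or w[::-1] in norm):
            return True
    return False


def check_password(password: str, username: str, service_words=()) -> list:
    """Return the list of reasons the password should be rejected.
    An empty list means the secret is acceptable under these checks."""
    reasons = []
    if len(password) < MIN_LEN:
        reasons.append("too_short")
    if len(password) > MAX_LEN:
        reasons.append("too_long")
    # Printing ASCII, space and Unicode are all allowed; control characters are not.
    if any(not c.isprintable() for c in password):
        reasons.append("invalid_character")
    if hashlib.sha1(password.encode("utf-8")).hexdigest() in BREACHED_SHA1:
        reasons.append("breached")
    if normalize(password) in DICTIONARY:
        reasons.append("dictionary_word")
    if has_repetitive_run(password):
        reasons.append("repetitive")
    if has_sequential_run(password):
        reasons.append("sequential")
    if is_context_specific(password, [username, *service_words]):
        reasons.append("context_specific")
    return reasons


if __name__ == "__main__":
    for pw in ("abc", "password1", "P@ssw0rd", "aaaaaaaa", "12345678",
               "alice2024!", "correct horse battery staple"):
        print(f"{pw!r:34} -> {check_password(pw, 'alice', ['Acme']) or 'OK'}")
```

Note that the sequence and repetition checks run on the raw password while the dictionary and context checks run on the normalized form; normalizing first would turn "12345678" into "l2345678" and hide the sequence. The leet map is deliberately small: the breach list, not clever normalization, is what should catch the bulk of weak variants.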
NIST also recommends several related controls:
- Rate-limiting failed login attempts (NIST caps consecutive failed attempts on a single account at 100)
- Not forcing users to change their password after an arbitrary number of days
- Forcing a password change when there is evidence the password has been compromised (for example, it appears in a breach)
- Giving users guidance on what the password policy requires, such as a password-strength meter