National Institute of Standards and Technology (NIST) Secure Password Guidelines
The National Institute of Standards and Technology, otherwise known as NIST, is a physical sciences laboratory and non-regulatory agency of the United States Department of Commerce. NIST was created to promote innovation and industrial competitiveness in certain industries such as information technology, nanoscale science and technology, and engineering. NIST has been named to lead the development of appropriate technical standards for reliable, robust, trustworthy, secure, portable, and interoperable AI systems by the American AI Initiative. In June of 2017, NIST published guidelines for ideal requirements for protecting one’s digital identity.
Characteristics of Secure and Strong Passwords
According to NIST’s secure password guidelines, there are certain password factors that are recommended for better security. Some of these guidelines are:
- Minimum of eight characters, with a suggested maximum of 64 characters
- Ability to use special characters (e.g. ? & ! @) and spaces
- Restriction of repetitive or sequential characters (e.g. abcde or 1111)
- Restriction of context-specific phrases (e.g. the service name, email address, or username)
- Restriction of commonly used passwords or passwords obtained from previous breach corpora
Restricting these kinds of passwords matters because predictable passwords are the first ones attackers guess. A candidate password is compared against a blacklist of unacceptable values and rejected if it matches one of those predefined conditions. A blacklist usually consists of simple dictionary words, passwords exposed in previous breaches, and specific words and phrases tied to the organization or service.
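The following is an added example, not code from the original post or from NIST, that turns the five bullet points above and the blacklist check into a single validation routine. The blacklist and the organization-specific terms are constructed placeholders; a real deployment would load a large breach corpus instead.

```python
import unicodedata

# Constructed sample blacklist: a few dictionary words and breached passwords.
# A production system would load millions of entries from a breach corpus.
BLACKLIST = {"password", "password1", "123456", "qwerty", "letmein", "welcome"}
# Hypothetical organization/service-specific terms that must not appear in a password.
ORG_TERMS = {"acmecorp", "acme"}

MIN_LEN = 8
MAX_LEN = 64


def normalize(password: str) -> str:
    # Normalize Unicode before measuring length so composed and decomposed
    # forms of the same text are treated identically.
    return unicodedata.normalize("NFKC", password)


def has_repetition(pw: str, run: int = 4) -> bool:
    # True if any character repeats `run` or more times in a row (e.g. "1111").
    count = 1
    for prev, cur in zip(pw, pw[1:]):
        count = count + 1 if cur == prev else 1
        if count >= run:
            return True
    return False


def has_sequence(pw: str, run: int = 4) -> bool:
    # True if `run` consecutive characters ascend or descend by one code
    # point each (e.g. "abcd", "4321"); comparison is case-insensitive.
    s = pw.lower()
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def validate_password(password: str, username: str = "", email: str = "") -> list:
    """Return a list of reasons the password is unacceptable (empty list = OK).

    Any printable character, including spaces and symbols, is allowed;
    the rules only reject length, repetition, sequences, context and blacklist hits.
    """
    pw = normalize(password)
    problems = []

    if len(pw) < MIN_LEN:
        problems.append("shorter than 8 characters")
    if len(pw) > MAX_LEN:
        problems.append("longer than 64 characters")
    if has_repetition(pw):
        problems.append("contains a run of repeated characters")
    if has_sequence(pw):
        problems.append("contains a sequential run of characters")

    # Context-specific terms: the username, the local part of the email
    # address, and the organization's own names.
    low = pw.lower()
    context = {username.lower(), email.split("@")[0].lower()} | ORG_TERMS
    context.discard("")
    for term in sorted(context):
        if len(term) >= 3 and term in low:
            problems.append(f"contains context-specific term {term!r}")

    # Blacklist lookup, ignoring case and spaces so "Pass word" still matches.
    if low in BLACKLIST or low.replace(" ", "") in BLACKLIST:
        problems.append("appears on the blacklist of common or breached passwords")

    return problems


if __name__ == "__main__":
    for candidate in ["house kangaroo 28 card ticket", "abcde1234", "Password1", "alice2024!!"]:
        print(f"{candidate!r}: {validate_password(candidate, 'alice', 'alice@example.com') or 'OK'}")
```

The passphrase from the post, "house kangaroo 28 card ticket", passes every rule, while a short, sequential, or username-derived password is rejected with a specific reason that can be shown to the user.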
Random Characters Do Not Equal Strong Passwords
NIST suggests that a strong password is something unique that you will remember but someone else cannot guess. Contrary to past popular belief, passwords built from mixed upper- and lower-case letters, numbers, and special characters are no longer recommended; instead, the guidance favors complex, memorable phrases such as “house kangaroo 28 card ticket”, where the phrase does not make sense as a sentence but can be pictured in your mind.
In addition to strong passwords, the controls surrounding passwords are equally important. Even though the new guidelines rely less on length and complexity, a lockout after repeated failed attempts should be configured to stop the high-volume guessing that is a sign of an attack. Another control should be a password history restriction that does not let personnel reuse any of their previous passwords, because those passwords may already have been compromised.
For more information about secure password guidelines, check out the NIST website focused on information technology publications. To learn more about our risk consulting services, contact Katelyn.Crowley@freedmaxick.com, connect with me here, or call 716.362.6281.