NIST Password Policy Guidelines

Passwords are the most widely used form of authentication across the globe and serve as the first line of defense for critical systems, applications, and data. In the past decade, however, they have drawn the ire of IT security experts for how ineffective they are at stopping hackers.

According to the 2018 Credential Spill Report, 2.3 billion credentials were stolen in 2017. To safeguard passwords from attacks, the National Institute of Standards and Technology (NIST) publishes guidelines that cover the security requirements of passwords in detail. Though intended for federal agencies, these guidelines can help all types of organizations implement strong password policies without affecting the end-user experience.

The recently published NIST Special Publication 800-63B report defines the standards for authentication and identity life cycle management. Section 5.1.1 of this report covers the guidelines related to password security and talks about what can be done to ensure optimal security.

NIST password guidelines: The dos and don’ts

What you should do:

  • Allow longer passwords (up to 64 characters), and set the minimum password length to 8 characters.

  • Permit the usage of printable ASCII characters, Unicode characters, and spaces.

  • Blacklist commonly used words, dictionary words, and breached passwords, such as password1, qwerty123, etc.

  • Restrict the use of repetitive or sequential characters, such as aaaa1234, 123456, etc.

  • Offer guidance, such as a password strength meter, to help users choose a strong password.

  • Enforce account lockouts after a certain number of failed authentication attempts.

  • Permit the usage of the paste functionality while entering passwords.

  • Enforce two-factor authentication (2FA), which adds an additional layer of authentication in addition to passwords.

What you should not do:

  • Enable password complexity requirements, i.e., requiring a password to contain a certain number of uppercase characters, lowercase characters, special characters, and digits.

  • Enable password expiration.

  • Use security questions that involve personal information of the user.

  • Use hints to help users remember their passwords.

Some of these guidelines differ sharply from what has traditionally been considered password security best practice. For example, NIST recommends that password complexity requirements, long regarded as one of the most important settings for ensuring stronger passwords, be disabled.

According to NIST, when complexity rules are enforced, users respond in a predictable manner and choose common passwords, such as password1!, or write them down somewhere. Password expiration, another setting long considered a security best practice, is also advised against in these guidelines. Microsoft, too, recently announced that the password expiration settings in Windows will be phased out in the near future.
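To show how the dos and don'ts above translate into a verifier-side check, here is an added example in Python (not code from the article or from ManageEngine). It counts length in code points so Unicode and spaces pass, uses a constructed blocklist in place of the leaked-password file, rejects repetitive or sequential runs, and deliberately applies no composition rule and no expiry.

```python
import unicodedata

# Constructed sample blocklist; a real deployment loads the common/breached
# password file here and keeps entries lower-cased.
BLOCKLIST = {"password1", "qwerty123", "password1!", "letmein", "welcome1"}

MIN_LENGTH = 8    # NIST minimum for user-chosen passwords
MAX_LENGTH = 64   # accept at least this many characters
RUN_LIMIT = 4     # reject runs such as "aaaa", "1234" or "dcba"


def normalize(password):
    # NFKC so visually identical Unicode input compares and counts the same
    return unicodedata.normalize("NFKC", password)


def has_repetitive_or_sequential(pw, limit=RUN_LIMIT):
    """True if pw contains `limit` or more identical or consecutive code points."""
    codes = [ord(c) for c in pw]
    for i in range(len(codes) - limit + 1):
        window = codes[i:i + limit]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs in ({0}, {1}, {-1}):      # repeated, ascending, descending
            return True
    return False


def check_password(password, blocklist=BLOCKLIST):
    """Return the list of reasons a password is rejected; empty means accepted.

    Intentionally absent: upper/lower/digit/symbol counting, hints, expiry.
    """
    pw = normalize(password)
    problems = []
    length = len(pw)                        # code points, so Unicode/spaces count normally
    if length < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if length > MAX_LENGTH:
        problems.append("longer than %d characters" % MAX_LENGTH)
    if pw.lower() in blocklist:
        problems.append("appears in the common/breached password list")
    if has_repetitive_or_sequential(pw):
        problems.append("contains repetitive or sequential characters")
    return problems


if __name__ == "__main__":
    for candidate in ("password1", "aaaa1234", "correct horse battery staple"):
        print(repr(candidate), check_password(candidate) or "accepted")
```

A strength meter, as the guidelines suggest, would sit on top of this: the reason list is what it would display to the user, and an empty list is the only path to accepting the password.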

Enforcing NIST guidelines in Active Directory (AD)

For most organizations, AD serves as the identity store where users are authenticated before they’re allowed to access network resources. Unfortunately, implementing NIST guidelines using the domain password policy settings in AD is not possible, as it lacks many of the capabilities recommended by the NIST. For example, there’s no way to blacklist dictionary words or display a password strength meter to help users choose a strong password.

How ADSelfService Plus can help with NIST compliance

ManageEngine ADSelfService Plus is an integrated Active Directory self-service password management and single sign-on solution. The Password Policy Enforcer feature in ADSelfService Plus supports advanced password policy settings including dictionary rule, pattern checker, an option to enforce the use of Unicode characters, an option to restrict the use of repetitive characters, and more.

You can configure a file containing a list of all the leaked passwords in ADSelfService Plus, and prevent users from using those passwords. The solution also displays a password strength meter when users change or reset their domain password using its self-service portal.

[Figure: ADSelfService Plus Dictionary Rule Settings]

Fig 1. Password policy settings available in ADSelfService Plus

Additionally, you can create multiple password policies with different levels of complexities, and apply them granularly based on the OUs and groups in AD. This way, you can ensure that users with higher privileges use strong passwords, while other users have a relatively lenient password complexity to abide by. ADSelfService Plus also supports 2FA for Windows (both local and remote desktop logons) and cloud applications through single sign-on.

The cyberthreat landscape is continuously evolving, so even NIST guidelines can’t be considered the be-all and end-all solution. Although these guidelines provide a basic starting point, you should consider the security requirements of your business, IT compliance laws (for example, PCI DSS has its own set of password guidelines), and other factors before devising your password policies.

Most importantly, it’s time to jump on the 2FA bandwagon and enable it for all systems and applications in your organization. Whatever your requirements are, a tool like ADSelfService Plus can help you make the transition towards better security. Get started right away by downloading a free, 30-day trial of ADSelfService Plus.