NIST Password Guidelines



Security is a top priority for any managed services provider (MSP), but managing hundreds of passwords across an array of customers is no easy task. To protect their customers’ data, MSPs work hard to roll out security strategies—but are they effective? 

Piecemeal security strategies are not only ineffective—they’re also risky. Ad hoc strategies leave room for errors that could put customers’ data in jeopardy. This is where comprehensive information security frameworks and guidelines from the National Institute of Standards and Technology (NIST) come into play. 


What are NIST guidelines?

NIST guidelines are written for federal agencies, which are required under FISMA to follow them, but they are also widely used as a reference when meeting other compliance obligations such as HIPAA and SOX. Before we dig into the NIST password standards, here’s a brief overview of NIST and why its standards and guidelines are so highly regarded. 

Founded in 1901 as the National Bureau of Standards, NIST is a non-regulatory federal agency within the U.S. Department of Commerce. While the organization develops standards and measurements for a host of industries, it has a long-standing history of publishing best practices for information security. The NIST Cybersecurity Framework (CSF) comprises guidance based on research NIST gathers from a diverse array of security organizations and publications. 

NIST guidelines have become so well-respected that federal agencies are no longer the only ones turning to them for support. Many private sector organizations have also adopted these comprehensive, customizable, and credible guidelines to remain compliant and keep their entire infrastructure secure. Two of the most popular NIST publications for IT professionals are the NIST Cybersecurity Framework and NIST SP 800-63 (the Digital Identity Guidelines), which is part of the Special Publication 800 series. 

What is the NIST cybersecurity framework?

The NIST Cybersecurity Framework, also known as the Framework for Improving Critical Infrastructure Cybersecurity, is a set of guidelines describing how organizations can keep cybercriminals at bay. Version 1.1 of the CSF is a 55-page document organized around five functions: identify, protect, detect, respond, and recover (version 2.0, released in 2024, adds a sixth, govern). It is a voluntary, high-level framework rather than a prescriptive checklist, but many MSPs turn to it when developing their customers’ internal information security frameworks—or their own.

What are the NIST Password Standards?

The password guidance lives in NIST SP 800-63B (Authentication and Lifecycle Management), one volume of the SP 800-63-3 Digital Identity Guidelines published in June 2017. That revision flipped the script on many of the organization’s historic password recommendations—earning applause from IT professionals across the country. Here are some of the most important changes for MSPs:

  • The more the merrier: SP 800-63B sets an eight-character minimum when the password is chosen by the user and a six-character minimum when it is generated randomly by the system (a random six-digit PIN is acceptable). Verifiers should permit passwords of at least 64 characters, so users can choose long passphrases, and must not truncate what they are given. Every printable ASCII character, including the space, should be accepted, and Unicode characters (emoji included) should be accepted too, with each code point counting as one character toward the length. 
  • Remove the reset: For years, most MSPs have encouraged their customers to put password rotation policies in place, requiring employees to change their passwords every few months. According to NIST, this should no longer be the case. Forced periodic resets have proven more detrimental than constructive: as users struggle to drum up a new, strong password every few months, they end up choosing weaker ones or making trivial variations on the old one. Password strength should be about quality, not quantity—one excellent password is better than 10 new, mediocre ones. The one exception is compromise: if there is evidence that a password has been breached, a change must be forced immediately. 
  • Complexity isn’t king: How often have you created a new account, for a new application, online store, or digital news outlet, and encountered the prompt, “your password must contain one lowercase letter, one uppercase letter, one number, and one symbol”? For years, this type of configuration was the norm. But NIST now explains—much like the new reset recommendation—that composition rules lead to poor password behavior. Users who forget their complicated passwords tend to replace them with new, weaker ones, and the rules mostly produce predictable patterns (a capital first letter, a “1” or “!” at the end). What NIST asks for instead is that every new password be checked against a blocklist of values known to be weak: passwords from breach corpora, dictionary words, repetitive or sequential strings such as “aaaaaaaa” or “12345678”, and context-specific words such as the user’s name or the service’s name. 
  • Make it a user-friendly affair: A “show password while typing” option is still rare on login forms. NIST suggests offering it, so users can see the password as they enter it. Without it, users gravitate toward shorter passwords that are easier to type correctly, and whatever shoulder-surfing protection the mask provides is cancelled out by the weaker passwords it encourages. 

In the same vein, NIST also suggests forgoing settings that block users from pasting passwords. Users who are allowed to paste their passwords are more likely to create and store stronger, lengthier passwords in a password manager than those who are forced to type out their password every single time. 

  • Lose the clues: Some services let users store a password hint, or answer a pre-selected question like “what was the name of your first pet?”, when they forget their credentials. SP 800-63B says a verifier must not store a hint that is accessible to an unauthenticated user and must not prompt for this kind of knowledge-based information. The answers are rarely secret: they sit in social media profiles and breached data sets, so an attacker who finds them can bypass the password entirely. Account recovery should instead go through a second authenticator or a verified out-of-band channel. 
  • Limit the attempts: Allowing an unlimited number of password attempts may temporarily help users who have forgotten their passwords, but it does far more harm than good. SP 800-63B sets a ceiling, not a target: a verifier must limit consecutive failed attempts on a single account to no more than 100, and most organizations pick a much lower number (10 is common). NIST also suggests throttling that slows an attacker without locking out a forgetful user, such as an increasing delay after each failure, a CAPTCHA, or requiring a second factor once the count gets high. 
  • A hands-free approach: Driving laws aren’t the only rules cracking down on texting. NIST still treats a one-time code sent by SMS or voice call as a valid out-of-band authenticator, but SP 800-63B designates delivery over the public telephone network as RESTRICTED: the organization must assess the risk, offer at least one alternative authenticator, and tell users about the limitation. The reason is that SMS is not a trustworthy channel. Codes can be intercepted through SIM-swap fraud, weaknesses in carrier signaling (SS7), or malware on the phone that reads or forwards messages. Where there is a choice, use an authenticator app, a push-based authenticator, or a hardware (FIDO) security key, and keep SMS as a fallback rather than the default. 
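The length, character-set, no-composition-rules, and blocklist rules above translate directly into a verifier’s input check. The following is an added example written for this page, not code from NIST or from the original article. It normalizes with NFKC (as SP 800-63B recommends before comparing or hashing), counts length in Unicode code points so emoji and spaces are fine, imposes no composition rules, and rejects blocklisted, repetitive or sequential, and context-specific values. The blocklist is a constructed handful of entries (a real deployment loads a breach corpus such as the Pwned Passwords data set), and the 128-character cap is an assumed local limit that sits above the 64 characters NIST says you must at least permit.

```python
import unicodedata

# Constructed sample blocklist: a few entries of the kind SP 800-63B says to screen
# for. A real deployment loads a breach corpus with millions of entries.
SAMPLE_BLOCKLIST = {
    "123456", "password", "qwerty", "iloveyou", "sunshine", "welcome", "admin",
    "letmein", "monkey", "football",
}

MIN_LEN_USER_CHOSEN = 8   # SP 800-63B 5.1.1.2: secret chosen by the subscriber
MIN_LEN_RANDOM = 6        # SP 800-63B 5.1.1.2: secret generated by the CSP/verifier
MAX_LEN = 128             # assumed local cap; NIST only requires permitting >= 64

REASON_BLOCKLIST = "found in the blocklist of common or breached passwords"
REASON_SEQUENCE = "repetitive or sequential characters"
REASON_CONTEXT = "contains a context-specific word (username or service name)"


def normalize(secret: str) -> str:
    """NFKC normalization so the same secret typed on different platforms
    compares equal (SP 800-63B recommends NFKC or NFKD before hashing)."""
    return unicodedata.normalize("NFKC", secret)


def _is_repetitive_or_sequential(s: str) -> bool:
    """True for a single repeated character ("aaaaaaaa", "111111") or a straight
    run of consecutive code points in either direction ("12345678", "hgfedcba")."""
    if len(s) > 0 and len(set(s)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1})


def check_password(secret: str, *, user_chosen: bool = True,
                   blocklist=SAMPLE_BLOCKLIST, context_words=()) -> list:
    """Return the reasons the secret is unacceptable; an empty list means accept.

    Deliberately absent: composition rules (upper/lower/digit/symbol) and any
    restriction on spaces or non-ASCII characters. Length is measured in Unicode
    code points, so an emoji counts as one character.
    """
    s = normalize(secret)
    problems = []

    min_len = MIN_LEN_USER_CHOSEN if user_chosen else MIN_LEN_RANDOM
    if len(s) < min_len:
        problems.append(f"shorter than {min_len} characters")
    elif len(s) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")

    folded = s.casefold()
    if folded in {b.casefold() for b in blocklist}:   # case-insensitive match
        problems.append(REASON_BLOCKLIST)
    if _is_repetitive_or_sequential(s):
        problems.append(REASON_SEQUENCE)
    if any(w.casefold() in folded for w in context_words if w):
        problems.append(REASON_CONTEXT)
    return problems


def password_ok(secret: str, **kw) -> bool:
    """Convenience wrapper: True when check_password() finds nothing wrong."""
    return not check_password(secret, **kw)


if __name__ == "__main__":
    for candidate in ["123456", "PASSWORD", "12345678", "alice2024!!",
                      "correct horse battery staple", "🔑 secret key 🔐"]:
        print(repr(candidate), check_password(candidate, context_words=("alice",)))
```

Note that “correct horse battery staple” passes with nothing but lowercase letters and spaces, while “PASSWORD” fails on the blocklist despite the uppercase: the screening is doing the work that composition rules used to pretend to do. A tiny sample list like this one will still wave through plenty of weak choices (“Password1!” is not in it), which is why the real check needs a breach corpus behind it.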

Why are NIST password standards important?

Organizations large and small turn to NIST password guidelines when developing their information security framework—the robust plan outlining the security policies and procedures employees must adhere to. These frameworks play a pivotal role in protecting MSPs and their customers from the increasingly prevalent threat of cybercriminals. The most common—and the most destructive—password-based attacks include: 

  • Phishing attacks: While phishing attacks can take many forms, they often consist of a cybercriminal simply asking for a user’s login ID and password. This “ask” is typically disguised as a legitimate email from a well-known service provider or vendor. Users who open the email are directed to a landing page created by the attacker and prompted to enter their credentials. If they are unaware the request originated from a bad actor, they hand the attacker the keys to their data. According to a report from Proofpoint, phishing attacks skyrocketed in 2018, up 70% from 2017. When successful, these attacks result in lost productivity, reputation damage, and financial repercussions. It’s important for MSPs to provide their customers (and employees) with security training on how to recognize and avoid these attacks. As a further precaution, MSPs should also limit what a stolen password can reach through role-based permissions and multifactor authentication (MFA), preferably a phishing-resistant form such as a FIDO2/WebAuthn security key, since a one-time code can be phished along with the password. 
  • Brute force attacks: Brute force attacks take little skill to perform, making them a favorite among inexperienced hackers. During a brute force attack, attackers rely on programs that hit a login portal with tens, hundreds, or thousands of requests per minute. These programs start by guessing passwords with simple constructions, then escalate to more complex attempts. This surprisingly effective attack becomes even more effective when users pick a weak password or (worse) keep default usernames and passwords. NIST password guidelines help MSPs keep these attacks at bay in two ways: by having employees develop one strong password—preferably a passphrase—per account, and by requiring the verifier to throttle failed attempts so the guessing never gets far. 
  • Credential stuffing: A credential stuffing attack replays username-and-password pairs stolen from one site, usually taken from a breach dump traded on the dark web, against the login pages of many other sites. It is automated like a brute force attack, but instead of guessing, it reuses credentials known to have worked somewhere, so it succeeds wherever users reuse passwords or make trivial variations on them—for example, PumpkinPie!2 on one account and PumpkinPie!3 on another, a pattern attackers’ tooling will try automatically. MSPs who implement NIST password standards—a unique password per account, stored in a password manager, and a blocklist check against breached passwords—help prevent their customers and employees from succumbing to this all-too-common pitfall. 
  • Dictionary attack: This attack method relies on users who create short passwords containing popular words, thus earning the name “dictionary attack.” The method is straightforward yet highly effective, and falls within the brute force family. According to a report from eSentire, brute force and dictionary attempts were up 400% in 2017. So while the word “sunshine” might be easy for a user to remember, it’s also easy for an attacker to guess. It’s important for MSPs to advise their customers and employees to stay away from simple word choices and opt for unique passphrases. 
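Brute force (including dictionary) attacks and credential stuffing leave different fingerprints in an authentication log: the first is many failures against one account from one source, the second is one source touching many accounts once or twice each, with any success in that burst being a probable account takeover. The following detection routine is an added example written for this page, not code from the original article or any product. The log format, the addresses, and the thresholds are all constructed assumptions; the log itself is built inline so the example runs offline.

```python
from collections import defaultdict


def build_sample_log():
    """Constructed authentication log in an assumed 'timestamp user src_ip result'
    line format (not from any real product). Three sources of failures:
      - 203.0.113.10 hammers one account: brute force / dictionary attack
      - 198.51.100.7 tries many accounts once each: credential stuffing
      - 192.0.2.44 is a real user who mistypes twice, then logs in
    """
    lines = []
    for i in range(30):
        lines.append(f"2024-05-01T10:00:{i:02d}Z alice 203.0.113.10 FAIL")
    for i in range(15):
        result = "OK" if i == 11 else "FAIL"      # one reused password works
        lines.append(f"2024-05-01T10:05:{i:02d}Z user{i:02d} 198.51.100.7 {result}")
    lines += [
        "2024-05-01T10:07:00Z bob 192.0.2.44 FAIL",
        "2024-05-01T10:07:09Z bob 192.0.2.44 FAIL",
        "2024-05-01T10:07:20Z bob 192.0.2.44 OK",
    ]
    return "\n".join(lines)


def parse_log(text):
    """Yield (timestamp, user, src_ip, succeeded) tuples, skipping blank lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        yield ts, user, ip, result == "OK"


def detect(text, *, brute_force_threshold=20, stuffing_min_accounts=10,
           stuffing_max_attempts_per_account=2):
    """Return a list of (kind, src_ip, detail) findings.

    brute_force: one source racks up >= brute_force_threshold failures against
      a single account.
    credential_stuffing: one source touches >= stuffing_min_accounts distinct
      accounts with a low mean number of attempts each (it is replaying known
      pairs, not guessing).
    probable_takeover: a login that succeeded from a source flagged for stuffing.
    Thresholds are assumed values; tune them to the site's normal traffic.
    """
    attempts = defaultdict(lambda: defaultdict(int))   # ip -> user -> attempts
    failures = defaultdict(lambda: defaultdict(int))   # ip -> user -> failures
    successes = defaultdict(set)                        # ip -> users that logged in
    for _, user, ip, ok in parse_log(text):
        attempts[ip][user] += 1
        if ok:
            successes[ip].add(user)
        else:
            failures[ip][user] += 1

    findings = []
    for ip, per_user in attempts.items():
        worst_user, worst_fail = max(failures[ip].items(), key=lambda kv: kv[1],
                                     default=(None, 0))
        if worst_fail >= brute_force_threshold:
            findings.append(("brute_force", ip,
                             f"{worst_fail} failures against {worst_user}"))
        n_accounts = len(per_user)
        mean_attempts = sum(per_user.values()) / n_accounts
        if (n_accounts >= stuffing_min_accounts
                and mean_attempts <= stuffing_max_attempts_per_account):
            findings.append(("credential_stuffing", ip,
                             f"{n_accounts} accounts, {mean_attempts:.1f} attempts each"))
            for user in sorted(successes[ip]):
                findings.append(("probable_takeover", ip,
                                 f"login succeeded for {user} during stuffing burst"))
    return findings


if __name__ == "__main__":
    for kind, ip, detail in detect(build_sample_log()):
        print(f"{kind:20} {ip:15} {detail}")
```

The per-account failure counter is the same one the “limit the attempts” rule needs, so in a real verifier the lockout decision and this detection share their data. Note what the stuffing detector does not key on: failure counts per account, which stay at one or two and would never trip a lockout. That is exactly why credential stuffing slips past per-account throttling and needs a per-source view.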

Putting NIST password management into practice

Explaining the prevalence and potential damage of the attacks outlined above can give your customers the wake-up call they need to take password policies seriously. NIST standards were developed for a reason—they work. Leaders who fail to remove default credentials from their employees’ accounts are missing an opportunity to educate them on the importance of unique passphrase construction—and putting their businesses in jeopardy as a result. But if detailing the facts and figures doesn’t work, this list of the most commonly used weak passwords of 2018 (SplashData’s annual “worst passwords” ranking) should at least provide some guidance as to what to avoid:

  1. 123456
  2. password
  3. 123456789
  4. 12345678
  5. 12345
  6. 111111
  7. 1234567
  8. sunshine
  9. qwerty
  10. iloveyou
  11. princess
  12. admin
  13. welcome
  14. 666666
  15. abc123
  16. football
  17. 123123
  18. monkey
  19. 654321
  20. !@#$%^&*

Customers and employees who see some variation of their own password on this list will hopefully be startled into action. But as an MSP, it’s important that you talk the talk and walk the walk by putting NIST standards into practice within your own organization. Following these guidelines and using a password manager will help keep your customers’ data safe and secure, forcing attackers to turn elsewhere. 


For more information on NIST guidelines and best practices, read through our related blog articles.