The National Institute of Standards and Technology (NIST) is a non-regulatory agency of the United States Department of Commerce. Its Digital Identity Guidelines (Special Publication 800-63B) set out the recommended rules for passwords, which NIST calls "memorized secrets", and are revised periodically. The guidelines run to many pages, so the following is a simple summary of password policy parameters that meet or exceed what NIST recommends, with notes on where common practice actually departs from the guideline.
- Longer passwords are better – NIST requires user-chosen passwords to be at least eight characters long and requires that systems accept passwords of at least 64 characters. NIST also recommends allowing and encouraging passphrases, including spaces, because a long phrase is easier to remember than a short random string. Length should be counted in characters (Unicode code points) after normalization, not in bytes, and all printable ASCII characters, the space character, and Unicode characters should be accepted. We recommend our clients set a minimum length of 12 characters to exceed the NIST minimum.
- Complexity rules – Traditional complexity requires a mix of character classes, typically three of four: upper-case letters, lower-case letters, numbers, and special characters. NIST actually recommends against imposing composition rules of this kind, because users respond to them predictably (a capital first letter, a digit and a symbol at the end, "Password1!"), which adds little real unpredictability while making passwords harder to remember. The figure often quoted for eight-character passwords, 218,340,105,584,896 possibilities, is 62^8, the number of eight-character strings built from upper-case letters, lower-case letters and digits. That is the brute-force keyspace, but for a fast unsalted hash such as Windows NTLM a single modern GPU exhausts it in well under a day, and cracking tools do not start with brute force anyway: they try dictionaries and mangling rules first, which is exactly where complexity-driven patterns fall. What makes cracking genuinely hard is length combined with screening against known passwords. If your environment still requires complexity for compliance reasons, treat it as a secondary control alongside a longer minimum length, not as a substitute for it.
- Periodic password resets – NIST advises against forcing password changes on a fixed schedule. Frequent mandatory resets are counter-productive: users end up choosing weaker, predictable variations of the previous password ("Spring2024" becoming "Summer2024") to help with remembering them. What NIST does require is a forced change when there is evidence of compromise, for example the password appearing in a breach corpus or the account showing signs of takeover. Many organizations still run an expiration policy for compliance or legacy reasons; where they do, we recommend a maximum of 90 days, and we force changes every 30 days within our own environment. Either interval is stricter than NIST calls for, and it should be paired with screening against breached passwords rather than relied on by itself.
- Avoid common words – NIST requires that new passwords be screened against a blocklist of values known to be commonly used, expected, or compromised: passwords from published breach corpora, dictionary words such as "password" and "baseball", repetitive or sequential characters ("aaaaaaaa", "abcd1234"), and context-specific values such as the client's name, the user's own username, or the street address of the main office. A password that matches the list is rejected and the user is told why. Few of our clients screen at all, and of those that do, fewer still include breached passwords. This is one of the highest-value controls on this list, because it blocks exactly the passwords a cracking tool or credential-stuffing attack will try first.
- Limit the number of failed login attempts – NIST sets an upper bound of 100 consecutive failed attempts on a single account before the verifier must lock it, and recommends additional throttling alongside the counter: waits that grow longer as the account approaches its limit, a CAPTCHA after a few failures, or risk-based controls such as accepting logins only from an allow-list of IP addresses. In practice a threshold of 10 failed attempts is common and reasonable. The weaker your other settings are (a short minimum length, no blocklist, no MFA), the lower the threshold should be, because each guess then has a better chance of succeeding. Prefer a temporary lockout that clears after a delay to a permanent one, since an attacker can otherwise lock out legitimate users at will simply by guessing wrong on purpose.
- Add Multi-Factor Authentication (MFA) – NIST requires multi-factor authentication at Authenticator Assurance Level 2 and above, and classifies one-time codes sent over SMS or voice as "restricted" authenticators because of SIM-swap and interception risks. Authenticator applications, hardware tokens, and phishing-resistant authenticators such as FIDO2 security keys are preferred. We find our clients typically only use MFA for remote access (VPN, webmail, cloud applications), but recommend considering it for local network logons as well, and at minimum for every administrative account.
- Most importantly, use a unique password for every account. With the average user maintaining up to 200 credentials, that is hard to do from memory, which is why NIST explicitly requires systems to allow pasting into password fields so that a password manager can be used. Whatever else you do, NEVER reuse a password from a public-facing website as the login credential for your business network. When a third-party site is breached, the stolen usernames and passwords are sold on the dark web and replayed against corporate logins in credential-stuffing attacks; if your business credentials are unique, that replay fails.
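To make the length and screening rules above concrete, here is an added example of a password screener in Python. It is not code from the original post or from NIST; it applies the SP 800-63B checks as described here: NFKC normalization, a length window of 8 to 64 code points, a blocklist lookup, context-specific terms, and repetitive or sequential runs. The blocklist is a constructed sample for illustration, the stripping of trailing digits and symbols before the blocklist lookup is an addition beyond NIST's minimal comparison, and the 12-character minimum used in the demonstration call is this post's recommendation rather than NIST's own minimum.

```python
import re
import unicodedata

# Constructed sample blocklist for this example only. In production, load a
# large list of breached and commonly used passwords (for instance the
# Have I Been Pwned corpus) and normalize and casefold its entries the same
# way the candidate password is normalized below.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "12345678", "qwerty", "baseball",
    "letmein", "welcome1", "iloveyou", "admin",
}


def normalize(secret: str) -> str:
    """Apply Unicode NFKC normalization, as SP 800-63B requires before a
    password is compared or hashed, so compatibility forms such as the
    ligature U+FB01 compare equal to the plain spelling."""
    return unicodedata.normalize("NFKC", secret)


def has_repeated_run(secret: str, run: int = 4) -> bool:
    """True if any character appears `run` or more times in a row."""
    return re.search(r"(.)\1{%d,}" % (run - 1), secret) is not None


def has_sequential_run(secret: str, run: int = 4) -> bool:
    """True if `run` consecutive characters ascend or descend by one code
    point each (abcd, 4321, wxyz), checked case-insensitively."""
    codes = [ord(c) for c in secret.casefold()]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def screen_password(candidate, *, username="", context_terms=(),
                    min_length=8, max_length=64, blocklist=COMMON_PASSWORDS):
    """Return a list of rejection reason codes; an empty list means the
    password passes. Codes: too_short, too_long, common, context,
    repeated, sequential."""
    secret = normalize(candidate)
    reasons = []

    # Length is counted in code points after normalization, not in bytes.
    if len(secret) < min_length:
        reasons.append("too_short")
    if len(secret) > max_length:
        reasons.append("too_long")

    folded = secret.casefold()
    # Assumption beyond the minimal NIST comparison: also look up the password
    # with trailing digits and symbols stripped, so "Password1!" is caught by
    # the "password" entry.
    root = re.sub(r"[\d\W_]+$", "", folded)
    if folded in blocklist or root in blocklist:
        reasons.append("common")

    # Context-specific terms (username, organization name, office address),
    # compared with whitespace removed on both sides.
    compact = re.sub(r"\s+", "", folded)
    for term in (username, *context_terms):
        term = re.sub(r"\s+", "", term.casefold())
        if len(term) >= 3 and term in compact:
            reasons.append("context")
            break

    if has_repeated_run(secret):
        reasons.append("repeated")
    if has_sequential_run(secret):
        reasons.append("sequential")
    return reasons


if __name__ == "__main__":
    # Demonstration with constructed inputs and this post's 12-character minimum.
    for pw in ("Password1!", "acmecorp2024", "Correct Horse Battery Staple"):
        verdict = screen_password(pw, username="jsmith",
                                  context_terms=("Acme Corp",), min_length=12)
        print(f"{pw!r}: {verdict or 'accepted'}")
```

Run the screener wherever a password is set or reset, and tell the user which rule rejected the candidate so they can pick something that passes rather than retrying blindly. The blocklist lookup is the part to invest in: swapping the sample set for a breached-password corpus is what turns this from a style check into a control that blocks the passwords attackers actually try.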
Questions about your password policy? Ask us – we'd be happy to review your current settings and recommend hardening consistent with NIST SP 800-63B.