NIST Password Guidelines 2021. Password Policy Best Practices

A recent survey has shown that two-thirds of companies don’t change passwords. The reasoning behind this statistic is even more worrying, as over half of employees avoid doing so because they worry about forgetting their new passwords, think that this practice is annoying, or simply don’t see the point in doing so.

Healthy and robust password management policies are essential. Both companies and employees need to understand the importance of implementing proper password practices. The National Institute of Standards and Technology (NIST) provides password guidelines that are regarded as the gold standard for general privacy and data security compliance in the US.

At the start of this year, officials from NIST teased potential changes to their security recommendations. With that in mind, we want to take a look at the current NIST password guidelines for 2021 to help you recognize the best password practices to protect against current cybersecurity threats.

NIST Password Guidelines

Since 2014, the National Institute of Standards and Technology has issued guidelines, recommendations, and controls for identity authentication, including optimal password policy practices.

These guidelines have evolved over the years, as there have been several revisions, most notably in 2017 and 2019. The NIST password guidelines cover crucial practices for creating and managing passwords and requirements for the validation of these passwords.

The main goal of the NIST password guidelines is to create strong password security for users and businesses and strictly control privileged access. These guidelines allow organizations and companies to better protect themselves against credential stuffing, brute force attacks, and other intrusion attempts. With all of that in mind, let’s first take a look at the outdated password recommendations and then move to the latest NIST guidelines for passwords for 2021.

Outdated Password Recommendations

Most companies still apply outdated password practices built on a small set of fundamental criteria. These criteria generally come down to three password security guidelines:

  • Forcing regular password changes
  • Requiring that each new password is unique and hasn’t been used before in any form
  • Making sure that each password is complex and mixes alphabetic (lowercase and uppercase) characters, numeric characters, and special symbols.

These guidelines are widely accepted by many businesses and have been used for decades. While there’s nothing inherently wrong with the above-listed policies, they’re not sophisticated enough to support modern security requirements.

The fact that around 57% of people still employ these outdated practices means that the door for phishing and malware attacks is still very much open for attackers. We’ve grown accustomed to the outdated recommendations and need to apply new password management practices to ensure maximum security. This brings us to the next crucial topic.

Updated Password Recommendations

NIST has published a revised set of guidelines that cover the recommended security practices that best apply to today’s environment. This topic requires an entire article of its own, so we won’t go into all of the tiny details. That said, we want to take a close look at the latest password recommendations pertaining to the existing security practices:

Alphanumeric Characters

The alphanumeric password system seems like it has been around for as long as passwords themselves. Combining lowercase and uppercase letters with numbers and special characters to make a password “stronger” is a practice nearly every security system employs nowadays.

However, the NIST password guidelines state that this system doesn’t necessarily make for more robust and more secure passwords.

The new NIST password guidelines emphasize a more dynamic system, in which each new password is checked against lists of weak, commonly used passwords and passwords exposed in known leaks, rather than against fixed composition rules.

Password Length

The current practice is that passwords should be around 8 to 10 characters. This is one of the essential aspects that needs to change, as the NIST password guidelines recommend that passwords of at least 64 characters should be allowed.

Having such a lengthy password might seem like an inconvenience. However, remembering a unique sentence as a password is much easier than remembering a gibberish one composed of random numbers and characters.
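The two sections above describe the shift from composition rules toward length plus a blocklist check. The following is an added example, not code from the original post or from Hideez, of what a verifier-side password acceptance check looks like when it follows the SP 800-63B recommendations summarized here: a minimum of 8 characters, at least 64 accepted, no forced character-class mix, Unicode normalization, and comparison against a list of known-weak or breached values. It goes slightly beyond the article by also rejecting repetitive or sequential strings and context-specific words (service name, username), which SP 800-63B lists as further blocklist categories. The blocklist entries and candidate passwords are constructed sample data; a legacy composition-rule check is included purely for contrast.

```python
import re
import unicodedata

# Constructed stand-in for a breach corpus / common-password list. A real
# deployment would load a large data set of known-compromised values.
BLOCKLIST = {
    "password", "123456", "12345678", "qwerty", "letmein",
    "iloveyou", "password1", "welcome1", "p@ssw0rd",
}

MIN_LENGTH = 8     # SP 800-63B: memorized secrets SHALL be at least 8 characters
MAX_LENGTH = 256   # at least 64 must be accepted; this cap only bounds hashing cost


def normalize(secret: str) -> str:
    """NFKC-normalize so visually identical inputs compare equal, and collapse
    runs of spaces (both steps are permitted by SP 800-63B)."""
    return re.sub(r" {2,}", " ", unicodedata.normalize("NFKC", secret))


def is_repetitive_or_sequential(s: str) -> bool:
    """Heuristic: True when the whole secret is made of runs of 3+ identical
    or consecutive code points, e.g. 'aaaaaaaa', '87654321', '1234abcd'."""
    if len(s) < 3:
        return False
    runs = []  # lengths of maximal runs whose step is constant in {-1, 0, +1}
    start, step = 0, None
    for i in range(1, len(s)):
        diff = ord(s[i]) - ord(s[i - 1])
        if step is None and diff in (-1, 0, 1):
            step = diff
        elif diff != step:
            runs.append(i - start)
            # a new run that starts with a valid step shares the previous character
            start = i - 1 if diff in (-1, 0, 1) else i
            step = diff if diff in (-1, 0, 1) else None
    runs.append(len(s) - start)
    return all(r >= 3 for r in runs)


def legacy_complexity_ok(secret: str) -> bool:
    """The old-style composition rule the article describes (mixed case, a
    digit and a symbol). Shown only to contrast it with the NIST-style check."""
    return (any(c.islower() for c in secret) and any(c.isupper() for c in secret)
            and any(c.isdigit() for c in secret)
            and any(not c.isalnum() for c in secret))


def check_password(secret: str, context_words=()) -> tuple:
    """Return (accepted, reason). context_words are service- or user-specific
    strings (service name, username) that must not appear in the secret.
    Note that no character-class composition rule is applied."""
    s = normalize(secret)
    n = len(s)  # count code points, not bytes
    if n < MIN_LENGTH:
        return False, f"too short ({n} < {MIN_LENGTH} characters)"
    if n > MAX_LENGTH:
        return False, f"too long ({n} > {MAX_LENGTH} characters)"
    folded = s.casefold()
    if folded in BLOCKLIST:
        return False, "appears in the breached/common-password list"
    for word in context_words:
        if len(word) >= 3 and word.casefold() in folded:
            return False, f"contains context-specific word {word!r}"
    if is_repetitive_or_sequential(s):
        return False, "repetitive or sequential characters"
    return True, "accepted"


if __name__ == "__main__":
    for candidate in ["P@ssw0rd", "1234abcd", "correct horse battery staple"]:
        print(f"{candidate!r}: legacy={legacy_complexity_ok(candidate)} "
              f"nist={check_password(candidate)}")
```

Run as a script, the contrast is the point: "P@ssw0rd" satisfies the legacy composition rule but is rejected because it sits in the blocklist, while a 28-character passphrase fails the legacy rule (no uppercase, no digit) yet is accepted by the NIST-style check.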

Password Hints

“What was the name of your childhood pet?” and “The name of your first teacher” are common password hints users rely on when they need to recover a password they’ve forgotten. However, the quality of these password hints often leaves a lot to be desired, especially in today’s over-exposed social media era.

The new NIST password guidelines advise that users should steer clear of password hints. Instead, they should use multi-factor authentication as a more advanced and more secure method of protecting their accounts.

You can set the MFA to identify you based on your fingerprint, digital certificate, hardware token, location, time, and much more. This is a security step that’s much harder to hack and significantly lowers the risk of getting your data leaked.

Forced Password Changes

The new NIST password guidelines diminish the value of scheduled forced password changes. They support this stance by arguing that users’ tendency to fall back on patterns, such as changing only a few numbers or swapping characters, weakens the password and makes the change far less significant than it should be. Plus, if the hackers already have the user’s existing password and the user only makes slight tweaks to it, the forced password change is pointless.

Copy-Pasting Passwords

Surprisingly, this is something NIST has completely changed its perspective on since the last revision. The institute was previously entirely against enabling copy/paste features when entering passwords. However, the new guidelines reverse this recommendation.

The reasoning behind this change of recommendation is that being able to copy and paste complex passwords encourages employees to move to password managers rather than fall back on simpler passwords. These password managers then allow them to randomly generate and store passwords for convenient use without compromising their security.

The Importance of Password Managers and 2FA

The best way to ensure maximum privacy and security of your passwords is to implement two practices: employing a password manager and using 2-factor authentication. When it comes to the latter, everyone agrees that using 2-factor authentication adds a very strong security layer to your information. Another point all experts agree on is that passwordless logins are the way of the future. It’s only a matter of time before companies adopt this method of authentication.

However, when it comes to password managers, this is where experts come to a crossroads. For some, password managers are a necessary and very convenient tool for ensuring privacy and security. For others, they are just a tool for masking the general issue by storing the passwords behind another password.

This is partly because it’s hard to find password generators and managers that meet all of the NIST standards and requirements. The best you can do is find a reliable and secure password generator and manager to protect your valuable data from falling into the wrong hands.

For this reason, using a compact all-in-one Bluetooth-enabled key such as the Hideez Key 3 or Hideez Key 4 is a simple and elegant solution for your password management needs. It allows you to store up to 2,000 login credentials and passwords in a hardware vault. Moreover, it serves as a multifunctional security key that helps you generate unique and robust passwords and one-time passwords for multi-factor authentication.

The best part is that such a password management solution can be implemented not only for personal needs but for enterprise use as well, offering many more valuable features that are a perfect fit for multi-user environments. To find out more, please contact us or request a free personalized pilot.