Top 5 NIST Password Guidelines


Authentication credentials are one of the most sought-after pieces of digital information an attacker can obtain. Breaking into a system, network, or private application through vulnerabilities and exploits takes most attackers a lot of time, dedication, and reconnaissance. A weak password, or a password that has already leaked in some other breach, lets them in within seconds. A private system or network is only as strong as its weakest link, and often that weakest link is a user with a poor password or poor password management. According to the 2021 Verizon Data Breach Investigations Report, 61 percent of breaches involved stolen or compromised credentials; that is a lot of intrusions that stronger password policies and guidelines could have prevented. Even if your organization doesn't have a strong password policy, nothing stops you from adopting one yourself, both in your professional and personal life.

There is a lot of misleading, outdated, or outright counterproductive information on the internet about what password best practices should be. Luckily, we have the National Institute of Standards and Technology (NIST), an agency within the U.S. Department of Commerce, whose security recommendations are viewed as the gold standard because they are well researched and apply to federal agencies and private businesses alike. More specifically, we have NIST Special Publication 800-63-3 (Digital Identity Guidelines), whose 800-63B volume (Authentication and Lifecycle Management) contains dozens of pages of best practices for passwords and the safekeeping of digital identities. Unfortunately, the average person does not have the time to read such documentation just to protect their digital life. Fortunately, we will sum up the juicy parts for you and give our recommendations to help you start practicing better password security.

Password Do's and Don'ts

Personally Identifiable Information

Humans are simple: we tend to remember simple things such as dictionary words, the names of our loved ones, birthdays, anniversaries, our favorite cities, and so on. These important facts in our lives tend to end up in our passwords because they are easy to remember. If we need a password that is 8 characters long with an uppercase letter, a number, and a symbol, why not use something memorable? In my case, you could have an amazing dog named Odin who was born May 15th, so why not use Odin0515! as a password? It meets the requirements, and many websites will rate it as a secure password. Everything should be great then! Unfortunately, it isn't. People post about their loved ones on social media all the time, especially their dogs. Attackers targeting a specific person harvest exactly these details (names, dates, teams, hometowns) into a custom wordlist and try them, with the usual digit and symbol suffixes, before anything else. All it takes is one happy birthday post to your pup on Facebook, and a motivated attacker will have your password in very little time. This goes for anything: your pets, your family, even your favorite things in life. NIST's guidance also tells the systems that verify passwords to reject values built from context-specific words such as your username or the name of the service. The best thing to do is simply not use personally identifiable information in your passwords.

Length Over Complexity

It would be natural to think that the more complex your password, the harder it is to crack. In the old days, when attackers guessed passwords by hand, that was true. In 2022, not so much. A GPU password-cracking rig can test more than 100 billion guesses per second against a fast hash such as MD5 or NTLM (the rate depends on how the service stored the password; a slow, salted hash such as bcrypt or Argon2 cuts it by orders of magnitude), and it isn't uncommon for an attacker to have a machine capable of 100 million or more guesses per second. Against these machines, complexity by itself buys little. With a mix of lower-case letters, upper-case letters, digits, and symbols you have 92 possible characters per position. For an 8-character password that is 92^8 = 5,132,188,731,375,616 possible combinations. That sounds like a lot, but at 100 billion guesses per second every single combination is tried within 14 hours and 15 minutes. Even the more modest machine finishes in a little over a year and a half, and that is a single computer. A motivated attacker will happily put several machines on the job, and dictionary and rule-based attacks usually find a human-chosen 8-character password long before the search is exhausted.

What this tells us is that length matters far more than complexity. p@S$w0Rd falls within the timeframe above (faster, really, since crackers try leet-speak substitutions of dictionary words first), so let's think of something longer and less complex. How about SecurePasswordsAreReallyGreat? Treated as 29 characters drawn from 92 possibilities, the space of combinations is astronomical: about 8.9 x 10^56, and we don't need to do the math to see that no machine will exhaust it. That figure comes with a caveat, though: attackers don't brute-force a phrase character by character. Cracking tools also try combinations of whole words, so a grammatical English phrase is weaker than its length suggests, and a passphrase's real strength comes from how many words it has and how large and unpredictable the pool they were drawn from is. So let's do better: take 4 words chosen at random (not a phrase you would say), and add a few symbols and a digit. Letters_T3stify_Ride_Leftovers is a 30-character, highly secure, easily memorable password. Five or six random words is better still, and it costs almost nothing extra to remember. A password like this has no realistic chance of being brute-forced in our lifetime.
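The arithmetic above is worth having in runnable form, because the interesting number is not the character count but the size of the pool the attacker has to search. The block below is an added example, not code from the original article: it reproduces the 92^8 and 92^29 figures and the crack times at the two guess rates, and then measures a random-word passphrase the way an attacker who knows the word list would, as list_size^word_count. The 92-character alphabet is the one the article counts; the 7,776 figure is the size of the EFF long word list; DEMO_WORDS is a constructed stand-in so the block runs offline.

```python
import math
import secrets

# The article's alphabet: 26 lower + 26 upper + 10 digits + 30 symbols = 92.
PRINTABLE_92 = 92

# Constructed mini word list, only so the block runs offline; a real passphrase
# generator assumes a large list such as the 7,776-word EFF long list.
DEMO_WORDS = ["letters", "testify", "ride", "leftovers", "caution", "plus",
              "granite", "umbrella", "tango", "vortex", "walnut", "orbit"]
EFF_LIST_SIZE = 7776


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of exactly `length` symbols from the alphabet."""
    return alphabet_size ** length


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst case: every candidate tried once at a fixed guess rate.
    The rate is set by the hash the service used; the article's 100 billion/s
    is plausible for a fast unsalted hash, not for bcrypt or Argon2."""
    return space / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render a second count as years/days/hours/minutes/seconds."""
    units = (("year", 365 * 86400), ("day", 86400), ("hour", 3600),
             ("minute", 60), ("second", 1))
    parts, remaining = [], seconds
    for name, size in units:
        n = int(remaining // size)
        if n:
            parts.append(f"{n} {name}{'' if n == 1 else 's'}")
            remaining -= n * size
    return ", ".join(parts) or "under a second"


def passphrase_bits(list_size: int, word_count: int) -> float:
    """Entropy of `word_count` words chosen uniformly from a list the attacker knows.
    Character count is irrelevant here: the search space is list_size ** word_count."""
    return word_count * math.log2(list_size)


def random_passphrase(wordlist, word_count: int, sep: str = "_") -> str:
    """Pick words with the CSPRNG in `secrets`, never with `random`."""
    return sep.join(secrets.choice(wordlist) for _ in range(word_count))


if __name__ == "__main__":
    fast, modest = 1e11, 1e8
    eight = keyspace(PRINTABLE_92, 8)
    print(f"92^8 = {eight:,}")
    print("  at 100 billion/s:", human_duration(seconds_to_exhaust(eight, fast)))
    print("  at 100 million/s:", human_duration(seconds_to_exhaust(eight, modest)))
    print(f"92^29 = {keyspace(PRINTABLE_92, 29):.4e}")
    for n in (4, 5, 6):
        bits = passphrase_bits(EFF_LIST_SIZE, n)
        t = human_duration(seconds_to_exhaust(keyspace(EFF_LIST_SIZE, n), fast))
        print(f"{n} words from {EFF_LIST_SIZE:,}: {bits:.1f} bits, exhaustive search {t}")
    print("example passphrase:", random_passphrase(DEMO_WORDS, 5))
```

Running it shows the point the prose makes: four words from a 7,776-word list is about 51.7 bits, roughly the same 10-hour search at 100 billion guesses per second as eight random characters from 92, while six words pushes the same search into tens of thousands of years. The extra digits and symbols help only to the extent the attacker cannot predict where they go.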

(Optional) Changing Passwords Frequently 

Let's continue from the previous topic. We've created an amazing password that's memorable and that we don't have to worry about being cracked any time soon. Are we secure if we leave that password unchanged for the lifetime of the account? Chances are high that yes, we are. NIST agrees: SP 800-63B says verifiers should not require passwords to be changed arbitrarily (for example on a fixed schedule) and should force a change only when there is evidence of compromise, because forced rotation pushes people toward weaker passwords and predictable variations of the old one. Rotating a strong password on your own schedule doesn't hurt, as long as you don't fall into that trap. A light refresh of Letters_T3stify_Ride_Leftovers to something like Letters_Cauti0n_Plu$_Leftovers gives us something new with little memorization effort, but be aware that it shares most of its characters with the old password; that is fine only while the old one is still secret, because variations of a known password are the first thing an attacker tries. Some people change passwords every 30 days, which can be a bit much; others aim for a more modest 90 days. There is no right answer: if you aren't sitting on the same password for years, you're A-okay. The one hard rule is that if your password shows up in a breach, change it immediately to something completely different, not a variation, so a motivated attacker can't guess their way from the old one to the new one.
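The two checks the text relies on, no personal or context-specific words (the Personally Identifiable Information section above) and an immediate, substantial change once a password is known to be compromised, are things a verifier can enforce at password-change time, which is what SP 800-63B asks for when it says new passwords must be compared against breached, common and context-specific values. The block below is an added example and not code from the article or from NIST: the breach corpus is a constructed handful of SHA-1 digests standing in for a real multi-million-entry list, the LEET substitution table and the 0.5 similarity threshold are choices made for this example, and the personal terms are assumed to come from the user's profile.

```python
import hashlib
import re
from difflib import SequenceMatcher

# Constructed stand-in for a breach corpus: SHA-1 of a few passwords that appear
# in every leaked list. A real verifier would load millions of entries (or query
# a k-anonymity range API); the comparison logic stays the same.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("password", "123456", "qwerty", "letmein")
}

# Undo the substitutions people reach for, so "p@S$w0Rd" is judged as "password".
# Table chosen for this example; real tooling uses a longer one.
LEET = str.maketrans("0134$@!", "oleasai")


def normalize(pw: str) -> str:
    return pw.lower().translate(LEET)


def has_sequence(pw: str, run: int = 3) -> bool:
    """True if `run` consecutive characters step by exactly +1 (abc, 123, ...)."""
    codes = [ord(c) for c in pw.lower()]
    return any(all(codes[i + j + 1] - codes[i + j] == 1 for j in range(run - 1))
               for i in range(len(codes) - run + 1))


def check_password(candidate, username, personal_terms=(), old_passwords=(),
                   breached=BREACHED_SHA1):
    """Return the list of reasons a verifier should reject `candidate`
    (an empty list means accept). There is deliberately no composition rule:
    length, a breach-corpus lookup and context checks do the work."""
    reasons = []
    if len(candidate) < 8:
        reasons.append("shorter than 8 characters")
    if len(candidate) > 64:
        reasons.append("longer than 64 characters")

    norm = normalize(candidate)
    # Look up both the literal value and its de-leeted form.
    for form in (candidate, norm):
        if hashlib.sha1(form.encode()).hexdigest() in breached:
            reasons.append("appears in breach corpus")
            break

    # Username, service name, pet names, dates: anything an attacker can harvest.
    for term in (username, *personal_terms):
        if len(term) >= 3 and normalize(term) in norm:
            reasons.append(f"contains personal or context term {term!r}")

    if re.search(r"(.)\1\1", candidate):
        reasons.append("repeated characters")
    if has_sequence(candidate):
        reasons.append("sequential characters")

    # After a compromise the replacement must not be a light edit of the old one.
    for old in old_passwords:
        if SequenceMatcher(None, norm, normalize(old)).ratio() >= 0.5:
            reasons.append("too similar to a previous password")
            break
    return reasons


if __name__ == "__main__":
    for pw in ("Odin0515!", "p@S$w0Rd", "Letters_Cauti0n_Plu$_Leftovers",
               "Granite_Umbrella9_Tango_Vortex"):
        print(pw, "->", check_password(pw, "jsmith", ["Odin", "0515"],
                                       ["Letters_T3stify_Ride_Leftovers"]) or "accepted")
```

Odin0515! is rejected for the dog's name and birthday, p@S$w0Rd because its de-leeted form is in the corpus, and the "refreshed" Letters_Cauti0n_Plu$_Leftovers because it is mostly the previous password; a genuinely new random passphrase passes with no composition rule at all.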

Multi-Factor Authentication 

We've established some great password techniques so far; we've got highly secure passwords in mind that are hard to crack. But hard to crack doesn't mean impossible to steal. A password can be phished, captured by malware, or read out of a breached database, and none of those care how long it is. With only a password protecting an account, we have a single factor of authentication: whoever has the password is you, as far as the system is concerned. It doesn't have to be that way. Let's go beyond the secure password and enable Multi-Factor Authentication. When our accounts verify us with something beyond the password, whether that is a numeric code from an authenticator app on your phone, a hardware security key, or a fingerprint, a stolen password alone is no longer enough. (Codes or links sent by email or SMS are better than nothing, but NIST SP 800-63B does not accept email as an out-of-band authenticator and restricts SMS, because both are far easier to intercept than a device you hold.) It's one thing to guess or steal a password; it's an entirely different problem to also break into your email, steal your phone, or duplicate your fingerprint. The more independent factors protecting an account, the harder a takeover becomes.
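The "numerical token on your phone" is almost always TOTP (RFC 6238): the app and the server share a secret, and both derive a short code from it and the current 30-second time step, so the attacker who has your password but not the secret cannot produce the code. The block below is an added example, not code from the article or from any authenticator product, implementing both the code generation and the server-side check; it uses the reference secret from RFC 4226 and RFC 6238 so the published test vectors can be checked, and the replay rule (never accept a counter at or below the last accepted one) and one-step drift window are the choices made for this example.

```python
import hmac
import hashlib
import struct
import time

# RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890"), used here
# so the RFC test vectors can be checked. Real enrolments generate the secret with
# secrets.token_bytes(20) and share it as base32 (decode with base64.b32decode).
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer, reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, submitted, now, last_accepted=-1, step=30, digits=6, window=1):
    """Server-side check. Accepts the current step and `window` steps either side
    (clock drift), but never a counter at or below the last accepted one, so a
    code captured from the user cannot be replayed inside its validity window.
    Returns (accepted, counter_to_store); persist the counter per user."""
    current = int(now) // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_accepted:
            continue
        # Constant-time compare: the code is short, but don't leak anything.
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return True, counter
    return False, last_accepted


if __name__ == "__main__":
    print("code for right now:", totp(RFC_SECRET, time.time()))
    ok, ctr = verify_totp(RFC_SECRET, "287082", now=59)
    replayed, _ = verify_totp(RFC_SECRET, "287082", now=59, last_accepted=ctr)
    print("first use accepted:", ok, "| same code again accepted:", replayed)
```

The stored counter is what turns a six-digit code into a one-time code: without it, anyone who shoulder-surfs or phishes the code has the full 30 seconds (plus the drift window) to use it themselves.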

Re-Using Passwords and Password Managers 

Unfortunately, the most secure password in the world means nothing if it is reused for every one of your accounts. We can trust our password, we can know the chance of it being cracked is astronomically low, and we can rest easy that our security posture is strong. But can you say the same for every website you've ever signed up for? A candle shop you bought from 8 years ago that has since been abandoned and hasn't patched its software in years isn't the pinnacle of web security. It takes only one website breach, big or small, for all that security to come crashing down if you've used the same password everywhere: attackers take the leaked username and password pairs and replay them against every other service (credential stuffing), and a reused password hands them every account at once.

Let's be honest, though: expecting someone to remember highly secure, unique passwords for dozens, if not hundreds, of accounts is a tall order. Fortunately, this is where password managers come in. Password managers such as Bitwarden, LastPass, 1Password, and Dashlane not only store our passwords but let us generate a unique, long, random password for every account we have, and we don't need to commit any of them to memory; the manager remembers them for us. The only thing we need to remember is the password for the manager itself, which again should be a long random passphrase, protected with Multi-Factor Authentication of our choosing.

Wrapping Up

By following these tips, we have the peace of mind of knowing our digital life has real added security. It takes a little extra time out of our day to type a longer password or approve a login, but those costs are certainly worth the benefits, and far better than having one account breached and the rest picked off one by one because they shared a password. We will never be fully secure in the ever-changing internet world, but we can make the small changes that improve our odds of not being hacked.