
Password Best Practices from the National Institute of Standards and Technology

Passwords are still the front line of account security, which is why it is so important to create and handle them according to current best practice. Today, we'll take a look at the password recommendations of the National Institute of Standards and Technology (NIST), set out in its Digital Identity Guidelines (Special Publication 800-63B), and what they mean for creating and managing secure passwords.

What Is NIST?

For years, NIST has been the leading authority on password standards. It revises its advice as the threat landscape changes, and the current guideline, SP 800-63B, reversed several rules that organizations had followed for decades. We thought we would go over what it now recommends, to give you an idea of what makes a secure password and a secure login process.

New Guidelines

Many companies follow the NIST guidelines voluntarily, and all federal agencies are required to use them. Let's go through the main password recommendations step by step.

#1 - Longer Passwords are Better than More Complicated Ones

For years, it was preached that the more complicated the password, the more secure the account. Today's guidelines refute that notion. NIST's point is that length is what makes a password hard to guess or crack, not symbols, and that composition rules (requiring a mix of letters, digits, symbols and changes of case) actually make passwords weaker in practice, so SP 800-63B says verifiers should not impose them. What the guideline does require is simple: a user-chosen password must be at least 8 characters long, the system should accept passwords of at least 64 characters, and any printable character, including spaces and Unicode, should be allowed so that passphrases work.

The reasoning behind this is two-fold. First, most users who are forced to complicate a password either make it so complicated that they forget it, or they take the cursory step of adding a "1" or an exclamation point to the end, which attackers know to try and which barely adds any strength. Secondly, the more complex a password is, the more apt the user is to reuse it across multiple accounts, which of course is not a great idea. In place of complexity rules, NIST requires that a new password be checked against a list of values known to be commonly used, expected or compromised (passwords from previous breaches, dictionary words, repetitive or sequential strings such as "aaaaaa" or "1234abcd", and context-specific words like the user's name or the service name) and rejected if it appears there.
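To make the difference concrete, here is an added example (written for this article, not code from NIST or 415 IT) of a password acceptance check that follows the SP 800-63B rules above and contrasts it with a legacy complexity rule. The breached-password list is a small constructed stand-in for a real breach corpus, and the length cap, thresholds and messages are this example's own choices.

```python
"""Password acceptance check in the style of NIST SP 800-63B.

Added illustration for this article, not code from NIST or 415 IT. It applies
the rules the guideline states (minimum 8 characters, at least 64 accepted, any
printable or Unicode character allowed, no composition rules) and the blocklist
check the guideline requires, then contrasts that with a legacy complexity
rule. BREACHED_PASSWORDS is a constructed stand-in for a real breach corpus;
the thresholds and messages are this example's own choices.
"""
import unicodedata

MIN_LENGTH = 8      # SP 800-63B minimum for a user-chosen password
MAX_LENGTH = 128    # 800-63B says accept at least 64; a higher cap keeps hashing cost bounded

# Constructed sample; a real deployment would query a breach corpus with millions of entries.
BREACHED_PASSWORDS = {
    "password", "password1", "p@ssw0rd", "p@ssw0rd1!", "qwerty123",
    "letmein", "welcome1", "summer2021!", "iloveyou", "admin123",
}


def _normalize(secret: str) -> str:
    # NFKC normalization before comparison (and before hashing), so that
    # visually identical Unicode input is treated as the same secret.
    return unicodedata.normalize("NFKC", secret)


def _is_repetitive(s: str) -> bool:
    # "aaaaaaaa" or "abababab": one short unit repeated to fill the string.
    for unit in range(1, len(s) // 2 + 1):
        if len(s) % unit == 0 and s == s[:unit] * (len(s) // unit):
            return True
    return False


def _is_sequential(s: str) -> bool:
    # "12345678" or "hgfedcba": every character is exactly one step from the previous.
    if len(s) < 2:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1})


def check_password(secret: str, username: str = "", service: str = "") -> list:
    """Return the reasons a candidate password is rejected; an empty list means accepted."""
    s = _normalize(secret)
    lowered = s.casefold()
    reasons = []
    if len(s) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(s) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if lowered in BREACHED_PASSWORDS:
        reasons.append("appears in breached/common password list")
    if _is_repetitive(lowered):
        reasons.append("repetitive characters")
    if _is_sequential(lowered):
        reasons.append("sequential characters")
    for word in (username, service):
        word = word.casefold()
        if len(word) >= 3 and word in lowered:
            reasons.append(f"contains context-specific word {word!r}")
    return reasons


def passes_legacy_complexity(secret: str) -> bool:
    """The old 'upper + lower + digit + symbol, 8+ chars' rule, for comparison only."""
    return (len(secret) >= 8
            and any(c.isupper() for c in secret)
            and any(c.islower() for c in secret)
            and any(c.isdigit() for c in secret)
            and any(not c.isalnum() for c in secret))


if __name__ == "__main__":
    # "P@ssw0rd1!" satisfies the legacy rule but is a known breached value;
    # the long passphrases fail the legacy rule and are exactly what NIST wants.
    for candidate in ("P@ssw0rd1!", "correct horse battery staple",
                      "ñandú de cordillera", "JohnSmith2021"):
        print(f"{candidate!r}: legacy={passes_legacy_complexity(candidate)} "
              f"nist={check_password(candidate, username='smith') or 'accepted'}")
```

Note that the check normalizes and case-folds before comparing, so "P@SSW0RD1!" is caught just like "p@ssw0rd1!"; the same normalization should be applied before the password is salted and hashed for storage, otherwise a user can be locked out by a different keyboard producing a different Unicode form of the same characters.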

#2 - Get Rid of the Resets

Many organizations require their staff to reset their password every month or every few months. The idea is peace of mind: if a password were compromised, the replacement would lock the unauthorized user out again after a defined period of time. NIST's position is that this actually works against your authentication security, and SP 800-63B says verifiers should not require passwords to be changed arbitrarily; a change should be forced only when there is evidence that the password has been compromised.

The reason is that if people have to come up with a new password every few weeks or months, they take less time and care over creating one that will keep unwanted people out of the business' network. Moreover, when people do change their password, they typically follow a pattern to help them remember it (the number on the end goes up by one, or the season in it changes). If a previous password has been compromised, there is a pretty good chance the next one is a small variation of it, giving an attacker a solid chance of guessing it quickly.

#3 - Don’t Hurt Security by Eliminating Ease of Use

One fallacy many network administrators hold is that removing ease-of-use options, like showing the password while the user types it or allowing copy and paste into the password box, makes the password less likely to be compromised. In fact, the opposite is true. SP 800-63B says verifiers should permit pasting (it is how password managers work, and those generate far stronger passwords than people do) and should offer an option to display the password so the user can check a long one before submitting it. Giving people options that make it easier to authenticate properly works to keep unauthorized users out of an account.

#4 - Stop Using Password Hints

Systems were commonly set up to let users store a password hint, or to answer "secret questions" (your mother's maiden name, your first pet) to get back into an account. That very design is the reason many organizations have been infiltrated. People share more today than ever before, and if all an attacker needs is a little personal information about someone to gain access to an account, they can find that information online, often for free. SP 800-63B therefore says verifiers must not let users store a hint that is accessible to an unauthenticated person, and must not prompt for specific types of information such as "What was the name of your first pet?" when a password is set.

#5 - Limit Password Attempts

If you throttle or lock users out after numerous attempts at entering the wrong credentials, you are doing yourself a service. Most of the time people remember their password, and if they don't, they typically have it stored somewhere, so a legitimate user rarely comes anywhere near the limit. Attackers running automated guessing tools, on the other hand, depend on being able to try thousands of candidates quickly. SP 800-63B requires that consecutive failed attempts on a single account be limited to no more than 100, and suggests making the wait between attempts grow as the account approaches that cap, adding a CAPTCHA, or only accepting attempts from IP addresses the user has successfully logged in from before. One caveat: an indefinite lockout is itself a tool for an attacker, who can lock your own staff out of their accounts simply by entering wrong passwords, so prefer an escalating delay over a permanent lock, and treat an account that hits the cap as something to investigate.
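The following is an added example (written for this article, not code from NIST or 415 IT) of a per-account throttle built around the 100-attempt limit. The number of free attempts, the doubling delay and the 15-minute ceiling are this example's own choices, and the clock is injected so the guess-list simulation runs instantly instead of actually waiting.

```python
"""Per-account throttling of failed login attempts, in the style of NIST SP 800-63B.

Added example for this article, not code from NIST or 415 IT. SP 800-63B limits
consecutive failed attempts on one account to 100 and suggests an increasing wait
as the account approaches that cap; the free-attempt count and the delay curve
below are this example's own choices. The clock is injected so the behaviour can
be exercised without real waiting.
"""
import time

MAX_CONSECUTIVE_FAILURES = 100   # hard per-account limit from SP 800-63B
FREE_FAILURES = 5                # typos happen: no delay for the first few (illustrative)
MAX_DELAY_SECONDS = 15 * 60      # cap the escalating delay so a user is never locked out for good


class FailureThrottle:
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = {}      # account -> consecutive failed attempts
        self._not_before = {}    # account -> earliest time another attempt is allowed

    @staticmethod
    def delay_for(failures: int) -> float:
        """Seconds to wait after `failures` consecutive failures: none for the first
        FREE_FAILURES, then 1, 2, 4, 8 ... seconds up to MAX_DELAY_SECONDS."""
        if failures < FREE_FAILURES:
            return 0.0
        return float(min(2 ** (failures - FREE_FAILURES), MAX_DELAY_SECONDS))

    def seconds_until_allowed(self, account: str):
        """0.0 if an attempt may be made now; None once the hard cap has been reached."""
        if self._failures.get(account, 0) >= MAX_CONSECUTIVE_FAILURES:
            return None   # recovery goes through another channel (help desk, verified reset)
        return max(0.0, self._not_before.get(account, 0.0) - self._clock())

    def may_attempt(self, account: str) -> bool:
        return self.seconds_until_allowed(account) == 0.0

    def record_failure(self, account: str) -> None:
        n = self._failures.get(account, 0) + 1
        self._failures[account] = n
        self._not_before[account] = self._clock() + self.delay_for(n)

    def record_success(self, account: str) -> None:
        # The guideline's limit is on *consecutive* failures, so a correct login resets it.
        self._failures.pop(account, None)
        self._not_before.pop(account, None)


class FakeClock:
    """Controllable clock for the simulation below (and for tests)."""
    def __init__(self, now: float = 0.0):
        self.now = now

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def simulate_spray(candidates, correct: str, account: str = "alice"):
    """Run an attacker's guess list through the throttle. Returns (guesses made,
    seconds the attacker had to wait in total, whether the password was found)."""
    clock = FakeClock()
    throttle = FailureThrottle(clock)
    tried = 0
    for guess in candidates:
        wait = throttle.seconds_until_allowed(account)
        if wait is None:
            break                # hard cap: no amount of waiting helps
        clock.advance(wait)      # the attacker sits out the delay
        tried += 1
        if guess == correct:
            throttle.record_success(account)
            return tried, clock.now, True
        throttle.record_failure(account)
    return tried, clock.now, False


if __name__ == "__main__":
    # Constructed guess list: 150 wrong guesses against a password that is not in it.
    guesses = [f"wrong{i}" for i in range(150)]
    print(simulate_spray(guesses, "hunter2"))   # 100 guesses, over 21 hours of waiting, not found
```

Because the counter is per account, anyone who knows a username can drive it to the cap, which is the denial-of-service caveat from the text. Run an IP-level or global rate limit alongside this one (NIST lists CAPTCHAs and IP allow-listing as complementary measures), and alert on accounts that reach the cap rather than silently locking them.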

#6 - Use Multi-factor Authentication

At 415 IT, we urge our clients to use multi-factor or two-factor authentication on every account that supports it. NIST's guidelines require, at Authenticator Assurance Level 2 and above, that a user demonstrate two distinct authentication factors before a login succeeds, drawn from these three categories:

  1. “Something you know” (like a password)
  2. “Something you have” (like a mobile device)
  3. “Something you are” (like a face or a fingerprint)

Two factors don't prove beyond doubt that the person logging in belongs there, but they do mean that an attacker who has guessed, phished or bought the password still can't get in without the second factor, which is what makes MFA so effective against credential stuffing and password reuse.

Security has to be a priority for your business, and creating and handling passwords properly has to be among the skills everyone in it has. If you would like to talk to one of our IT experts about password management and how we can help your business improve its authentication security, give us a call today at (415) 295-4898.

Wednesday, June 16 2021