A7:2021 | Secure Passwords (3) | Cycubix Docs

NIST password standard

The NIST password standard (also known as the Special Publications (SP) 800-series) is a guideline that provides recommendations for implementing secure password systems.

Password rules

Here are some of the most important recommendations made by the most recent NIST standard:

  • no composition rules Do not request the user to, e.g., use at least one upper case letter and a special character on their password. Please give them the opportunity to, but do not force them!

  • no password hints If you wanted people to have a better chance at guessing your password, write it on a note attached to your screen.

  • no security questions Security questions, also known as knowledge-based authentication (KBA), are outdated. Asking a user, "What’s the name of your pet?" or something similar to check if it’s him is pretty insecure.

  • no unnecessary changing of passwords If you want users to comply and choose long, hard-to-guess passwords, you should not make them change those passwords unnecessarily after a certain period.

  • minimum size of 8 characters A secure password nowadays should be at LEAST 8 characters long (up to 64). This is a minimum, not a maximum-minimum!

  • support all UNICODE characters It would help if you allowed all kinds of UNICODE characters in a password. This also includes emojis and whitespaces.

  • check the password against known bad choices

    • passwords obtained from previous breach corpuses

    • dictionary words

    • repetitive or sequential characters (e.g. 'aaaaaa', '1234abcd')

    • context-specific words, such as the name of the service, the username, and derivatives thereof

Usability

Besides the recommendations above, the NIST standard also recommends increasing the usability of password forms to increase the likelihood of users choosing a strong and secure password. Some of those are:

  • allow pasting into the password input Users should be able to use the "paste" functionality when entering a password. Since this facilitates the use of password managers, it also increases the likelihood that the user will choose a strong password.

  • allow displaying the password Password inputs should have an option to display the entered password to assist the user in successfully entering a password.

  • offer a strength meter Add a strength meter on the password creation page to help the user choose a strong and secure password.

PreviousA7:2021 | Secure Passwords (2) | Cycubix DocsNextA7:2021 | Secure Passwords (4) | Cycubix Docs

Last updated