How NIST is Changing Password Creation in 2021

The National Institute of Standards and Technology (NIST) has issued certain requirements along with controls for digital user identities. Let’s have a quick look at some of the important NIST password guidelines and learn how businesses can ensure maximum security in 2021 and beyond.

Deependra Singh
Deependra Singh
July 22, 2021
5 min read

We’re living in an era where almost everything is just a few clicks away, and the internet is becoming the second home for all of us.

Whether it’s entertainment or essential purchasing, we’re catered to everything online in the digital world.

But with the increase in the use of the internet, the risk of security breach and identity thefts have augmented substantially.

Businesses are compromising sensitive user data and consumer identities that not only cause losses worth millions but eventually tarnish brand repute.

To cope with the increasing number of cyber frauds and data thefts, the National Institute of Standards and Technology (NIST) has issued certain requirements along with controls for digital user identities.

The NIST has dispensed several guidelines that not only ensure security to the user but eventually help enterprises secure their crucial business information.

These guidelines offer recommendations for users for creating strong passwords along with recommendations for vendors/verifiers that are handling passwords.

Let’s have a quick look at some of the most important NIST guidelines and the cybersecurity best practices to follow in 2021.

NIST Overview

Recognizing the national and economic security of the United States depends on the reliable functioning of critical infrastructure. The NIST Cybersecurity Framework is a thorough collaboration between industry and government, and consists of standards, guidelines, and practices to promote the protection of critical infrastructure.

The prioritized, flexible, repeatable, and cost-effective approach of the Framework helps owners and operators of critical infrastructure to manage cybersecurity-related risk.

The NIST Cybersecurity Framework consists of several guiding standards:

  • NIST SP 800-53 (Revision 4)
  • NIST SP 800-171
  • The OMB Trusted Internet Connection (TIC) Initiative—FedRAMP Overlay (pilot)
  • The DoD Cloud Computing Security Requirements Guide (SRG)

Now, let’s have a quick look at some of the password guidelines issued by NIST.

Processing and Password Length

As per the NIST latest guidelines, the length of a password is a crucial security aspect, and all user-created passwords must be at least 8 characters in length.

Moreover, the passwords generated by machines must be a minimum of 6 characters in length. Apart from this, the maximum character length must be 64 characters.

Now, the essential aspect for enterprises is that during the verification process, the verifiers shouldn’t truncate passwords while processing. Instead, the passwords should be adequately hashed and must be salted.

This reinforces the security of credentials. Also, the user should be allowed a minimum of 10 attempts to enter their password before locking their profile.

Also Read: Cybersecurity Best Practices for Businesses in 2021

No More Hints

NIST has advised the vendors and verifiers to dismiss the use of password hints that were earlier offered to users for creating more complex passwords.

Since these hints can allow attackers to guess the passwords, these hints shouldn’t be used in any form to ensure the highest level of security for users and service providers.

Moreover, KBA (Knowledge-based Authentication), which was earlier a part of the authentication process that includes questions like- “Where you were born?” were asked to prove identity.

Two-Factor Authentication and Password Managers

The users must be provided with the ability to paste passwords into password fields as users incline towards the use of password managers for a seamless authentication experience.

Earlier, the verifiers didn’t allow the users to paste a password just because of security concerns. But now, service providers need to revoke the same for enhanced user experience.

Apart from this, the use of two-factor authentication must be emphasized as SMS isn’t considered a secure option.

The verifiers need to rely on strong multi-factor authentication methods that provide authentication using secure one-time links or must use Google Authenticator.

Hashing

Password hashing is crucial in today’s era as it’s no longer safe to store passwords in plain text formats, which can be easily exploited.

Password hashing is defined as the method to one-way transform a password that turns the password into another string called hashed password. This means that the password can’t be reversed to its original form once hashed.

NIST recommends the use of password hashing algorithms while storing and retrieving passwords. The identity providers must rely on a secure password management mechanism that ensures hashing of passwords of the users within a network for enhanced security.

LoginRadius The Ultimate Solution Covering a Larger Footprint of the Overall NIST Cybersecurity Framework

The NIST Cybersecurity Framework is worth adopting solely for its stated goal of improving risk-based security. But it also delivers ancillary benefits that include effective collaboration and communication of security posture with executives and industry organizations, as well as potential future improvements in legal exposure and even assistance with regulatory compliance.

The NIST Cybersecurity Framework is NOT just for “government applications.” It represents a state-of-the-art approach to security and compliance.

DS-passwordless-login

Here’s what enterprises get with the LoginRadius consumer identity and access management (CIAM) solution:

  • Compliance: LoginRadius is NIST CSF audited and certified and offers CCPA and GDPR compliances.
  • Multi-Factor Authentication: LoginRadius offers stringent authentication backed by multi-factor authentication (MFA).
  • Risk-based Authentication: LoginRadius CIAM provides adaptive MFA, i.e., risk-based authentication, which adds another stringent layer of authentication whenever something suspicious is detected during a login attempt.
  • Quick Insights: Get valuable insights regarding user behavior to create the best marketing strategy and to provide different offers to users.
  • Single Sign-On (SSO): Enhance user experience with LoginRadius Single Sign-On that helps users to stay authenticated while switching applications or programs.
  • Passwordless Login: LoginRadius’ Passwordless Login helps enterprises build the next level of user authentication experience that improves engagement and enhances conversions.
  • Social Login: LoginRadius CIAM helps your users to leverage their social media to quickly authenticate within a couple of seconds for a seamless login experience.

Final Thoughts

Enterprises embarking on a journey to enhance business growth while matching the pace with the best cybersecurity hygiene should consider NIST password guidelines while making password policies for users.

When it comes to creating a flawless login experience backed by security, LoginRadius leaves no stone unturned in delivering the finest experience.

LoginRadius is self-attested to the NIST Cybersecurity Framework as part of its internal infosec program and aligns with the NIST SP 800-53 component, leveraging the CSA CCM, which covers a broader footprint of the overall NIST cybersecurity framework.

Need help with NIST? Reach us for quick guidance today.

book-a-free-demo-loginradius

Deependra Singh

Deependra Singh

Deependra Singh - over 10+ years experience as a digital marketer and currently working and specializes in Search Engine Optimization for LoginRadius. Additionally, he has experience in digital marketing strategy, SEO techniques, strategic planning, lead generation program, execution, and promotions.

View Profile


Consumer Digital Identity Trend Report 2020

Optimize Your Conversion Funnel With Core Customer Behavior Analysis

Download Now