What Are NIST Password Standards?

The federal government requires its own agencies to follow specific cybersecurity standards. The division of the federal government that created these standards is called The National Institute for Standards and Technology, or NIST. NIST details its standards in online publications, and encourages private entities to voluntarily adopt these security standards. NIST has developed guidelines for password selection and use. NIST SP 800-63B sets forth these standards. The NIST password standards are discussed below.

What are the NIST Password Standards: The Advantages of NIST

The NIST password standards are organized around a governing principle: an organization should implement unique passwords for each employee. Private businesses are not legally required to follow the guidelines on how to implement a unique password. However, use of the NIST password standards has become popular among large healthcare organizations. In addition, a password that is NIST-compliant, is generally compliant with the HIPAA Security Rule.

What are the NIST Password Standards: Rules for Unique Passwords

The latest National Institute of Standards and Technology (NIST) guidelines (set forth in NIST SP 800-63B) contain the following password requirements:

Is your organization secure? Download the free cybersecurity eBook to get tips on how to protect your patient information.

• Passwords must be a minimum of eight (8) characters in length, and a maximum length of at least 64 characters.
• Passwords may contain special characters (i.e., “!”, “@”), but use of special characters is not required. Indeed, some Internet services reject passwords with special characters. 
• Passwords may contain spaces, but use of passwords with spaces is not required. Again, some services reject or prohibit passwords with spaces. 
• Passwords should not contain the following:
  • Sequential and repetitive characters (i.e., 12345 or aaaaa).
  • Context-specific information (i.e., the name or address of the worksite).
  • Commonly used words (i.e., p@ssw0rd).
  • Dictionary words (i.e., doctor).

• Passwords obtained from previous security breaches should not be used.

What are the NIST Password Standards: Additional Guidelines

The NIST password standards contain additional rules:

• There is no password complexity requirement. Many organizations require users to create a password that contains special characters, numbers, uppercase letters, and lowercase letters. The NIST password standards do not require this. In fact, NIST recommends against using unnecessarily complicated or obtuse passwords, which can become weaker in the long run.
• Passwords should be vetted against a list of common and weak options: NIST guidance indicates that passwords should be vetted against a list of common passwords (such as “password,” “123456789,” “ChangeMe,” and so on). An IT or security firm can perform the vetting. 
• There is no password expiration period. Many organizations require users to update passwords periodically (i.e., every 3 months, or every six months), even if there is no indication a password is ineffective or has been compromised. Under NIST, passwords should not be periodically updated “for the sake of it.” 

• Users should not be given “hints” as to what their password is.

There are a number of password best practices organizations should follow. These best practices are not derived from NIST; they reflect commonsense principles. Users should: 

• Never reveal a password over the phone to anyone.
• Never reveal a password in an email message.
• Never reveal a password to a co-worker or supervisor.
• Never talk about a password in the presence of co-workers.
• Never hint at the format of a password.
• Never share a password with family members.
• Users should not write down your password. Users should memorize it instead.
• Users should not keep a list of user IDs and passwords in your office or workspace; and
• Users should never misrepresent themselves by using another person’s user ID or password.