Skip to main content

The National Institute of Standards and Technology (NIST) Digital Identity Guidelines (NIST) recommend rejecting passwords used for online guessing attacks and also eliminating periodic password expiration- unless the password is compromised. While these requirements make sense, given current cybersecurity threats, they don’t precisely fit historic password policies. NIST has recommended new password policy guidelines for Active Directory that can help.

But what does this shift entail, and why is it imperative for organizations to adapt? This comprehensive article will cover NIST’s latest password requirements, exploring how these can be seamlessly integrated into your Active Directory framework to forge a more resilient and effective password policy.

We’ll explore the essential elements of these modern guidelines and illustrate how Enzoic for Active Directory enables effortless alignment with NIST standards through a streamlined, one-click configuration.

Why Did Password Policies Need Such A Dramatic Overhaul?

Password policies needed to change to match the modern threat landscape. Traditionally, we insisted on combining various character types, believing this approach fostered “strong passwords”. Yet, an examination of real-world passwords from data breaches revealed a predictable pattern: individuals often modify familiar words with symbols and numbers, or alter letters, merely to comply with stringent password guidelines. This practice hardly promoted randomness.

Further research into password expiration mandates revealed a similar trend. While frequent password changes were mandated, they inadvertently led users to opt for minor, predictable updates instead of devising truly unique passwords. Cybercriminals quickly caught on to these common modification strategies, exploiting the prevalence of weak passwords.

Ultimately, these conventional password strategies, though well-intentioned, inadvertently simplified the task for hackers while complicating password creation and recall for legitimate users.

What Is So Different About Creating A Password Policy Now?

​​We acknowledged that cybercriminals are leveraging historical data breaches and common password variations to their advantage. The countermeasure lies in recognizing these patterns and employing similar strategies for defense. This modern methodology depends on continuously updating lists of known breached passwords and utilizing insights gleaned from password-cracking dictionaries. However, this approach doesn’t align well with previous password policies and traditional password policy tools.

Formerly, a straightforward software algorithm could determine the strength of a password based on its mix of various character types, and such a password would consistently be deemed strong. Yet, contemporary password policies need the capability to swiftly cross-reference extensive databases of compromised passwords. Even more crucial is their ability to adapt to the evolving threat landscape, where a password considered secure today might become vulnerable following a new data breach.

These adjustments represent considerable shifts for system administrators and the tools they use to formulate password policies.

NIST Guidelines Illustrate A Modern Password Policy

While not every organization must comply with NIST Password Guidelines, they are are seen as the foundation for many security frameworks. So, what does a modern password policy look like?

The guidelines are given in NIST SP 800-63B.

NIST is explicit that password policies SHOULD NOT require composition rules (i.e., mixtures of characters), and they SHALL compare to a list that includes passwords from previous breaches.

The NIST Special Publication 800-63B FAQ elaborates by saying it is essential to discourage the use of very common passwords, particularly those that are most likely to be tried in an online password-guessing cyberattack.

The corresponding NIST password policy must:

  1. Reject passwords that are less than 8 characters
    This is a straight-forward NIST requirement. It can be easily satisfied with the existing Active Directory password length policy.
  2. Reject chosen passwords if found to be previously compromised
    Data breaches occur every day. Obtaining compromised or exposed passwords is a continuous effort. The model is relatively similar to antivirus threat intelligence and best left to specialists.
  3. Reject common and likely passwords
    Common passwords and likely passwords are found in cracking dictionaries. These wordlists with common transformations are built by hackers and evolve over time. Incorporating them turns the attackers’ weapon into a defensive tool.
  4. Reject context-specific words in passwords
    Common password choices also vary by context and location. Consider the name of your business, application, etc. The password blacklist must be enhanced with a custom dictionary to block context-specific passwords.
  5. Consider common variants using fuzzy matching
    Attackers conduct basic transformations made during password creation. By normalizing the password (i.e. making it case insensitive, removing leetspeak substitutions, etc.) again, turn attack tactics into defensive measures.
  6. Detect and immediately remediate newly vulnerable passwords
    Although more challenging to implement, this is perhaps the most critical requirement. In the current environment, the password that is initially screened and determined to be safe may become vulnerable. Mechanisms are needed to revisit passwords after initial screening, ideally daily, to detect compromise and automate remediation – including resetting a secure password.
  7. No Strict Special Character Requirements
  8. Shifting the focus from complexity to effectiveness
    NIST’s updated guidelines recommend against mandating the use of special characters in passwords. This approach stems from the realization that password complexity requirements often lead to predictable patterns, making passwords easier for attackers to guess. Users tend to create passwords that comply with complexity rules but are still vulnerable due to common substitutions and patterns (like using ‘@’ for ‘a’, ‘!’ for ‘I’, or adding ‘123’ at the end). Instead of enforcing rules that demand specific characters, the emphasis is now on creating longer, more unique passwords. This flexibility encourages users to devise passwords that are not only hard for attackers to crack but also easier for them to remember. By eliminating strict special character requirements, NIST aims to reduce the common pitfalls of password creation, leading to stronger overall security.

These requirements reflect the current password policy best practices for hardening the password layer. NIST makes it clear that a proper authentication strategy involves more than one layer and that the requirements above should be met whenever the password layer is included.

Using Enzoic for Active Directory for NIST Password Policy

Many old-school password security tools provide limited implementation options for the NIST password requirements. They often bolt -on static blacklists that are infrequently updated. They have limited options beyond complex algorithm rules and typically have somewhat complicated configuration steps that are not relevant to modern password policies.

By contrast, Enzoic for Active Directory provides a clean user interface. For organizations looking to satisfy the NIST requirements above, a single checkbox can apply all of the password policy options above. Once enabled, a dashboard component can highlight if settings are changed so that organizations are able to easily check if they are complying with NIST. Learn more about One-Click NIST Password Standard Compliance.

Enzoic for Active Directory was specifically designed for modern password policy requirements. It works together with Enzoic’s proprietary threat research services. The blacklist database that powers Enzoic for Active Directory is updated continuously with the latest breach data, and passwords are rescanned daily. When users’ passwords are found to be vulnerable, the remediation steps are fully automated.

The Benefits of Creating a NIST Password Policy

Numerous security measures often impose extra responsibilities on an organization. Yet, implementing a NIST password policy yields a contrasting effect. It enhances the user experience through the removal of intricate password requirements and the minimization of regular password changes. This approach also cuts down on administrative expenses by decreasing the volume of password reset requests and integrating automated solutions for password issues. Additionally, it bolsters security by adhering to contemporary industry guidelines for password management.