Continuously ensure compliance with NIST

NIST 800-63B Digital Identity Guidelines for Authentication recommends checking new passwords against passwords used in cybercriminal dictionary attacks.

Get a Free Password Audit

Stop forced password reset

Multiple studies have shown requiring frequent password changes is actually counterproductive to good password security.

Drop the algorithmic complexity song and dance

No more arbitrary password complexity requirements needing mixtures of upper case letters, symbols and numbers. Like frequent password changes, it’s been shown repeatedly that these types of restrictions often result in worse passwords.

Require screening of new passwords against lists of commonly used or compromised passwords

One of the best ways to ratchet up the strength of your users’ passwords is to screen them against lists of dictionary passwords and known compromised passwords.

OVERVIEW

The Approach NIST Recommends

The National Institute of Standards and Technology (NIST) password recommendations encourage organizations to monitor new passwords daily to prevent the use of commonly compromised credentials..

People follow very common patterns in password selection, even with a written password policy in place. Cybercriminals use lists of common passwords and patterns found in previous breaches to narrow the universe of passwords attempted in their attacks. Guessing passwords becomes easier when the actual set of passwords is predictable.

HOW IT WORKS

Satisfying NIST Password Compliance

Enzoic continuously collects compromised passwords and aggregates cracking dictionaries to create a comprehensive blacklist of unsafe passwords. Our list contains billions of entries. It includes every word from every Wikipedia article in all languages and every clear text password from over 3,000 data breaches.

While this blacklist continues to evolve, the rate at which new unique entries are being added has dramatically slowed, giving us confidence that we’ve captured a nearly complete universe of the common passwords used by hackers.

Enzoic provides an easy way to satisfy this requirement. Our researchers maintain a list of unsafe passwords, combining numerous cracking dictionaries and previously breached passwords circulated on the Internet and Dark Web. Our Microsoft Active Directory plugin and RESTful API makes it easy to screen for unsafe passwords.

HOW IT HELPS ME

The Benefits of Creating a NIST Password Policy

Many security initiatives add additional burden to the organization. Adopting a NIST password policy actually does the opposite. It improves user experience by eliminating password complexity rules and reducing frequent password resets. It lowers administrative costs with fewer password resets calls and automated remediation. And it improves security by following modern industry recommendations for passwords.

Frequently Asked Questions

Why should I care about NIST password guidelines?

The National Institute of Standards and Technology is an agency of the United States Department of Commerce whose mission is to promote American innovation and industrial competitiveness. NIST develops cybersecurity standards, guidelines, and best practices to serve US-based industry and US federal agencies.

NIST’s Digital Identity Guidelines (Special Publication 800-63B) offer dependable recommendations for managing identity and access, including the establishment of effective password guidelines and password policies. These guidelines are widely adopted across industries and organizations as a security standard. It also helps organizations with cyber insurance requirements

What are some key recommendations from the NIST password guidelines?

The NIST guidelines advocate for reducing password complexity requirements to improve usability without compromising security. Although imposing complex password requirements enhances their resilience against cracking attempts by attackers, it also renders passwords more challenging for users to recall. This often leads to user behaviors such as cyclically reusing the same or similar passwords, which in turn heightens security vulnerabilities.
Hence, NIST now advises for less stringent complexity requirements.
NIST also emphasize the importance of regularly checking passwords against breach databases and common dictionary words to prevent the use of compromised credentials. This measure prevents users from selecting and employing compromised passwords, thereby enhancing the security of organizations and reducing the risk of a data breach originating from compromised passwords.

Are there any specific recommendations for checking passwords against breach databases?

Yes, the NIST guidelines recommend comparing passwords against known breach databases and common dictionary words to identify and reject compromised credentials. This proactive approach helps organizations prevent unauthorized access and mitigate security risks.

Resource Hub

Automate Password Policy Enforcement & NIST Password Guidelines...

Download this eBook to learn how to enable quick-to-deploy automated password policy enforcement and daily exposed password screening.

Download Now

Resource Hub

Using NIST Guidelines for Secure Passwords

Achieve password security in line with NIST by enabling real-time password policy enforcement and daily password auditing.

Download Now

Blog

Surprising Password Guidelines from NIST

The US National Institute of Standards and Technology (NIST) just finalized new draft guidelines, completely reversing previous password security recommendations and upending many of the standards and best practices security professionals use when forming policies for their companies.

Looking To Satisfy the NIST Password Requirements?

Start for free. Enzoic provides a clean user interface to screen for compromised passwords.

Experience Enzoic

Enzoic Offers the Motion Picture Association a Premier Approach...

S&P Global: Secure Passwords Require a Stronger Password...

Keeping Active Directory Out of Hackers’ Cross-Hairs

The State of Authentication Security