NIST password guidelines

NIST password guidelines are recommendations published by the National Institute of Standards and Technology (NIST) to strengthen password practices. Since 2017, the NIST password standards have been revised almost every year, drawing on the experience of password-cracking experts, known weak password practices, observed attacker behavior, and previous password breaches. This makes them the most influential and widely recommended standard for password creation. A NIST-compliant password is hard to crack yet simple to use.

What are the latest NIST password guidelines?

The guidelines cover three areas: new password creation, password authentication, and password storage.
  • Password length is more important than password complexity: Contrary to conventional thinking, longer passwords are harder to crack than complex ones if their hashes are stolen. The NIST-recommended password length is a minimum of eight characters.
  • Periodic password resets: NIST recommends forcing a password reset only when there is reason to suspect the password has been compromised. Users who are prompted to change passwords on a schedule tend to create passwords nearly identical to their old ones.
  • Cross-verify new passwords with lists of commonly used and compromised passwords: All new passwords must be screened to ensure that they are not commonly used passwords, dictionary words, sequential numbers or letters, or compromised passwords.
  • Enable show password while typing: Displaying the password to users while they are typing makes them more likely to type it correctly on the first attempt, thereby eliminating unnecessary account lockouts and password resets.
  • Allow the pasting of passwords: Preventing users from pasting text in the password field can slow down account creation and logging in, thus encouraging users to set weak passwords.
  • Do not use password hints: NIST strongly discourages password hints and security questions as memory aids, because the same hints help an attacker guess the password.
  • Limit the number of failed password attempts before account lockout: By limiting the number of failed password attempts, brute-force attacks can be curbed.
  • Use multi-factor authentication (MFA): Using other factors of authentication besides passwords can thwart phishing attacks by making the account inaccessible even if the password has been compromised.
  • Secure the databases: Access to databases containing users' password hashes should be limited to essential personnel only, so that an intruder who compromises one account cannot reach the credential store.
  • Salt and hash passwords: According to NIST standards, passwords should be salted with at least 32 bits of data and hashed with a one-way key derivation function (like PBKDF2 or Balloon).
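The following is an added example, not code from the page or from ADSelfService Plus, showing how the creation-time screening (minimum length, blocklist, username, sequential and repeated runs) and the storage rule (random salt plus a one-way key derivation function) from the list above fit together in practice. The blocklist is a small constructed stand-in for a real breached-password corpus; the iteration count and the 128-bit salt size are this example's choices, not NIST-mandated values (NIST sets a 32-bit salt as the floor).

```python
import hashlib
import hmac
import os
import re

MIN_LENGTH = 8            # NIST SP 800-63B minimum for memorized secrets
SALT_BYTES = 16           # 128-bit salt; NIST requires at least 32 bits
PBKDF2_ITERATIONS = 600_000  # example work factor; tune to your hardware

# Constructed blocklist standing in for a real compromised-password list.
BLOCKLIST = {"password", "12345678", "qwertyuiop", "letmein123", "welcome1"}


def _has_sequential_run(pw, run=4):
    """True if pw contains `run` consecutive ascending or descending characters (abcd, 4321)."""
    lowered = pw.lower()
    for i in range(len(lowered) - run + 1):
        window = lowered[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def _has_repeated_run(pw, run=4):
    """True if the same character is repeated `run` or more times in a row (aaaa)."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def screen_password(pw, username="", blocklist=BLOCKLIST):
    """Return the list of reasons a new password is rejected; an empty list means it is acceptable."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if pw.lower() in blocklist:
        reasons.append("appears in the compromised/common password list")
    if username and username.lower() in pw.lower():
        reasons.append("contains the username")
    if _has_sequential_run(pw):
        reasons.append("contains a sequential run of characters")
    if _has_repeated_run(pw):
        reasons.append("contains a repeated run of characters")
    return reasons


def hash_password(pw, salt=None):
    """Salt the password and derive a hash with PBKDF2-HMAC-SHA256.

    Returns a storable string "salt$iterations$hash" (all hex/decimal) so the
    verifier can recover the parameters without a separate lookup.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "%s$%d$%s" % (salt.hex(), PBKDF2_ITERATIONS, digest.hex())


def verify_password(pw, stored):
    """Re-derive the hash with the stored salt and compare in constant time."""
    salt_hex, iters, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3", "Password", "abc123", "alice2024!"):
        print(candidate, "->", screen_password(candidate, username="alice") or "accepted")
    record = hash_password("correct horse battery staple")
    print("stored:", record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("verify bad:", verify_password("wrong guess", record))
```

Only the rejection reasons are returned to the caller, so the application can display all of them at once while the underlying comparison against the blocklist and the hash verification stay separate from any user-facing messages.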

How ADSelfService Plus helps comply with NIST guidelines and password security

ADSelfService Plus offers Password Policy Enforcer, Access Policy, and MFA features to help your organization meet NIST password requirements.

Password Policy Enforcer

Password Policy Enforcer allows you to enforce a custom password policy that seamlessly integrates with the built-in AD password policies, providing more granular control than the latter. ADSelfService Plus' password policies can be set to enforce the following requirements:

  • Restrict characters
  • Restrict repetition
  • Restrict pattern
  • Restrict length

These settings include mandating the number of special, numeric, and Unicode characters. You can also set the type of character with which the password must begin.

Restrict characters

Screenshot: Satisfy the NIST password requirements by configuring the inclusion of alpha-numeric characters in passwords.

These settings help restrict the use of consecutive characters from usernames or previous passwords. Consecutive repetition of the same character can also be restricted.

Restrict repetition

Screenshot: Restrict users from re-using their previous passwords during password creation.

The settings under this tab help restrict custom dictionary words, patterns, and palindromes that might be commonly used.

Restrict pattern

Screenshot: Restrict users from using common patterns, dictionary words, and palindromes in their passwords.

These rules let you set both a minimum and maximum number of characters for the password.

Restrict length

Screenshot: Configure the minimum and maximum password length to satisfy the NIST password guidelines.

Access Policy

ADSelfService Plus allows you to define any number of self-service policies in a given domain. These policies can be configured as shown below so that your organization meets NIST guidelines for passwords.

  • Set the maximum number of times users can fail at identity verification, after which they get blocked automatically.
  • Restrict the number of times users can reset their passwords using self-service.
  • Allow or prevent copy and paste in password fields.
  • Enforce AD password history settings during password resets to restrict the repetition of passwords.
  • Enable Password Strength Analyzer to help users with password creation by displaying the strength of the password.
  • Provide CAPTCHA code verification for user logins to provide added security.

MFA

ADSelfService Plus offers MFA support for application access, both cloud-based and on-premises, as well as for endpoints. It helps you reduce your attack surface and protects your business by mandating a higher level of identity assurance.

Reasons why your organization needs ADSelfService Plus' MFA support:

  • Authenticates users by additional factors of authentication apart from their default username and password.
  • Offers around 20 authenticators to choose from, including biometrics, Duo Security, TOTPs, YubiKey, and smart cards.
  • Allows the configuration of workflows to customize authenticators for users of different OUs, domains, or groups.
  • Secures both local and remote login attempts on servers and workstations.
  • Tackles all credential-based cyberattacks, including brute-force, password spray, and dictionary attacks.
  • Helps your organization meet NIST SP 800-63B, GDPR, and HIPAA compliance mandates.

Screenshots of the MFA configuration pages:

  • Secure user access to all endpoints in your network, like VPNs, OWAs, and RDPs, using MFA.
  • Pick the number and type of MFA methods that your users must authenticate with to gain access to resources.
  • Choose from around 20 different authenticators to verify your users' identities.
  • Set up different MFA flows for different groups or departments in your organization.

Augment your business's cyberdefense with ADSelfService Plus, a one-size-fits-all solution that helps your employees adopt best practices for passwords.


Some other benefits of ADSelfService Plus - Self Service Reset Password Management

Highlights

Password self-service

Free Active Directory users from lengthy help desk calls by letting them reset their own passwords and unlock their own accounts. The ADSelfService Plus 'Change Password' console also gives Active Directory users a hassle-free way to change their passwords.

One identity with Single sign-on

Get seamless one-click access to 100+ cloud applications. With enterprise single sign-on, users can access all their cloud applications with their Active Directory credentials. Thanks to ADSelfService Plus! 

Password/Account Expiry Notification

Notify Active Directory users of their impending password or account expiry by emailing them expiry notifications.

Password Synchronizer

Synchronize Windows Active Directory user password/account changes across multiple systems, automatically, including Office 365, G Suite, IBM iSeries and more. 

Password Policy Enforcer

Ensure strong user passwords that resist common attacks: ADSelfService Plus requires Active Directory users to set compliant passwords and displays the password complexity requirements to them as they do so.

Directory Self-Update and Corporate Search

A portal that lets Active Directory users keep their own directory information up to date, plus a quick search facility for looking up peers by search keys such as the contact number of the person being searched for.
