Yes, NIST Password Guidelines and Scoring are a Thing
You likely are aware of and using CIS Controls to inform your tech stack. But what are you doing with passwords? Enter National Institute of Standards and Technology’s (NIST) password standards. Let's examine NIST guidelines and how password scoring can protect an organization's data.
NIST Password Standards
We will save you the agony of reading NIST’s long, dense, and overly technical documentation by summarizing below what you really need to know. For those of you who are a glutton for punishment, feel free to indulge in the password standards.
Remember: length over complexity.
- Passwords should be at least eight characters long, with a preference for longer passwords or passphrases.
- Long passwords provide more security than short, complex ones. It's better to use a series of words that are easy to remember instead of a random assortment of characters.
Eliminate periodic password resets.
- Routine password changes are no longer required unless evidence of a breach exists.
- Constantly changing passwords can weaken security, as users may resort to predictable patterns or easily forget the new passwords.
Do not use common passwords.
- Unique passwords are crucial to prevent unauthorized access.
- Avoid passwords that are frequently used, easily guessed, or have appeared in previous data breaches.
- The best practice is to promote strong passwords.
- User-friendly policies play a significant role in this process.
- Creating memorable passwords and avoiding restrictive rules (e.g., requiring special characters) that can lead to predictable patterns contribute to enhanced security.
- Providing guidance on creating strong, unique passwords without complicating the process helps users feel empowered and secure.
Atakama knows password scoring.
When it comes to cybersecurity, MSPs are challenged by the never-ending requirement of educating their customers to ensure they adhere to evolving standards. The multitude of apps in use and their corresponding passwords can overwhelm even the most sophisticated of users.
Some good news though; adhering to the guidelines we’ve outlined here will not only improve your quality of life, but at the same time improve your customers’ password hygiene and overall cybersecurity posture.
How is a password scored?
As part of the Atakama Managed Browser Security Platform, our password scoring tool uses length and complexity to assess password strength.
These factors combine to generate an A through F score that reflects the password's overall strength, which in turn will help you guide users to create more secure credentials.
Letter grades are based on NIST Digital Identity bits of entropy.
- Grade A: At least 120 bits, considered secure
- Grade B: 108-119 bits, considered secure
- Grade C: 96-107 bits, should be updated
- Grade D: 84-96 bits, should be updated
- Grade F: 83 bits or less, considered insecure
By scoring passwords using NIST guidelines, Atakama provides actionable insights and recommendations for enhancing overall security.
Browser security, password scoring, and activity visibility all in one platform
Adhering to NIST's password guidelines is crucial for maintaining robust security practices in the face of evolving threats. Tools like the Atakama Managed Browser Security Platform can further enhance these efforts, helping organizations and individuals safeguard sensitive information.
Despite their importance, browser security has been underserved, exposing organizations to new threats.
The Atakama Managed Browser Security Platform is a browser extension that transforms the browser into a secure and managed workspace, empowering MSPs to control security, set data policies, gain insights, and optimize user experiences.
Schedule your demo today and find out how to improve visibility, eliminate shadow apps, and give your customers an innovative productivity tool that won’t impact existing workflows or require additional employee training.