NIST Password Guidelines

The National Institute of Standards and Technology (NIST) defines security parameters for Government Institutions. NIST assists organizations for consistent administrative necessities. In recent years, NIST has revised the password guidelines. Account Takeover (ATO) attacks have become a rewarding business for cybercriminals. One of the members of the top management of NIST expressed his views about traditional guidelines, in an interview “producing passwords that are easy to guess for bad guys are hard to guess for legitimate users.” ( This implies that the art of picking the most secure passwords involves a number of human and psychological factors. NIST has developed the Cybersecurity Framework (CSF) to manage and overcome security risks more effectively.

NIST Cybersecurity Framework

Also known as “Critical Infrastructure Cybersecurity,” the cybersecurity framework of NIST presents a broad arrangement of rules specifying how organizations can keep cybercriminals under control. The CSF of NIST comprises of three main components:

  • Core: Leads organizations to manage and reduce their cybersecurity risk.
  • Implementation Tier: Helps organizations by providing information regarding the organization’s perspective on risk management of cybersecurity.
  • Profile: Organization’s unique structure of its requirements, objectives, and resources.


The following include suggestions and recommendations provided by NIST in their recent revision of password guidelines.

  • Characters Length: Organizations can choose a password of a minimum character length of 8, but it is recommended highly by NIST to set a password of up to a maximum of 64-characters.
  • Preventing Unauthorized Access: In the case that an unauthorized person has tried to log in to your account, it is recommended to revise the password in case of an attempt to steal the password.
  • Compromised: When small organizations or simple users encounter a stolen password, they usually change the password and forget what happened. NIST suggests to list down all those passwords which are stolen for present and future use.
  • Hints: Ignore hints and security questions while choosing passwords.
  • Authentication Attempts: NIST strongly recommends restricting the number of authentication attempts in case of failure. The number of attempts is limited, and it would be impossible for hackers to try multiple combinations of passwords for login.
  • Copy and Paste: NIST recommends to use paste facilities in the password field for the ease of managers. Contrary to that, in previous guidelines, this paste facility was not recommended. Password managers use this paste facility when it comes to using a single master password to ingress available passwords.
  • Composition Rules: Composition of characters might result in dissatisfaction by the end-user, so it is recommended to skip this composition. NIST concluded that the user usually shows a lack of interest in setting up a password with composition of characters, which resultantly weakens their password. For example, if the user sets their password as ‘timeline,’ the system does not accept it and asks the user to use a combination of uppercase and lowercase characters. After that, the user must change the password by following the rules of the compositing set in the system. Therefore, NIST suggests to rule out this requirement of composition, as organizations may face an unfavorable effect on security.
  • Use of Characters: Usually, passwords containing spaces are rejected because space is counted, and the user forgets the space character(s), making the password difficult to memorize. NIST recommends using whatever combination the user wants, which can be more easily memorized and recalled whenever required.
  • Password Change: Frequent changes in passwords are mostly recommended in organizational security protocols or for any kind of password. Most users choose an easy and memoizable password to be changed in the near future to follow the security guidelines of organizations. NIST recommends to not change the password frequently and to choose a password that is complex enough so that it can be run for a long time to satisfy the user and the security requirements.

What if the Password is Compromised?

Hackers’ favorite job is to breach security barriers. For that purpose, they work to discover innovative possibilities to pass through. Security Breaches have countless combinations of usernames and passwords to break any security barrier. Most organizations also have a list of passwords accessible to hackers, so they block any password selection from the pool of password lists, which is also accessible to hackers. Keeping in view the same concern, if any organization is unable to access the password list, NIST has provided some guidelines that a password list can contain:

  • A list of those passwords that have been breached previously.
  • Simple words selected from the dictionary (e.g., ‘contain,’ ‘accepted,’ etc.)
  • Password characters that contain repetition, series, or a simple series (e.g. ‘cccc,’ ‘abcdef,’ or ‘a1b2c3’).

Why Follow the NIST Guidelines?

The guidelines provided by NIST keep in view the main security threats related to password hacks for many different kinds of organizations. The good thing is that, if they observe any violation of the security barrier caused by hackers, NIST can revise their guidelines for passwords, as they have been doing since 2017. On the other hand, other security standards (e.g., HITRUST, HIPAA, PCI) do not update or revise the basic initial guidelines that they have provided.

About the author

Younis Said

I am a freelancing software project developer, a software engineering graduate and a content writer. I love working with Linux and open-source software.