Strong Password Best Practices

Robust online security is a top concern for individual and corporate users alike, and the importance of reliable passwords cannot be overestimated: according to Digital Shadows, 65% more passwords were compromised in 2022 than in 2020, leaving individuals and companies exposed to data breaches, identity theft, and other cyber threats. The good news is that password habits are gradually improving: according to LastPass, after receiving some form of cybersecurity education, 31% of people stopped reusing the same password across multiple accounts. We won't repeat the password-hygiene advice you have heard many times; instead we focus on the NIST (National Institute of Standards and Technology) password guidelines, which are designed to make password-based logins measurably harder to attack.  

The Alarming Reality of Compromised Passwords   

The reasons why most people still fail to create reliable passwords range from choosing familiar, easy-to-remember information to believing that they are not high-profile targets. The reality is that no one is immune: credential-stuffing and password-spraying attacks are automated and hit every account they can reach. This is where the NIST password guidelines come in. Written primarily for the operators of login systems (the "verifiers"), they are a comprehensive set of recommendations for ensuring that the passwords an organization accepts, stores and checks are strong enough to withstand these attacks.  


NIST Password Guidelines for 2022  


The most recent NIST password guidelines are found in NIST Special Publication 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management, which calls passwords "memorized secrets". The guidelines focus on the real-world quality of passwords rather than on superficial complexity, and cover how they should be generated, used, stored, verified, and replaced.   

Here are six essential practices to follow if you want to implement the NIST password guidelines effectively:  

• Check Passwords for Length, Not Complexity Rules. 

Passwords generated automatically for a user (chosen at random by the service) must be at least six characters long, and user-created passwords must be at least eight characters long. The service should accept passwords of at least 64 characters and should allow every printing ASCII character, including the space character, as well as Unicode characters, so that long passphrases are usable. Contrary to long-standing practice, NIST recommends against composition rules (mandatory mixes of upper case, digits and symbols, or bans on repeated characters), because such rules push users toward predictable substitutions like "P@ssw0rd1". Strings built from repeated or sequential characters ("aaaaaa", "1234abcd") are instead caught by the blocklist screening described next.  

• Screen Passwords Against Commonly Used and Breached Passwords. 

Passwords known to be commonly used, expected, or compromised should be rejected. NIST specifies that the verifier compare every new password against a list containing passwords from previous breach corpuses, dictionary words, repetitive or sequential characters, and context-specific words such as the name of the service or the user's own username. Even a long, complex-looking password exposes the user if it already appears in a breach dump, and password reuse across sites significantly increases the risk of unauthorized access. When a choice is rejected, the user should receive a clear message explaining why it was refused, and should be prompted to choose a different password.  

• Mandatory Two-Factor Authentication (2FA). 

Enforcing Two-Factor Authentication (2FA) is a critical measure to enhance password security; in NIST terms, multi-factor authentication is required at Authenticator Assurance Level 2 and above. 2FA adds an extra layer of defense by requiring users to present a second factor in addition to the password, such as a one-time code from an authenticator app, a hardware security key, or a biometric. Note that SP 800-63B classifies codes delivered by SMS or voice call as "restricted" authenticators, because phone numbers can be hijacked; they are better than nothing, but an authenticator app or hardware key should be the preferred second factor. Either way, 2FA raises the bar for attackers even when they have already obtained the password. 


• Remove Hints or Knowledge-Based Authentication. 

Password hints and knowledge-based authentication questions, such as “What town were you born in?” should not be allowed. Instead, encourage users to confirm their identity and reset their password through more secure means, such as Two-Factor Authentication.  

• Use a Password Manager. 

While NIST does not explicitly recommend password managers, it does say that verifiers should permit "paste" functionality when a password is entered, precisely so that password managers can be used. Password managers enhance security by generating and storing long, unique passwords for every account, which removes the temptation to reuse them. NIST also recommends offering an option to display the password as it is typed, so that users do not have to blindly re-enter long, complex passwords.  

• Rethink the Password-Changing Schedule. 

Contrary to common practice, NIST does not recommend arbitrary periodic password changes at all: verifiers should not require users to change passwords on a schedule, and should instead force a change when there is evidence that the password has been compromised. Forced rotation leads users to make minor modifications to the same weak password over time ("Summer2023!" becomes "Summer2024!"), which attackers can easily predict, so it undermines rather than improves security. If a data breach occurs, or you suspect your password has been compromised, change it immediately. 
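The length and blocklist rules from the first two practices above, as an added example that is not part of the original article: it normalizes the password, enforces the 8-to-64 character window, screens against a small constructed breach list and against repeated, sequential and context-specific strings, and returns a user-facing reason for each rejection. It also shows the k-anonymity style of breach lookup in which only the first five hex characters of the SHA-1 hash leave the server; the range reply here is a constructed, offline stand-in (the SHA-1 of "password" is real, the second suffix and both counts are made up), and `fake_range_fetch` is a hypothetical replacement for the HTTP call a real deployment would make.

```python
import hashlib
import unicodedata

# Length bounds for user-chosen memorized secrets (SP 800-63B 5.1.1.2). Each Unicode
# code point counts as one character, which is what len() on a Python str gives.
MIN_LEN = 8
MAX_LEN = 64

# Constructed stand-in for a breach-corpus blocklist; a real deployment loads millions
# of entries (for example a Pwned Passwords download) and compares them the same way.
BREACHED = {"password", "123456", "qwerty", "letmein", "iloveyou", "admin123", "welcome1"}

# Constructed stand-in for the reply of a k-anonymity range endpoint: the client sends
# only the first 5 hex characters of SHA-1(password) and gets back every known hash
# suffix with that prefix as "<35-hex-suffix>:<count>" lines.
# 5BAA6 + 1E4C9B93F3F0682250B6CF8331B7EE68FD8 is SHA-1("password"); the second
# suffix and both counts are invented for this example.
RANGE_REPLIES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
             "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2",
}


def normalize(password):
    """Apply NFKC normalization before comparing or hashing (SP 800-63B 5.1.1.2)."""
    return unicodedata.normalize("NFKC", password)


def sha1_hex(password):
    return hashlib.sha1(normalize(password).encode("utf-8")).hexdigest().upper()


def fake_range_fetch(prefix):
    """Hypothetical offline fetcher; real code would GET <range endpoint>/<prefix>."""
    return RANGE_REPLIES.get(prefix, "")


def pwned_count(password, fetch=fake_range_fetch):
    """Number of times the password appears in the corpus behind the range endpoint."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        if ":" not in line:
            continue
        seen_suffix, count = line.strip().split(":")
        if seen_suffix == suffix:
            return int(count)
    return 0


def is_repetitive_or_sequential(password, run=4):
    """True for case-insensitive runs such as 'aaaa', '1234' or 'dcba' of length >= run."""
    s = password.lower()
    for i in range(len(s) - run + 1):
        chunk = [ord(c) for c in s[i:i + run]]
        steps = {b - a for a, b in zip(chunk, chunk[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def check_password(password, username="", service="", fetch=fake_range_fetch):
    """Return (accepted, reason); reason is the message shown to the user on rejection."""
    pw = normalize(password)
    if len(pw) < MIN_LEN:
        return False, f"Use at least {MIN_LEN} characters; a passphrase with spaces is fine."
    if len(pw) > MAX_LEN:
        return False, f"Use at most {MAX_LEN} characters."
    if any(unicodedata.category(c) == "Cc" for c in pw):
        return False, "Control characters are not allowed."
    low = pw.lower()
    if low in BREACHED or pwned_count(pw, fetch) > 0:
        return False, "This password appears in lists of breached passwords; choose one that has never leaked."
    if is_repetitive_or_sequential(pw):
        return False, "Avoid repeated or sequential runs such as 'aaaa' or '1234'."
    for word in (username, service):
        if len(word) >= 3 and word.lower() in low:
            return False, "Do not build the password from your username or the name of this service."
    return True, ""


if __name__ == "__main__":
    for candidate in ("password", "Sh0rt", "aaaa1234", "correct horse battery staple"):
        print(repr(candidate), check_password(candidate, username="alice", service="klik"))
```

Because the verifier sends only a hash prefix, the range endpoint learns nothing about which password was checked; the match is made locally on the suffix. Checking the blocklist before the repetition rule matters for the error message: a user who typed "123456" should hear that it is a known breached password, not merely that it is sequential.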

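The authenticator-app second factor mentioned under Two-Factor Authentication above, as an added example that is not from the original article: a standard-library implementation of HOTP (RFC 4226) and TOTP (RFC 6238), plus the server-side verifier a login service needs, which tolerates one step of clock skew, compares in constant time, and refuses to accept a code for a time step it has already accepted (replay protection). The 20-byte ASCII seed used in the usage section is the RFC test-vector key; `TotpVerifier` and `provisioning_uri` are names chosen for this example.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote


def hotp(secret, counter, digits=6, algo="sha1"):
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6, algo="sha1"):
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // step, digits, algo)


class TotpVerifier:
    """Server side of TOTP: accepts a code for the current step or one step either way,
    and never accepts the same (or an older) step twice, so an intercepted code is useless."""

    def __init__(self, secret, step=30, digits=6, skew=1):
        self.secret, self.step, self.digits, self.skew = secret, step, digits, skew
        self.last_accepted = -1                   # highest counter already consumed

    def verify(self, submitted, at=None):
        if at is None:
            at = time.time()
        counter = int(at) // self.step
        for c in range(counter - self.skew, counter + self.skew + 1):
            if c <= self.last_accepted:
                continue                          # replay or stale step
            expected = hotp(self.secret, c, self.digits)
            if hmac.compare_digest(expected, str(submitted)):
                self.last_accepted = c
                return True
        return False


def provisioning_uri(secret, account, issuer, digits=6, step=30):
    """otpauth:// URI that authenticator apps read from a QR code; the secret is base32."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={digits}&period={step}")


if __name__ == "__main__":
    seed = b"12345678901234567890"                # RFC 4226 / RFC 6238 test-vector key
    print(provisioning_uri(seed, "alice@example.com", "Example Corp"))
    now = int(time.time())
    code = totp(seed, now)
    server = TotpVerifier(seed)
    print("first use:", server.verify(code, now))   # True
    print("replay:   ", server.verify(code, now))   # False
```

Keep the shared secret as random bytes generated server-side (for example `secrets.token_bytes(20)`), store it encrypted, and persist `last_accepted` per user; without that counter a code sniffed from the user's screen or a phishing page remains valid for the rest of its time step.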

We cannot emphasize enough how important strong passwords are in our digitally connected world. Passwords remain the first line of defense against cyber threats, and implementing the NIST guidelines can significantly enhance your online security. The next time you create or update a password, prioritize length, uniqueness, and a second factor. Your digital well-being depends on it. Let Klik Solutions help manage your password security. Reach out to us today for more information.  
