The new NIST password guidelines, substantially revised password security recommendations and altering many of the standards and best practices which security professionals use when forming password policies for their companies.
For quick background, The National Institute of Standards and Technology (NIST) is a non-regulatory federal agency within the U.S. Department of Commerce. Its mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.
NIST develops Federal Information Processing Standards (FIPS) which the Secretary of Commerce approves and with which federal agencies must comply. NIST also provides guidance documents and recommendations through its Special Publications (SP) 800-series.
NIST password guidelines often become the foundation for best practice recommendations across the security industry and are incorporated into other standards.
NIST 800-63-3: Digital Identity Guidelines has made some long overdue changes when it comes to recommendations for user password management.
The new NIST password standards recommend, among other things:
All three of these recommendations are things we have been advising for some time now and the NIST password screening recommendation is made simpler with Enzoic for Active Directory or our RESTful API service.
While it wasn’t explicitly mentioned in the NIST password standards, we contend that another important security practice is checking your user credentials against a list of known compromised credentials, something we can also help with.