NIST 800-63 Password Guidelines

October is Cybersecurity Awareness Month, and this year’s theme is See Yourself in Cyber, which focuses on the individual’s role in cybersecurity. While cybersecurity can feel complex and inaccessible to the average person, the reality is that everyone has a role to play in security, from executives to the IT team to end users. This month, the JumpCloud blog will focus on helping you empower everyone in your organization to do their part regarding cybersecurity. Tune in throughout the month for more cybersecurity content written specifically for IT professionals and MSPs.

The National Institute of Standards and Technology (NIST) has long been an authority figure for best practices on how to secure identities, passwords, and more. Though there haven’t been too many significant changes since the original NIST guidelines were published in 2017, they do still evolve as time goes on, so it’s important to stay on top of the most current information.

Let’s take a look at what NIST suggests.

What You Need to Know About NIST 800-63 Password Guidelines

A Brief Summary

Below is a brief summary of the current NIST password guidelines. 

Note 1: Passwords are referred to as “memorized secrets” in NIST documentation.

Note 2: The terms “SHALL” and “SHALL NOT” indicate requirements to be followed strictly in order to conform to the publication and from which no deviation is permitted.

General Guidelines

• 8 character minimum when a human sets it.
• 6 character minimum when set by a system/service.

Memorized Secret Verifiers

• Should support at least 64 characters maximum length.
• All ASCII characters (including space) should be supported.
• Unicode characters should be accepted as well.
• Truncation of the password shall not be performed when processed.
• Memorized secrets that are randomly chosen by a credential service provider (CSP) or verifier SHALL be generated using an approved random bit generator.
• Check chosen password against a list that contains values known to be commonly used, expected, or compromised. For example, passwords obtained from previous breach corpuses, dictionary words, or repetitive or sequential characters.
• Should offer guidance to the subscriber, such as a password-strength meter.
• Limit consecutive failed authentication attempts on a single account to no more than 100.
• Should permit claimants to use “paste” functionality when entering a memorized secret. This facilitates the use of password managers, which are widely used and in many cases increase the likelihood that users will choose stronger memorized secrets.
• No composition requirements.
• No password expiration period.
• No password hints.
• No knowledge-based authentication (e.g., who was your best friend in high school?).

These are just some of the NIST password guidelines, but the NIST Digital Identity Guidelines are extensive. Read more details on the NIST website.

Many of these guidelines challenge traditional password security practices. For example, the idea of not requiring password complexity is radically different from what has been conveyed in the past. However, NIST suggests that guidelines like increased complexity and frequent password changes, for example, lead to poor password behavior in the long run. 

Because people can only remember so much, employees often cope with frequently changed, complex passwords by storing them in an insecure manner (e.g., a sticky note on a computer monitor) and/or by meeting the requirements in a very predictable way (e.g., Password1!). 

NIST 800-63 password guidelines work to combat this behavior by essentially proposing the use of one long, simple password that should only be changed when it is compromised.

Who Needs to Comply with NIST 800-63?

While many IT organizations use NIST guidelines to inform their security practices, only federal agencies are required to comply with NIST 800-63. Still, that doesn’t mean you shouldn’t seriously consider NIST’s recommendations and how they could benefit your environment. 

Just remember that these guidelines haven’t made their way into other compliance regulations yet, so make sure to cross-reference NIST’s suggestions with your current compliance requirements.

How to Support NIST Password Guidelines

The best way for IT organizations to support NIST’s guidance, or any compliance regulation for that matter, is with their core identity provider (IdP). The IdP should control access to systems, applications, file storage, and networks regardless of protocol, platform, provider, and location. 

Then, when password guidelines are set in the core IdP, virtually all of the IT resources that authenticate against the identity provider will be compliant. An IdP with a password manager component makes compliance and password management even easier for IT administrators and end users.

The IT Manager’s Guide to Data Compliance Hygiene

How to ace your audit

Get the Guide

Secure Memorized Secrets with JumpCloud

JumpCloud is an Open Directory Platform^TM that’s a core part of tens of thousands of IT organizations’ networks. JumpCloud takes a multi-protocol, vendor-independent approach that enables IT admins to centrally manage all of their systems, apps, file storage, and networks. With multi-factor authentication (MFA) and password complexity functionality to boot, it’s easy for IT admins to support NIST 800-63 guidelines and other compliance regulations from a single pane of glass.

IT admins have complete freedom to determine the character length, complexity, and expiration of passwords in their environment, enabling them to follow NIST’s password guidance to the fullest. With JumpCloud, those that need to meet more stringent password requirements for regulations like HIPAA, PCI, or GDPR, are also set up for success. Once password requirements are determined, they automatically propagate to all of the IT resources that are tied to the JumpCloud.

On top of specifying password criteria for users, use JumpCloud’s MFA capability to further secure identities and access. 

Whether you are simply looking for an easy way to follow NIST’s guidelines or you have other industry regulations to adhere to, a comprehensive IdP like JumpCloud can provide you with the necessary centralization, control, and security you need to meet your security and compliance goals.

Find Out More About JumpCloud

For more information on how JumpCloud supports NIST 800-63 password guidelines, get in touch with us. One of our product experts will gladly walk you through how our Open Directory Platform can support your compliance requirements. Otherwise, try out the platform for free, for up to 10 users and devices, to see all of the features and functionality it provides.