The shift to passwordless environments is catching on, but for most, passwords still serve as the keys to their digital world. The National Institute of Standards and Technology (NIST) defines a set of best practices for managing your digital identity in Special Publication 800-63. We’ve culled the advisory down to a list of 10 guidelines for securing your personal information and creating better passwords:
- Password Length: Encourage users to create longer passwords. NIST recommends a minimum of 8 characters, but longer passwords are preferred. The use of passphrases is encouraged.
- No Password Complexity Rules: Avoid imposing strict complexity rules such as requiring a mix of uppercase, lowercase, numbers, and special characters. Instead, allow any character or symbol to be used, including spaces.
- Avoid Password Rotation: Eliminate mandatory password changes at fixed intervals. Users have been found to create weaker passwords when forced to change them regularly.
- Check Against Known Breached Passwords: Implement a system to check newly created passwords against known breached password lists and prevent users from using compromised passwords.
- Blacklist Commonly Used Passwords: Prevent the use of commonly used or easily guessable passwords (e.g., “password,” “123456,” etc.).
- Encourage the Use of Password Managers: Password managers can help users create and store strong, unique passwords for each service or website.
- Implement Rate Limiting and Account Lockouts: Protect against brute-force attacks by implementing rate limiting and temporary lockouts after multiple failed login attempts.
- Multi-Factor Authentication (MFA): Strongly consider implementing MFA to add an additional layer of security to user accounts.
- Education and User Awareness: Educate users about the importance of strong passwords and the risks of password reuse.
- Account Recovery: Implement secure and reliable account recovery methods for situations where users forget their passwords.
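As an added example (not code from the original article or from NIST), the following Python validator applies the first five guidelines above when a user chooses a password: a minimum length, no composition rules (spaces and any Unicode character are accepted), a common-password blocklist, and a check against known breached passwords. The blocklist and breach set are small constructed samples; a real deployment would load a full corpus or query a k-anonymity breach API.

```python
import hashlib
import unicodedata

# Constructed sample data standing in for a real common-password list and a
# breach corpus (assumption: production code loads these from files or an API).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}
# Breached passwords are held as SHA-1 hex digests, the form breach corpora
# commonly use, so the server never stores them in plaintext.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("Summer2023!", "correct horse battery staple")
}

MIN_LENGTH = 8     # NIST SP 800-63B minimum for user-chosen memorized secrets
MAX_LENGTH = 128   # bounds hashing cost; NIST asks verifiers to accept at least 64


def normalize(password: str) -> str:
    """NFKC-normalize so visually identical Unicode spellings compare equal,
    as NIST SP 800-63B recommends before a memorized secret is hashed."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means accepted.
    There are deliberately no composition rules: any character, including
    spaces, is allowed, so passphrases work without special handling."""
    problems = []
    pw = normalize(password)
    # Length is counted in code points, so one multi-byte character counts as one.
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    # Blocklist match is case-insensitive: "Password" is no better than "password".
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("commonly used password")
    digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
    if digest in BREACHED_SHA1:
        problems.append("found in a known breach")
    return problems


if __name__ == "__main__":
    for candidate in ("123456", "correct horse battery staple", "tr0ub4dor&3 is fine here"):
        verdict = check_password(candidate) or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

Note that the passphrase with spaces is rejected only because it appears in the constructed breach set, not because of its characters.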
As the threat landscape and technology continue to evolve, best practices will change in parallel. For the most current recommendations, refer directly to the NIST guidelines or other authoritative sources on digital identity and authentication.