What Are the NIST Cybersecurity Framework Password Guidelines?


What Are the NIST Cybersecurity Framework Password Guidelines?

The NIST Cybersecurity Framework (NIST CSF) is a set of guidelines developed by the National Institute of Standards and Technology to help organizations improve their cyber defenses. Whether a company's IT managers are only getting started in establishing a cybersecurity program or already running one, they can use NIST CSF to ensure cybersecurity best practices are implemented across the organization. 

NIST CSF has five core functions, including:

  • Identify: Peer into a cybersecurity environment to determine risks to data, systems, assets, and capabilities.
  • Protect: Establish measures to contain cyberattacks, including data protection technologies, access controls, and training.
  • Detect: Implement appropriate mechanisms for identifying the occurrence of a cybersecurity incident.
  • Respond: Develop and apply techniques to contain the impact of cybersecurity incidents.
  • Recover: Perform activities to restore any capabilities or services that were impaired due to a cybersecurity incident.

What are NIST CSF password guidelines?

One of the key tenets of the NIST cybersecurity framework is establishing a strong password policy. These password guidelines are fully outlined in NIST SP 800-63, but for today, let’s take a look at some of them below!

1. The more characters, the better

As a best practice, NIST CSF password guidelines suggest an eight-character minimum for user-made passwords, and a six-character minimum for machine-generated ones. They also recommend creating passwords that are up to 64 characters long, and support passwords that contain emojis and characters listed within the American Standard Code for Information Interchange.

2. Do away with frequent password resets

The original NIST CSF password guidelines recommended resetting passwords every few months. However, newly released guidelines advise against doing this because forcing users to regularly change their passwords can lead to users choosing weaker passwords that are easier to remember. 

Following the new password guidelines, businesses must only require password resets in the event of a data breach.

3. No more complex passwords

For many years, IT experts advised users to create passwords that contained at least one lowercase letter, one uppercase letter, one number, and one symbol. 

Now, NIST recommends using longer passwords that are easy to remember, such as passphrases. These types of passwords use random dictionary words that can be separated by spaces, combined into one string, or mixed in with numbers. In general, ‘passphrases’ are difficult to crack, so they offer better protection than complex passwords.

4. No more password clues

When users forget their password, they can be provided with a hint, or asked to answer security questions like, “What is your mother’s maiden name?” or “What was the name of your first pet?”. While answering these questions may be convenient for most, it can be risky. Through a quick online search, cybercriminals can often guess the answers and therefore gain access to your accounts. For these reasons, NIST is advising against using password clues as a way to verify user identity.

5. Make it user-friendly

Many login sites don’t support the “Show password while typing” option. However, the NIST CSF password guidelines recommend allowing users to view their passwords as they enter them. Without this option, users may be more inclined to choose weaker passwords that are easier to enter correctly. 

The guidelines also suggest allowing users to paste passwords, allowing people to create and store stronger passwords within password managers.

6. Limit login attempts

Having an unlimited number of login attempts may help users who have forgotten their passwords - however, this can be risky. Unlimited attempts give cybercriminals unlimited opportunities to force their way into systems. To prevent this, NIST recommends limiting the number of login attempts to 10 at a time.

7. Avoid SMS authentication

SMS authentication is the process of verifying a user's identity by sending a code to their mobile phone through a text message. NIST CSF password guidelines discourage SMS authentication, as it’s not secure. For one, cybercriminals can easily intercept SMS messages. They can also use social engineering techniques to convince telecom providers to transfer a victim’s mobile number to a SIM card in their possession.

Instead, the NIST recommends using more secure authentication methods such as biometrics, multi-factor authentication, and app-based one-time passwords.

How can your business get started with NIST CSF compliance?

Complying with NIST CSF is not an easy task. Thankfully, a reliable managed IT services provider like Charles IT can help. We will ensure that you achieve total security through our three-step process:

  1. Gap Assessment – We will identify any holes in your organization’s cybersecurity posture and suggest ways to resolve them.
  2. NIST CSF Services Enlistment – We offer services like backup and disaster recovery, dark web monitoring, endpoint encryption, external vulnerability scanning, and security awareness training, among others. These services are all required in different aspects of NIST Cybersecurity Framework.
  3. Framework Implementation – We’ll ensure your employees and IT infrastructure are compliant with NIST CSF and implement the right solutions that will keep your organization protected from cyberthreats.


Drop us a line today to get started with your NIST CSF compliance journey!

Most tech consulting starts with “Press 1”

We just like to start with “Hello.”