Paubox blog: HIPAA compliant email made easy

Password guidelines by NIST

Written by Farah Amod | June 20, 2024

The National Institute of Standards and Technology (NIST) updated its password guidelines to safeguard confidential data. The guidelines recommend increasing password length, using special characters, enabling text pasting, eliminating password hints, and reducing complexity requirements.

 

Increase password length

Length is a critical factor in creating strong passwords. Longer passwords are statistically less likely to be cracked. To align with current research, NIST requires a minimum password length of eight characters for user-generated passwords and six characters for machine-generated passwords. 

However, it is advisable to set the maximum password length at 64 characters for more sensitive accounts. By increasing the length of your passwords, you can significantly improve your security posture and protect against unauthorized access.

 

Allow special characters and spaces

Another effective way to bolster password security is by permitting special password characters. NIST's updated guidelines now recommend systems to allow passwords that contain special characters, including emojis and spaces. By enabling special characters, you can enhance the complexity of passwords, making them more difficult for cybercriminals to crack. 

However, it is important to note that the new guidelines prohibit using sequential or repeating characters and dictionary words, as these can be easily guessed or exploited.

 

Enable Text Pasting and Encourage Automated Systems

NIST's guidelines now encourage using automated systems and password managers to enhance password security further. Password fields should allow users to paste text using the copy-and-paste feature on their devices. This enables users to use password managers, simplifying password management and significantly enhancing security. 

 

Eliminate password hints and knowledge-based authentication

Password hints have long been regarded as a security vulnerability. Users often set hints that make it easy for others to guess their passwords, rendering them ineffective. To mitigate this risk, NIST has completely outlawed password hints. 

Furthermore, knowledge-based authentication (KBA) questions, such as "What street did you grow up on?" are no longer permitted due to the ease of finding such information online. Organizations can strengthen their password security practices by eliminating password hints and KBA questions and reducing the risk of unauthorized access.

 

Abandon periodic password change requirements

Traditionally, many organizations enforced policies that required frequent password changes. However, recent studies have shown that such requirements can be counterproductive to good password security. In line with this research, NIST recommends removing periodic password change requirements. 

This change aims to improve usability and make password security more user-friendly. While this new standard may take time to be universally adopted, it allows organizations to reevaluate their password policies and promote more effective security practices.

 

Simplify password complexity requirements

NIST's updated guidelines emphasize the importance of minimizing password complexity requirements. Previously, organizations often enforced the inclusion of uppercase letters, symbols, and numbers in passwords. 

However, these requirements can lead to passwords that are difficult to remember and may hinder employee efficiency. Organizations can balance security and usability by reducing password complexity and empowering employees to create and manage strong, memorable passwords.

 

Screen new passwords 

Another security measure NIST recommends is screening new passwords against lists of commonly used or compromised passwords. This practice helps protect against hackers who attempt to use known passwords in different settings. 

By utilizing software that checks proposed passwords against previously held or exposed passwords, organizations can prevent using weak passwords and further strengthen their security posture.

 

HIPAA compliance and password security practices

HIPAA mandates the protection of sensitive patient information and sets guidelines for data security. Implementing the NIST password guidelines can significantly improve HIPAA compliance by enhancing password security practices. By adhering to these guidelines, healthcare organizations can demonstrate their commitment to protecting patient data and avoiding potential breaches.

See also: HIPAA Compliant Email: The Definitive Guide