Password Recommendations According to NIST Guidelines
Not too long ago, the National Institute of Standards and Technology (NIST) finalized guidelines that proposed changing password security recommendations and changing some of the strong password practices we are familiar with.
As part of their new guidelines NIST recommends the following:
1. Remove periodic password change requirements
Best practices historically have ranged between 60 and 180 days; however, according to NIST there have been multiple studies that have shown requiring frequent password changes to actually be counterproductive to good password security. Their hope is their new guidelines will change that practice.
2. Drop the algorithmic complexity song and dance
NIST believes password complexity requirements needing mixtures of upper-case letters, symbols and numbers have been shown to result in worse, lesssecure passwords.
3. Require screening of new passwords against lists of commonly used or compromised passwords
According to NIST, one of the best ways to ratchet up the strength of your users' passwords is to screen them against lists of dictionary passwords and known compromised passwords.
NIST Password Guidelines
- An eight-character minimum and 64-character maximum length
- The ability to use all special characters but no special requirement to use them
- Restrict sequential and repetitive characters (e.g. 12345 or aaaaaa)
- Restrict context specific passwords (e.g. the name of the site, etc.)
- Restrict commonly used passwords (e.g. p@ssw0rd, etc.)
- Restrict passwords obtained from previous breach corpuses
HCP clients can access their current password policies in their HIPAA Security module under Password Management. At the discretion of your compliance officer, these password guidelines may be added to your current password policy. At a minimum, we recommend considering these guidelines whenever you update your passwords.
Please contact us if you have questions about these NIST password guidelines or other compliance questions: [email protected] or by phone: 855-427-0427