Looking for a Business Associate Agreement? Download our FREE starter template.
Total HIPAA Logo

Password Guidelines Updated by NIST

The National Institute of Standards and Technology (NIST) has updated its password guidelines in accordance with new research. The U.S. government requires its agencies to follow these guidelines, and many other organizations would benefit from implementing these rules as well.

These practices represent a reasonable standard and will help you keep confidential information safe and protect against breaches.¹

NIST is a federal agency that promotes U.S. innovation and industry by advancing the nation’s technology and information security infrastructure.² Following these updated guidelines can help you improve your password security practices and increase staff efficiency. Next, we’ll take you through recommended practices from the new guidelines and how to comply with them.

Increase password length

Length is a critical component of strong passwords. Longer passwords are statistically less likely to be cracked. Because of this, NIST now requires a minimum length of eight characters for user-generated passwords and six characters for those that are generated by a machine. To ensure greater security for more sensitive accounts, NIST says you should set the maximum password length at 64 characters.³

Allow special characters and spaces

Another way of increasing security levels is to allow the use of special characters in passwords. NIST now requires systems to permit passwords that contain special characters, even emojis and spaces. The new guidelines prohibit sequential (ex: 1234) or repeating (ex: aaaa) characters and dictionary words.³

Permit users to paste text

The guidelines encourage the use of automated systems for added security. Password fields must now allow users to paste text using a device’s copy and paste feature. This affords users the opportunity to use password managers, which can greatly increase security.

Stored passwords must also be hashed and salted (security measures similar to encryption). These are security measures that help to safeguard passwords that are in storage. If put into effect, hackers won’t be able to read your password data even if they manage to steal it.³

Outlaw password hints

Password hints are one example of an added security measure that can actually undermine password security. It’s only too common for users to set hints that make it very easy to determine the password. This defeats the purpose of having a password in the first place.

To prevent this, NIST has completely outlawed the use of password hints. Knowledge-based authentication (KBA) questions like “What street did you grow up on?” are also no longer permitted. The answers to these are too easily found over the internet, and can easily lead to a breach.³

Remove periodic password change requirements

Recent studies have shown that company policies that require frequent password changes are counterproductive to good password security. NIST recommends removing this requirement, which should increase usability and make password security more user-friendly.

Many industries have had a frequent password change standard in place for years, so it may take some time before this new standard is commonly observed. But for those who found the previous standard to be unnecessary, this may come as a welcome change.¹

Reduce complexity

NIST recommends minimizing password complexity requirements, like the necessary inclusion of upper case letters, symbols, and numbers. As with frequent password change policies, these requirements can result in passwords that decrease usability and hamper employee efficiency. Reducing password complexity can be another great step on the road to better security practices that employees find easier to manage.¹

Screen new passwords against commonly used or compromised passwords

A commonly held security practice is screening your users’ passwords against lists of commonly held passwords and known compromised passwords. NIST recommends you utilize software that can check proposed passwords against previously held or exposed passwords. This will protect against the hacking practice of trying known passwords in new settings.¹

  1. New password guidelines from the US federal government via NIST
  2. NIST Special Publication 800-63B
  3. The New NIST Guidelines

Sharing is caring!


Looking for a Business Associate Agreement?

Download our free template to get started on your path toward HIPAA compliance.

Download Now

Let's keep in touch

Stay up to date on the latest HIPAA news, plus receive tons of free tools and info.

Navigating HIPAA Compliance in 2022

Watch the recording of this webinar to learn more about how you can become and stay HIPAA compliant!


Related Posts

3 Reasons Insurance Agents Need to Follow HIPAA

3 Reasons Insurance Agents Need to Follow HIPAA

Health insurance agents became covered under HIPAA with the HITECH Act of 2009. The inclusion of insurance agents was a response to the increasing use of electronic health records and the need to...

Only a Few Days Remain to Report Small Breaches

Only a Few Days Remain to Report Small Breaches

Did you know that any HIPAA security breaches affecting less than 500 individuals in 2022 must be reported to the US Department of Health and Human Services by March 1, 2023? That is just a few days...

Microsoft End of Support for 2023

Microsoft End of Support for 2023

Each year, we publish Microsoft’s End of Support list because using up-to-date software is essential for HIPAA compliance. Microsoft will terminate support for earlier versions of a long list of its...

Save & Share Cart
Your Shopping Cart will be saved and you'll be given a link. You, or anyone with the link, can use it to retrieve your Cart at any time.
Back Save & Share Cart
Your Shopping Cart will be saved with Product pictures and information, and Cart Totals. Then send it to yourself, or a friend, with a link to retrieve it at any time.
Your cart email sent successfully :)