Does your password policy align with NIST recommendations? - SmartBrief

Does your password policy align with NIST recommendations?



More than half (52%) of IT pros are concerned about weak and compromised passwords, according to a recent survey by Enzoic and Redmond magazine. Unfortunately, 58% are unaware of crucial updates to the National Institute of Standards and Technology’s recommendations on password protection. The agency’s updated guidance provides new tactics and revises previous practices to help shape password policy.

“NIST outlines several simple steps to strengthen passwords against modern password-based attacks. Organizations that ignore NIST’s recommendations are leaving an essential authentication security layer vulnerable,” notes Josh Horwitz, chief operating officer at Enzoic.


4 password composition policy updates to make right now

To create stronger passwords and reduce advanced persistent threats, the agency advises making the following upgrades to your password composition policy:


  1. Increase the character count.
    Longer lengths enable users to create passphrases – sequences of unrelated words (so not your favorite catchphrase) and spaces – that are easier to memorize. One reason people create weak passwords is that they don’t want to work to remember them.
  2. Encourage the use of all characters.
    NIST recommends making every character, including spaces, available for passwords, which reduces the burden on users to come up with unique credentials. But you don’t have to require special characters anymore. Once thought to improve password strength, mandating special characters, NIST found, doesn’t improve security significantly, because many users make obvious substitutions, like @ for a and + for t, that hackers can easily figure out.
  3. Make password management easier for users.
    In an about-face, NIST now supports copying and pasting of passwords because it encourages the use of password managers, which add another layer of security. The agency also says it’s time to end regularly scheduled password changes. Mandatory password revisions lead to predictable behaviors that produce weaker passwords, which actually lowers security.
  4. Screen new and current passwords against blacklists.
    Hackers collect lists of stolen credentials and know they’re likely to be reused on other sites. Automated tooling can check databases of blacklisted passwords that are commonly used or already compromised and prompt users to create stronger credentials. And because trends change, it’s critical to continuously monitor passwords in use and direct users to change any that become exposed. However, only 38% of survey respondents verify whether passwords have been compromised.
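The four policy points above can be expressed as a single server-side check. The following is an added example written for this article, not Enzoic's or NIST's code: it enforces a length floor and ceiling (the 8 and 64 figures are taken from NIST SP 800-63B, not from the article), allows spaces and any Unicode, imposes no composition rules, and screens against a blocklist after undoing the obvious substitutions the article mentions, so "P@ssw0rd" is still caught. The blocklist and the substitution table are constructed for illustration; a production deployment would use a breach-derived corpus.

```python
import unicodedata

# Constructed sample blocklist; a real one is a breach-derived corpus with
# hundreds of millions of entries, refreshed as new exposures appear.
BLOCKLIST = {"password", "qwerty123", "letmein", "welcome1", "summer2024"}

# Substitutions users make to satisfy complexity rules (the article cites
# @ for a and + for t). Undoing them on both sides of the comparison means
# the blocklist catches the "clever" variants as well as the plain word.
LEET = str.maketrans({"@": "a", "+": "t", "0": "o", "1": "i", "3": "e",
                      "$": "s", "5": "s", "7": "t"})

MIN_LEN, MAX_LEN = 8, 64  # NIST SP 800-63B minimums for user-chosen secrets


def normalize(pw: str) -> str:
    # NFKC so visually identical Unicode spellings are treated the same way
    return unicodedata.normalize("NFKC", pw)


def canonical(s: str) -> str:
    # Lower-case and de-leet; used for blocklist and context-word matching only,
    # the stored/verified secret is the user's original string.
    return normalize(s).lower().translate(LEET)


BLOCKED = {canonical(entry) for entry in BLOCKLIST}


def check_password(pw: str, context: tuple[str, ...] = ()) -> list[str]:
    """Return policy failures; an empty list means the password is acceptable.
    Deliberately no composition rules: spaces and any Unicode are allowed,
    and no class of character is required."""
    pw = normalize(pw)
    problems = []
    n = len(pw)  # count code points, not bytes, so non-ASCII users are not penalized
    if n < MIN_LEN:
        problems.append(f"too short: {n} < {MIN_LEN}")
    if n > MAX_LEN:
        problems.append(f"too long: {n} > {MAX_LEN}")
    canon = canonical(pw)
    if canon in BLOCKED:
        problems.append("matches a known-compromised or common password")
    for word in context:  # username, service name and similar context-specific words
        w = canonical(word)
        if len(w) >= 3 and w in canon:
            problems.append(f"contains context-specific word {word!r}")
    return problems
```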

As hacking threats increase and many IT teams are understaffed, upgrading your password policy may seem like a nice-to-have. However, password hardening is easy to do, leverages the existing investment in passwords and, unlike most security policies, actually makes things easier for users and administrators.

The right solution reduces user frustration around frequent required resets and complex rules. Technology can also lower administrative burden and spend by using automation to reduce password reset calls and boost cybersecurity. Adopting modern technology such as Enzoic for Active Directory can help you avoid security breaches, prevent ransomware attacks and avoid account takeovers.

“Organizations need a way to identify when passwords become compromised,” says Horwitz, adding, “Otherwise, their users and administrators can’t follow or enforce the NIST requirement to not reuse compromised passwords.”


Enzoic is an enterprise-focused cybersecurity company committed to preventing account takeover and fraud through compromised password detection. Organizations can use Enzoic solutions to screen customer and employee accounts for exposed username and password combinations to identify accounts at risk and mitigate unauthorized access. Enzoic is a profitable, privately held company in Colorado. Learn more about Enzoic here and connect on Twitter and LinkedIn.