NIST Updates Password Guidance

New Threats Require New Approaches
New guidance on enterprise password management from the National Institute of Standards and Technology is aimed at helping federal government agencies mitigate common threats against character-based passwords.

NIST on Tuesday issued a draft special publication, Guide to Enterprise Password Management (SP 800-118), to build awareness of the rapidly evolving threats against passwords. The guidance advises agencies to consider several mitigation strategies, including secure storage and transmission of passwords, user awareness activities, and secure password recovery and reset mechanisms.
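The "secure storage" mitigation is the one most often done wrong on the server side, so here is an added example (written for this article, not code from the NIST draft) of what it looks like in practice: an unsalted fast hash, which is what password-cracking tools and precomputed tables are built to defeat, beside a record that uses a per-user random salt, a deliberately slow key derivation (PBKDF2-HMAC-SHA256 from Python's standard library) and a constant-time comparison. The iteration count and the `pbkdf2_sha256$iterations$salt$digest` record layout are assumptions chosen for the example.

```python
"""Added example: weak vs. secure server-side password storage.

Not from NIST SP 800-118 or the article; the record format and the
iteration count are assumptions for illustration.
"""
import hashlib
import hmac
import os


def weak_store(password: str) -> str:
    """Unsalted, single fast hash (the anti-pattern).

    Every user with the same password gets the same digest, so a stolen
    table can be matched against precomputed tables, and a fast hash lets
    an attacker test billions of guesses per second offline.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Assumed work factor for this example. Tune so one derivation costs on the
# order of 100 ms on the authentication server, and raise it over time.
ITERATIONS = 210_000
ALG = "pbkdf2_sha256"


def strong_store(password: str, iterations: int = ITERATIONS) -> str:
    """Per-user random salt + slow KDF, stored as a self-describing record.

    Storing the algorithm and cost alongside the digest lets the cost be
    raised later without invalidating existing records (see needs_rehash).
    """
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALG}${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the derivation with the stored parameters and compare."""
    try:
        alg, iters, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False
    if alg != ALG:
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    # Constant-time comparison: a plain == would leak, via timing, how many
    # leading bytes of the guess matched.
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True if the record was made with a lower cost than current policy.

    Call this after a successful verify() and re-store the password so the
    whole table migrates to the stronger setting as users log in.
    """
    _, iters, _, _ = record.split("$")
    return int(iters) < iterations


if __name__ == "__main__":
    # Constructed demo input: two users who chose the same password.
    pw = "Winter2009!"
    print("weak, user A:  ", weak_store(pw))
    print("weak, user B:  ", weak_store(pw), "(identical -> table attack)")
    rec_a, rec_b = strong_store(pw), strong_store(pw)
    print("strong, user A:", rec_a)
    print("strong, user B:", rec_b, "(different salt -> different digest)")
    print("verify correct:", verify(pw, rec_a))
    print("verify wrong:  ", verify("Winter2009?", rec_a))
```

The salt defeats precomputation and cross-user matching; the iteration count is what makes offline cracking of a stolen table expensive. Neither helps against the phishing and keylogging threats the draft emphasizes, which capture the password before it ever reaches this code.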

The guide also is designed to raise awareness of the changing threats against passwords. According to NIST, most organizations' password policies rely primarily on password strength: an organization might require, for example, that passwords be a certain length and include a mix of letters, digits and symbols. Such policies were created to protect against brute-force password guessing and cracking.

But publication coauthor Karen Scarfone says strong passwords don't necessarily help because the threats have changed. "Phishing attacks and other forms of social engineering trick users into revealing their passwords," Scarfone says in a statement accompanying the release of the draft publication. "Spyware in web browsers and keystroke loggers provide attackers with all the keystrokes someone makes, including passwords."

Scarfone says using effective password management as described in the guide will reduce the likelihood and impact of password compromises.

Among the guide's recommendations:

  • Educate users about threats against passwords and how they should respond.
  • Replace or supplement password-based authentication with stronger forms of authentication, such as biometrics or personal identity verification (PIV) cards, for applications with high security requirements.

NIST requests comments on draft SP 800-118 by May 29. Please submit comments to with "Comments SP 800-118" in the subject line.

About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
