Top 10 Password Security Standards

Since ancient times, people have used passwords, which are almost ubiquitous in our personal and professional lives. Though people were expected to remember their passwords as a best practice, it is practically impossible to remember hundreds of complex passwords. Therefore, people created passwords that were easy to remember and reuse across numerous accounts. However, repeated use of the same weak passwords causes data breaches and security issues.

The term "password policy" refers to the entire password lifespan, which includes how they were created, the complexity criteria, safekeeping, secure transmission, regular review, and more. 

Here we share the top 10 password security standards every institution should abide by.

What is the National Institute of Standards and Technology (NIST)?

NIST is a U.S. federal organization that provides standards for handling digital ID via Special Publication 800-63B. The most recent update was made in 2019 for the recent Version 3. Though Version 4 was made available for review, Version 3 remains the standard.

What Does the National Institute of Standards and Technology (NIST) Do?

The non-regulatory federal agency is dedicated to promoting innovation and industrial competitiveness in the US. They achieve this mission by advancing measurement science, standards, and technology. Their efforts not only enhance economic security, but also improve the quality of life for all Americans.

Liquid Web and other entities take queues from this agency as the national standard for many measurable references, including passwords.

Password Security Best Practices

Recommendations

1. Use Passwords of at Least 8 Characters or Longer if Set By a Person

The more characters you use, the more difficult a password is to crack. The length is key. Try to create lengthy passwords of at least eight characters.

2. Use Passwords of at Least 6 Characters or Longer if Set By a System or Service

If you have a system in place that allows for new user creation, such as an eCommerce site, a forum, or any type of site that allows new users to sign up, the software should never allow less than a six-character password.

3. Allow Support for at Least a 64-Character Length  

This setting should allow for use of strong passphrases when selecting a password.

4. Use a Combination of All ASCII Character Types

Use numbers, lowercase letters, uppercase letters, and symbols in your password (e.g., XkeDZaJ6QG3E8!jKq3%yIOd3). This decreases the overall entropy of the password and decreases its chances of being compromised.

Password entropy is the measure of how arbitrary or uncertain a password is. A password’s entropy is based on the type of character set used (including uppercase, lowercase, numbers, and special characters) and the length of the overall password.

5. Create Unique Passwords

Each password you use should be unique to each service you use. For example, cPanel, MySQL, and your bank account should all have different passwords.

6. Verify Your Password is Not Listed in Known Password Dictionaries

Using an online tool or software (in your program), check your password against known password lists and avoid using such passwords.

7. Use a Password Manager

Current best practice dictates that users should use a password manager to set and remember long, difficult passwords.

8. Randomly Generate the Password

Use a password generator to generate a secure password. Some online options are:

• Norton Password Generator.
• Random.org.
• Secure Password Generator.

9. Allow No More Than 10 Password Attempts Before a Lockout Initiates

The specified threshold is usually a balance between practicality and security depending on your company's risk level. This should be an adequate balance between allowing for possible user error and limiting brute force attacks.

10. Use a Two-Factor Authentication (2FA) System

The use of a multi-factor authentication system as part of your security protocols will add an additional layer of protection. This includes methods like hardware key fobs, software like Google Authenticator, and readable biometric data.

Inadvisable

1. Don’t Use Dictionary Words

If your password is pizzatime, your server is probably already hacked or worse yet, rooted. Dictionary attacks use programs that automatically update password fields with common words.

2. Don’t Change Your Password Often

Changing your passwords regularly is now discouraged according to the latest NIST research. Users frequently use the same passwords they previously used, which is one reason for this newer regulation. However, for some businesses and organizations, frequent password changes are necessary.

3. Don’t Reuse Passwords

Since some require frequent password changes, the best practice is to avoid reusing the same or similar passwords. If your password for an account was Quixotic.Princess1, and you were forced to change it, don’t change it to Quixotic.Princess2. Also, under no circumstances should you go back to Quixotic.Princess1. Create a new, unique password.

4. Don’t Use Pets, People, Places, Events, etc.

While your dog is awesome and adorable, its name would not make a good password as it can be an easy guess if someone is gathering info on you. Some acceptable ways to incorporate names would be combinations of special characters and phrases (e.g., B1gg13$m@LL$, bu$t3rB3LLy, J3llyb3an!).

5. Don’t Use Adjacent Keyboard Strings

Keep in mind, qwerty1234 is not a secure password, and neither is using a keyboard pattern of ANY kind (e.g., wazsedxcfr or poilkjmnb). These keyboard patterns have been taken advantage of and are part of the software programs that malicious actors use to scan for passwords.

Password Examples

Bad Passwords

Here are some examples of bad passwords to use:

• awesomedog1
• sunshine12
• coolguy18

Good Passwords

Here are some examples of good passwords to use. It is advised that you not use these passwords since they are in the public domain.

• Da$up#aPhAJ*cRe3
• *@7X#JjI6j4e#cC2ax
• 8c0e^zi&ISEk%9&0Wa

Best Practices 

Passphrases

Use statements or phrases to help you remember passwords, such as PetHydraePulpyLash. A joke, a hobby, a quote from a book/movie, or an interest of some sort can be used as the basis for a secure password.

Take this quote from Star Wars, “May the force be with you.” You can build this into a more secure password by simply changing out some characters and adding a few numbers, such as:

• May1the2force3be4with5you6!

That’s a more secure password that would be much easier to remember, but still may not be the most secure for banking information.

The website How Secure is My Password gave the following score:

The site How Secure Is My Password states:

It would take a computer about 682 NONILLION YEARS to crack your password

That’s 10³⁰ years! Using this same movie quote and turning it into a passphrase increases its security even further. Going from “May the Force be with you,” and converting it to something like M@y Th3 F0rC3 b3 w1tH y0u!

This gives the following score:

The site How Secure Is My Password states:

It would take a computer about 3 DECILLION YEARS to crack your password

That’s 10³³ years!

GOOD Passphrase Examples:

• G0 @h3@d, M@k3 My Day!
• *M@y tH3 F0rc3 b3 W1th y0U*
• TH3r3’5 n0 pL@c3 l1K3 h0m3_

Remembering Passwords

You can store your passwords in a password vault or with password management tools. The use of password managers is now recommended and can improve your ability to utilize stronger passwords. However, remember that a password manager is only as strong as its gateway passphrase, which can allow access to all of your passwords. When you join new websites, password managers not only keep your existing passwords but also create and save secure, unique passwords for you. 

That means you can open your password manager anytime you visit a website or app, copy your password, and paste it there to log in. Browser extensions that automatically fill in your password are frequently included with password managers. You can carry your passwords with you everywhere you go, even on your phone, as many password managers offer encrypted cross-device syncing.

Although Liquidweb does not endorse any specific password manager, we can, however, provide a list of the most popular ones:

• Keeper
• Dashlane
• LastPass
• 1Password
• 1KeePass 
• PWSafe

Here is a full list of information for all the major password managers.

Authentication

The standard practice for controlling access to organizational resources is two-factor authentication. Users must verify their identity in addition to providing traditional credentials, such as their username and password, by receiving a one-time code on their mobile device or by inserting a unique USB token. The idea behind two-factor authentication is that it prevents an attacker from gaining access by simply guessing or cracking the password.

The newest models for multi-factor authentication ideally identifies four common factors as the essential methods of authentication:

• Something you personally know (e.g., a passphrase).
• Something you personally have on you (e.g., an employee ID badge or a key fob).
• Something you personally own (e.g., a fingerprint, facial recognition, retinal ID, or other types of biometric data).
• Somewhere you specifically are (e.g., your GPS location or on a network at work).

Final Thoughts

Passwords have mostly stayed the same over the years, but password management has changed significantly. Organizations should carefully review their password security policies, and password management procedures, as stolen or weak passwords are still the most common cause of data breaches. You may develop a strong password security strategy and offer stronger protection against unwanted access by using the best practices that are listed in this article.