Best practices for Microsoft and NIST password policies (2023)

Microsoft and the National Institute of Standards and Technology (NIST) are two of the leading resources for strong password policies. In this article, we discuss recommended strategies to ensure your company's passwords are strong enough to protect against hackers and cybercriminals.

NIST is responsible for developing information security standards and guidelines that all federal agencies must follow, and most cybersecurity professionals choose to do so as well. Microsoft offers a unique perspective on password security, leveraging the insights gained from analyzing millions of username/password compromise attempts every day. Review the NIST and Microsoft password guides and recommendations to determine the best policies for your organization.

Microsoft password policy recommendations

Microsoft created its admin password policy recommendation using insights from years of tracking threats such as Trojans, worms, botnets, phishing attacks, and more. Learn how to identify the latest security threats. Microsoft recommends the following guidelines for deploying password-based identity and access management security as part of your organization's cybersecurity plan.

Password guidelines for administrators

  • Keep a minimum length of 8 characters (longer is not necessarily better)

    Password length requirements (greater than about 10 characters) can result in predictable and undesirable user behavior. For example, users who are required to have a 16-character password can repeat patterns like fourfourfour or passwordpassword that meet character length requirements but are not difficult to guess. In addition, length requirements increase the likelihood that users will engage in other unsafe practices, such as writing down their passwords, reusing them, or storing them unencrypted in their documents. To encourage users to come up with a unique password, we recommend maintaining a reasonable minimum length of 8 characters.

  • Do not impose character composition requirements. Example: *&(^%$

    Password complexity requirements can lead users to act in predictable ways and do more harm than good. Most people use similar patterns, for example, a capital letter in the first position, a symbol in the last, and a number in the last 2. Cybercriminals know this, so they run their dictionary attacks with the most common substitutions: "$" for "s", "@" for "a", "1" for "l". Forcing your users to choose a combination of uppercase, lowercase, digits, and special characters has a negative impact. Some complexity requirements even prevent users from using strong and memorable passwords and force them to create less secure and less memorable passwords.

  • Do not require periodic password resets for user accounts

    There is evidence that users who know they need to change their passwords choose weak passwords and are more likely to write them down. A better approach might be to apply multi-factor authentication and then encourage users to make the effort to find a strong password that they can use for a long time.

  • Ban common passwords to keep the most vulnerable passwords off your system

    The most important password requirement you should impose on your users when creating passwords is to disallow the use of common passwords to reduce your organization's vulnerability to brute force password attacks. Common user passwords are: ABCDEFG, Password, Ape.

  • Advise your users not to reuse their organization passwords for non-work related purposes

    One of the most important messages to convey to users in your organization is to not reuse your organization's password anywhere else. Using your company's passwords on external websites greatly increases the likelihood that cybercriminals will compromise those passwords.

  • Enforce registration for multi-factor authentication

    Make sure your users update contact and security information, such as an alternate email address, phone number, or a device registered for push notifications, so they can respond to security challenges and be notified of security events. Up-to-date contact and security information helps users verify their identity if they forget their password or someone tries to take over their account. It also provides an out-of-band notification channel for security events such as login attempts or password changes.

  • Enable risk-based multi-factor authentication challenges

    Risk-based multi-factor authentication ensures that if our system detects suspicious activity, it can prompt the user to verify that they are the legitimate owner of the account.

  • Passwordless authentication is the future

    Microsoft invites admins to lead their organizations into the future by becoming familiar with what it calls passwordless authentication, which is available now. It gives users faster access to applications and services, provides a higher level of security than passwords, and eliminates IT support costs and lost productivity associated with password resets. The 3 passwordless authentication options available today from Microsoft are Windows Hello facial recognition and fingerprint scan authentication, the Microsoft Authenticator app for passwordless phone login, and FIDO2 security keys, which are available as USB/NFC keys, biometric USB keys, or biometric wearables.

NIST Password Policy Recommendations

The NIST Special Publication 800-63B guidelines for digital identity, authentication, and lifecycle management, released in 2020, are considered the gold standard for password security. Federal agencies must follow the guidelines, and it is strongly recommended that all organizations follow NIST password recommendations when establishing password policies to ensure the security of their employee accounts and corporate data. The document introduced a new protocol that aims to improve password security by promoting easy-to-remember but hard-to-guess passwords, known as memorized secrets, while eliminating many of the password complexity requirements of the past, which have been shown to reduce security.

Below is a summary of the key password recommendations outlined in the guidelines:

  • Request multi-factor authentication

    Multi-factor authentication uses more than one method to verify your identity. Multi-factor authentication can help protect your account from attackers, even if they guess or steal your password. Attackers would not be able to access your account without also breaching the second layer of security.

  • The password length must be at least 8 characters but less than 64 characters

    Password length requirements that require passwords to be longer than 10 characters have been shown to result in predictable user behavior that is easy for hackers to guess. Length requirements also increase the likelihood that users will engage in other unsafe practices, such as writing down their passwords, reusing them, or storing them unencrypted in their documents. For these reasons, NIST now recommends maintaining a reasonable minimum length of 8 characters and, more importantly, requiring multi-factor authentication.

  • All special characters (including spaces) should be allowed but not required

    Special characters make your password stronger, but you can still create a strong and secure password without special characters. Making this optional and not mandatory allows users to create passwords that they are more likely to remember.

  • Eliminate knowledge-based authentication (e.g. what is your mother's maiden name)

    The answers to many forms of knowledge-based authentication are easily found on the Internet. Hackers can find answers to most security questions, such as birthdays, educational backgrounds, and family members' names, by examining public records. It doesn't help that so many people overlook the security implications of the information they freely share on social media, which often provides strong clues to these common security questions.

  • Avoid using personal information when creating a password

    The personal information you put on social media platforms like Facebook and Instagram makes it easy for a hacker to guess your passwords. Avoid using anything that is known about you, whether from public records or information that you or others may post on social media. This information may be the easiest to remember, but it is the basis for social engineering that can be used against you. Social engineering remains one of the most effective strategies for successful ransomware attacks.

  • Eliminate mandatory password changes unless there is evidence of password compromise

    One of the most important changes NIST has made is that they no longer recommend periodic password resets. This practice has proven to be ineffective and makes passwords less secure. A Microsoft study found that users who have had to reset their passwords frequently are more likely to use weak passwords and reuse them across multiple accounts.

  • Limit the number of failed password attempts

    Limiting your failed password attempts can help protect your accounts by preventing attackers from gaining access if they incorrectly guess your password too many times. This can help protect your account from brute force attacks, where hackers use sophisticated software and AI to generate millions of different combinations until they find the right one.

  • Enable copy and paste in password fields

    NIST also recommends allowing passwords to be copied and pasted into password fields. Although the guidelines do not require the use of password management software, this policy permits its use. Password managers store all user passwords in a central, encrypted location and allow users to copy and paste to log in.

  • End user training required

    Humans remain the weakest link in the information security process. Regular training is one of the most important measures companies can take to protect against targeted attacks on their employees.

    Additional recommendations - Do not use:
  • Context-specific words such as service name, username, and derivatives
  • Passwords compromised in previous security breaches
  • Words found in the dictionary
  • Repeating or consecutive characters (like "aaaaaaaaa" or "1234abcd")
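
An added example (not from Microsoft, NIST, or the original article) of enforcing the checks listed above when a password is created: length bounds, a blocklist lookup that also reverses the three substitutions named earlier ("$", "@", "1"), context-specific words, and repeated or sequential runs, with no composition rules. The function names, the run threshold of 4, the inclusive upper bound of 64, and the small blocklist are assumptions constructed for illustration.

```python
import unicodedata

MIN_LENGTH = 8
MAX_LENGTH = 64  # assumption: longest accepted length, inclusive

# Constructed sample blocklist. In production this would be a large corpus of
# common passwords and passwords exposed in previous breaches.
COMMON_PASSWORDS = {"password", "abcdefg", "123456", "qwerty", "letmein"}

# The substitutions the article says attackers already try: $ -> s, @ -> a, 1 -> l
_SUBSTITUTIONS = str.maketrans({"$": "s", "@": "a", "1": "l"})


def _normalize(text):
    """Fold case and Unicode compatibility forms so lookups are consistent."""
    return unicodedata.normalize("NFKC", text).casefold()


def _has_repeated_run(pw, run=4):
    """True if one character occurs `run` or more times in a row (e.g. 'aaaa')."""
    count = 1
    for prev, cur in zip(pw, pw[1:]):
        count = count + 1 if cur == prev else 1
        if count >= run:
            return True
    return False


def _has_sequential_run(pw, run=4):
    """True if `run` or more characters ascend or descend by one code point
    (e.g. '1234', 'abcd', 'dcba')."""
    up = down = 1
    for prev, cur in zip(pw, pw[1:]):
        diff = ord(cur) - ord(prev)
        up = up + 1 if diff == 1 else 1
        down = down + 1 if diff == -1 else 1
        if up >= run or down >= run:
            return True
    return False


def screen_password(password, username="", service_name="",
                    blocklist=COMMON_PASSWORDS):
    """Return a list of rejection reasons; an empty list means accepted.

    There is deliberately no composition check: any character, including
    spaces and symbols, is allowed but none is required.
    """
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too_short")
    if len(password) > MAX_LENGTH:
        reasons.append("too_long")

    norm = _normalize(password)
    # Check the password as typed and with common substitutions undone.
    if norm in blocklist or norm.translate(_SUBSTITUTIONS) in blocklist:
        reasons.append("common_password")

    # Context-specific words: the account name and the service name.
    for label, word in (("contains_username", username),
                        ("contains_service_name", service_name)):
        w = _normalize(word)
        if len(w) >= 3 and w in norm:  # skip very short words to limit false hits
            reasons.append(label)

    if _has_repeated_run(norm):
        reasons.append("repeated_characters")
    if _has_sequential_run(norm):
        reasons.append("sequential_characters")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs.
    samples = ["correct horse battery staple", "P@$$word", "aaaaaaaaa", "1234abcd"]
    for candidate in samples:
        print(repr(candidate), screen_password(candidate) or "accepted")
```

Returning every reason at once, rather than stopping at the first failure, lets the sign-up form explain a rejection in one round trip.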


Administrators should review the list provided by these highly trusted sources and apply the recommended policies across the organization. The top security measure recommended by Microsoft and NIST is to require multi-factor authentication for all accounts containing corporate data. Based on Microsoft studies, your account is 99.9% less likely to be compromised when you use MFA.

Password managers are easy to use, help generate strong, unique passwords, and give employees a secure way to avoid having to remember all of their passwords. When implementing a password management solution, keep these five things in mind:

  • Choose a long password for the password manager master password and protect it from theft. A passphrase can be long enough to protect against attacks while still allowing for memorization.
  • Create unique passwords for all accounts or leverage most password managers' ability to generate random, unique, and complex passwords for each account.
  • Avoid password managers that allow master password recovery. Any master password compromise by account recovery tools could compromise the entire password vault.
  • Use multi-factor authentication for password manager apps that allow this feature.
  • Use the password generator feature in most password managers to generate complex, random passwords that meet your desired complexity requirements.

If you're not implementing a password manager, it's important to provide your users with guidance on how to choose a unique password for each of their accounts. One of the best schemes ever created, and still very effective today, came from Schneier in a 2014 security blog post. The blog post stated that almost anything that can be remembered can be broken. He suggests combining a personally memorable phrase with some personally memorable tricks to turn that phrase into a unique and memorable password. That would be something like:

  • tlpWENT2tm = This little pig has gone to the market
  • WIw7, mstmsritt. = When I was seven years old, my sister threw my stuffed rabbit in the bathroom.
  • Wow…doestcst = Wow, this couch smells awful.

Addressing password policies greatly improves the security of your organization.

For more cybersecurity recommendations to improve your organization's cybersecurity policies, contact IntelliSuite.


Microsoft, Office 365 password policy recommendations

NIST, Authenticator and Verifier Requirements, 5.1 Requirements by Authenticator Type

Schneier on Security


What is Microsoft best practice for password policy? ›

At least 12 characters long but 14 or more is better. A combination of uppercase letters, lowercase letters, numbers, and symbols. Not a word that can be found in a dictionary or the name of a person, character, product, or organization. Significantly different from your previous passwords.

What are the 4 recommended password practices? ›

Password Best Practices
  • Never reveal your passwords to others. ...
  • Use different passwords for different accounts. ...
  • Use multi-factor authentication (MFA). ...
  • Length trumps complexity. ...
  • Make passwords that are hard to guess but easy to remember.
  • Complexity still counts. ...
  • Use a password manager.

What are some recommendations from NIST on password management? ›

NIST now recommends a password policy that requires all user-created passwords to be at least 8 characters in length, and all machine-generated passwords to be at least 6 characters in length. Additionally, it's recommended to allow passwords to be at least 64 characters as a maximum length.

What is a best practice according to Microsoft for the minimum password length? ›

Best practices

Set Passwords must meet complexity requirements to Enabled. This policy setting, combined with a minimum password length of 8, ensures that there are at least 159,238,157,238,528 different possibilities for a single password. This setting makes a brute force attack difficult, but still not impossible.

What are the 5 security requirements for a good password? ›

  • At least 12 characters (required for your Muhlenberg password)—the more characters, the better.
  • A mixture of both uppercase and lowercase letters.
  • A mixture of letters and numbers.
  • Inclusion of at least one special character, e.g., ! @ # ? ]

What are the six basic guidelines for creating strong passwords? ›

6 best practices to create strong passwords and keep your business accounts secure
  • Create long, complex, and unique passwords. ...
  • Sentences or phrases are better than single words. ...
  • Don't include personal information in your passwords. ...
  • Use two-factor authentication to render stolen passwords useless. ...
  • Encrypt stored passwords.

What is the 8 4 rule for passwords? ›

This is often called the “8 4 Rule” (Eight Four Rule): 8 = 8 characters minimum length. 4 = 1 lower case + 1 upper case + 1 number + 1 special character.

What are three 3 best practices for creating and using passwords? ›

Here are the top security best practices around how to make a strong password in 2022:
  1. Unique Passwords for Each Account. ...
  2. Characters and Symbols Instead of Letters. ...
  3. Try Passphrases. ...
  4. At Least 12 Characters in Length. ...
  5. Analyze Password Strength. ...
  6. Change Password Quarterly. ...
  7. Enable Two-Factor Authentication. ...
  8. Use a Password Manager.

What are your 7 best tips for creating a strong password? ›

7 Tips For Creating a Better Password
  • Create Strong Passwords. ...
  • Avoid Passwords Containing Info Easily Found Online. ...
  • Use a Unique Password for Every Website or App. ...
  • Avoid Linked Accounts. ...
  • Use Multi-Factor Authentication. ...
  • Beware Where You Enter Your Password. ...
  • Take Note When a Data Breach Occurs.

What are the 5 pillars of NIST? ›

The five domains in the NIST framework are the pillars that support the creation of a holistic and successful cybersecurity plan. They include identify, protect, detect, respond, and recover.

What are the 4 NIST implementation tiers? ›

The National Institute of Standards and Technology Cyber-Security Framework (NIST) implementation tiers are as follows.
  • Tier 1: Partial.
  • Tier 2: Risk Informed.
  • Tier 3: Repeatable.
  • Tier 4: Adaptive.

What NIST best practices? ›

Taking the NIST's standards and the FTC's posted enforcement actions together, the following guidelines are some cybersecurity best practices:
  • Security. Start with Security. ...
  • Identify. ...
  • Protect. ...
  • Detect. ...
  • Respond. ...
  • Recover.

How long should my password be 2022? ›

Make your password long. 12-14 characters are recommended. Use a mix of characters like capitalization, symbols and numbers. Use a different password for every account.

What is a good password policy? ›

Some of the password storage best practice policies that companies use include: Requiring that passwords contain a mixture of lowercase and uppercase characters. Passwords need to be a certain length. Passwords need to contain a mixture of lowercase, uppercase, numbers and special characters.

What are Windows 10 password complexity requirements? ›

A secure network environment requires all users to use strong passwords, which have at least eight characters and include a combination of letters, numbers, and symbols.

What are the 5 basic security principles? ›

The Principles of Security can be classified as follows:
  • Confidentiality: The degree of confidentiality determines the secrecy of the information. ...
  • Authentication: Authentication is the mechanism to identify the user or system or the entity. ...
  • Integrity: ...
  • Non-Repudiation: ...
  • Access control: ...
  • Availability:

What are 2 basic rules for passwords? ›

And once you finally select a password, its strength needs to observe these parameters: Length of the password – preferably over 12 characters. Complexity of the password – must contain letters (upper and lower case), numbers, and symbols and have a minimum number of each. Contain no repetitive characters.

What makes a good password in 2022? ›

A strong password should be impossible to guess, and that means using a mixture of lowercase and capital letters, numbers and symbols. Passwords are stronger the longer they are and shouldn't contain any intuitive patterns or memorable keyboard paths that can easily be guessed, like 123, ABC or QWERT.

What is the best recommendation for creating a strong password? ›

Remember These Strong Password Best Practices
  • Do not use sequential numbers or letters. ...
  • Do not include your birth year or birth month/day in your password. ...
  • Use a combination of at least eight letters, numbers, and symbols. ...
  • Combine different unrelated words in your password or passphrase.

What are the 3 main types of password attacks? ›

Six Types of Password Attacks & How to Stop Them
  • Phishing. Phishing is when a hacker posing as a trustworthy party sends you a fraudulent email, hoping you will reveal your personal information voluntarily. ...
  • Man-in-the-Middle Attack. ...
  • Brute Force Attack. ...
  • Dictionary Attack. ...
  • Credential Stuffing. ...
  • Keyloggers.

How many passwords are 1234? ›

Nearly 11% of the 3.4 million passwords are 1234! The next most popular 4-digit PIN in use is 1111, with over 6% of passwords being this. In third place is 0000 with almost 2%. A table of the top 20 found passwords is shown at the right.

What basic password rules should everyone use? ›

Strong passwords are longer than eight characters, are hard to guess and contain a variety of characters, numbers and special symbols. The best ones can be difficult to remember, especially if you're using a distinct login for every site (which is recommended).

What is the best password length? ›

When a password is properly generated, 11–15 characters will provide more than enough protection for the everyday user. However, we know that most people feel more comfortable and secure with a longer version.

What are the 3 most important pillars of information security? ›

The CIA triad refers to an information security model made up of the three main components: confidentiality, integrity and availability. Each component represents a fundamental objective of information security.

What are the four password management features? ›

Some of the key features of password management software include:
  • Encryption. Ability to encrypt passwords and other confidential data with industry-standard encryption like AES-256. ...
  • Secure data transfer. ...
  • Password generator. ...
  • Multi-platform support. ...
  • User management. ...
  • Fine-grained sharing. ...
  • Quick login. ...
  • Browser extensions.

What are the three 3 principles that user must preserve to ensure security of information? ›

What are the 3 Principles of Information Security? The basic tenets of information security are confidentiality, integrity and availability. Every element of the information security program must be designed to implement one or more of these principles. Together they are called the CIA Triad.

What is the number 1 most used password? ›

In collaboration with independent cybersecurity researchers evaluating a four terabyte database, the company found 123456 was the most commonly used password in the world, with over 100 million instances of its use.

What are common password mistakes? ›

Using Any Personal Information In Passwords

Their own names should never be used, along with the names of their relatives, favorite celebrities, pets, friends, and so on. Even something as simple as a college mascot shouldn't be used, as it's relatively easy to find out this kind of information.

What is the most important factor for password strength? ›

Complexity. Because of how password crackers work, password length has become more important to password strength (i.e., resistance to cracking) than using special characters or other “complexity” factors that can make passwords harder to remember and to key in.

What are the most important NIST 800-53 controls? ›

The NIST SP 800-53 security control families are: Access Control. Audit and Accountability. Awareness and Training.

What are the 3 tiers of the NIST Risk Management Framework? ›

There are three main elements to the framework – the framework core, profiles, and implementation tiers. These tiers are intended to provide context for stakeholders to help determine the degree to which their organizations exhibit the characteristics of the framework.

What is the current NIST framework? ›

The NIST cybersecurity framework is a powerful tool to organize and improve your cybersecurity program. It is a set of guidelines and best practices to help organizations build and improve their cybersecurity posture.

What is 3 NIST Digital Signature Algorithm? ›

Federal Information Processing Standard (FIPS) 186-4, Digital Signature Standard (DSS), specifies three NIST-approved digital signature algorithms: DSA, RSA, and ECDSA.

What is replacing NIST? ›

CMMC stands for Cybersecurity Maturity Model Certification. It combines the controls from NIST SP 800-171 and from other sources, depending on the level of certification. This is a new model that will replace NIST 800-171 and will be enforced by the DoD.

Is NIST or ISO better? ›

NIST is considered best for organizations that are in the early stages of developing a risk management plan. ISO 27001, comparatively, is better for operationally mature organizations.

Does NIST recommend changing passwords? ›

Not surprisingly, NIST no longer recommends scheduled password changes. Instead, the NIST password guidelines essentially state that organizations should screen passwords against a list of passwords that are known to be compromised. If a password has not been compromised, then there is no reason to change it.

What are the three core components on the NIST Framework? ›

An Introduction to the Components of the Framework

The Cybersecurity Framework consists of three main components: the Core, Implementation Tiers, and Profiles. The Framework Core provides a set of desired cybersecurity activities and outcomes using common language that is easy to understand.

How long can a hacker crack your password? ›

The findings suggest that even an eight-character password — with a healthy mix of numbers, uppercase letters, lowercase letters and symbols — can be cracked within eight hours by the average hacker.

Are longer passwords harder to crack? ›

The longer the password, the longer it will take to crack. When a password cracker has more characters to fill to guess the correct password, it's exponentially less likely to get it right. In other words, you don't need a complex password with lots of fancy special characters if you have a long password.

What is the minimum recommended password length by Microsoft? ›

Best practices. Set minimum password length to at least a value of 8. If the number of characters is set to 0, no password is required. In most environments, an eight-character password is recommended because it's long enough to provide adequate security and still short enough for users to easily remember.

What would a good password policy include? ›

A strong password must be at least 8 characters long. It should not contain any of your personal information — specifically, your real name, username or your company name. It must be very unique from your previously used passwords. It should not contain any word spelled completely.

What are the NIST 800 53 password requirements? ›

NIST 800-53 (Moderate Baseline)

A minimum of eight characters and a maximum length of at least 64 characters. The ability to use all special characters but no special requirements to use them. Restrict sequential and repetitive characters (e.g. 12345 or aaaaaa).

What is the one problem with most password policies? ›

Password policies fail to solve the wider problems of user authentication. Even in the unlikely event that a policy is strong, up-to-date, and adhered to by all members of staff, password policies ultimately fail to solve the inherent weaknesses of credentials as an authentication mechanism.

What are the three rules for passwords? ›

Internet Security: The 3 Rules for Creating Strong Passwords
  • Rule 1 – Use more than eight characters. ...
  • Rule 2 – Always use different passwords for different platforms. ...
  • Rule 3 – Use a password manager. ...
  • Password policies for businesses. ...
  • Training your staff.

What are the three levels of password protection? ›

The three different levels used in the 3-level password authentication scheme are image ordering, color pixels and the one time password (OTP). We use different hash functions such as SHA-1, MD5 for the generation of OTP.



Author: Greg O'Connell

Last Updated: 05/19/2023
