2022 NIST Password Updates

How To Implement 2022 NIST Password Updates into Your Policy – Updated for 2023

With the increasing number of cyberattacks, it is more important than ever to have up-to-date password policies in place for your business. The National Institute of Standards and Technology (NIST) has released new guidelines for passwords, and we are here to help you implement them into your existing policy. In this blog post, we will discuss the updates made by NIST and how you can apply them to your organization. 

Enable Multi-Factor Authentication

One of the most important updates made by NIST is the recommendation to enable multi-factor authentication (MFA) for all users. MFA adds an extra layer of security to your login process and makes it more difficult for attackers to gain access to your systems. There are many different types of MFA, so you can choose the one that best suits your organization. Some common options include:

  • Text messages/phone calls with one-time passwords
  • One-time codes generated by an app
  • Fingerprint scanning

Require Strong Passwords

Another important update from NIST is the recommendation to require strong passwords for all users. A strong password is one that is difficult to guess and is not easily cracked. You can enforce strong password requirements by setting a minimum length for passwords, requiring special characters, and disallowing dictionary words.

Don’t Make Mandatory Password Changes

One of the most commonly used password policies is to require users to change their passwords on a regular basis. However, NIST now recommends that this practice be discontinued, because regularly changing passwords can actually lead to weaker passwords and make it more difficult for users to remember their login information.

Limit Password Attempts

Another way to help protect your systems from attackers is to limit the number of times a user can attempt to enter their password. This will prevent brute-force attacks from succeeding and will lock out users who enter the wrong information too many times.

Limiting password attempts keeps your accounts secure because it keeps attackers from guessing until they get the right one. You can easily access your accounts by using a password manager so that you don’t accidentally lock yourself out by typing your password incorrectly.
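As an added illustration (example code written for this post, not Envision's own), the following per-account throttle locks an account after a fixed number of failed attempts and rejects even the correct password until the lockout window expires; the threshold and window are assumed policy values:

```python
import time

MAX_ATTEMPTS = 5           # failed attempts allowed before lockout (assumed policy value)
LOCKOUT_SECONDS = 15 * 60  # how long an account stays locked (assumed policy value)


class AccountState:
    """Failure counter and lockout deadline for one account."""

    def __init__(self):
        self.failures = 0
        self.locked_until = 0.0


class LoginThrottle:
    """Tracks failed logins per account and locks the account after MAX_ATTEMPTS."""

    def __init__(self, clock=time.time):
        self.clock = clock      # injectable clock so the behaviour can be tested offline
        self.accounts = {}      # username -> AccountState

    def _state(self, user):
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user):
        return self.clock() < self._state(user).locked_until

    def attempt(self, user, password_ok):
        """Record one login attempt and return 'locked', 'ok' or 'failed'."""
        st = self._state(user)
        if self.is_locked(user):
            # Rejected regardless of the password, so a lockout cannot be bypassed
            return "locked"
        if password_ok:
            st.failures = 0     # a successful login resets the counter
            return "ok"
        st.failures += 1
        if st.failures >= MAX_ATTEMPTS:
            st.locked_until = self.clock() + LOCKOUT_SECONDS
            st.failures = 0
            return "locked"
        return "failed"
```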

Salt and Hash Your Passwords

One of the best ways to protect your passwords is to salt and hash them. This means that you add a random string of text (the salt) to each password before hashing it. This makes it more difficult for attackers to crack your passwords, as they will not know the salt used in the hashing process.

You can easily salt and hash your passwords by using a password management tool. This will protect your passwords and make it easier for you to log in to your accounts.

Use Long Passwords Over Complex Ones

While it is important to use strong passwords, you don’t need to make them too complex. In fact, using long passwords that are easy to remember is a better option than using complicated ones. You can create long passwords by combining multiple words into one phrase. For example, “I love cats and dogs” could be turned into “ilovecatsanddogs”.

Make sure to use different passwords for each of your accounts and never share them with anyone. This will help keep your data safe and secure.

Remove Password Hints and Knowledge-Based Authentication (KBA)

Knowledge-based authentication, also known by its acronym KBA, is an authentication method based on a series of knowledge questions used to verify a person’s identity and keep unauthorized people out of an account. An example of a knowledge-based authentication question is “The name of your elementary school”. The NIST password guidelines recommend removing all knowledge-based authentication questions and instead having users confirm their identity and reset their password using MFA or 2FA.

The NIST updates provide a number of best practices for strengthening your password policies. Make sure to enable MFA, require strong passwords, and salt and hash your passwords. You can also use long passwords that are easy to remember. These steps will help keep your data safe and secure.

To learn more about increasing your cybersecurity, reach out to our team of IT professionals at Envision today and schedule your initial consultation.

Envision Consulting

We started Envision Consulting for businesses that share our passion for building long-term and healthy relationships. While we might be technology experts, we’ve always known that trust, reliability and looking after a client’s best interest are paramount to succeeding in business. But in 2001, and to this day, there were few managed IT providers available that embodied our customer-centric values. There were countless support companies more interested in reacting to issues than paving the road forward for clients, making it far too difficult to build long-term relationships. We felt a strong pull to make something different, and we did.