Password maintenance: Enhancing security and usability

July 05, 2023

Best practices for password maintenance and NIST guidelines for password security

Passwords have become a part of our daily lives at work and at home. Even as new identification tools have gradually entered the marketplace, the password has remained a constant for many websites and applications.

Unfortunately, password best practices have not evolved to match sophisticated cybercrime operations.

Weak and stolen passwords accounted for 50% of hacking-related breaches – and a stunning 77% of basic web application attacks – in the 2024 Data Breach Investigations Report conducted by Verizon. Further, the Identity Theft Resource Center (ITRC) found more than 1,800 breaches in the U.S. in 2022, just 60 events short of the all-time high of 1,862 set in 2021. 

Since it began tracking incidents back in 2005, ITRC has identified 19.7 billion records that were exposed by data breaches, impacting more than 11.8 billion victims. In many cases, investigations determined that the password was the weakest link. These findings have unleashed widespread scrutiny around authentication practices.

Companies develop their data authentication practices based on standard-setting organizations like the NIST, which sets guidance for U.S. government agencies. Although its guidelines for passwords and authentication have seen minor revisions since NIST first released them in 2017, their main themes remain the same.

After analyzing what makes an effective password (and what doesn’t), the institute argues for a more flexible, simpler approach to password management. However, these standards still aim to maintain effective authentication and robust security controls to prevent unauthorized access to data and resources.

A look at the NIST password guidelines

While traditionally in favor of increasingly complex passwords and passphrases, NIST now argues for a usability-focused approach, asserting that users will opt for passwords they can easily remember.

For example, a password that adheres to the traditional randomized mix of characters may be as simple as “P@ssw0rd,” which hackers are capable of cracking quickly. Another example would involve a user bypassing creating a new password at expiry, such as using a sliding number scale at each expiration, (e.g., “Password1, Password2, Password3…”). If hackers previously obtained the user’s credentials, they may easily guess any successive passwords.

In short, the NIST guidelines suggest the following:

  • Reduce how often employees are required to change passwords
  • No longer require complexity of characters in passwords
  • Enforce a required minimum password length of eight characters

NIST recommends that individuals opt for harder-to-guess passphrases involving strings of random words and characters. This would deter individuals from using simple passwords and make it less likely to circumvent the purpose of the enforced password policies.

With these guidelines, NIST looks to fold passwords into the larger authentication process. A usable but hard-to-guess password, combined with other authentication factors like biometric information or personal tokens, can create a more meaningful (and more secure) data security system.  

Where do passwords fit in the authentication process?

When we talk with our customers, we define authentication with three factors:

  1. Something a person knows 
  2. Something a person has
  3. Something a person is

Passwords fall into the first category. However, the best method for authentication is a strong, layered approach that requires more than one type. We’ve already witnessed the weaknesses of category 1 identification, whether it’s a password used multiple times across multiple logins or easy-to-guess security questions.

"A usable but hard-to-guess password, combined with other authentication factors like biometric information or personal tokens, can create a more meaningful (and more secure) data security system."

Use these guidelines as a reason to review your password policy

NIST guidelines intend to relax the complexities from a password system. However, passwords aren’t going away anytime soon. Whether or not your company decides to follow the NIST guidelines, it’s important to periodically review your authentication practices and information security training. Here are some best practices.

1. Use passphrases instead of password

  • Avoid commonly used words in these phrases, but use words that are easy for you to remember.
  • Avoid any personal information about you or your family. The longer, the better – each letter makes it more difficult for a hacker to crack.

2. Educate employees on lesser-known dangers of password use

  • Show them to be suspicious of any social engineering or phishing attempts to gain password information.
  • Ask that employees do not store passwords in documents on their local desktop or on papers in their working area.

3. Assess the risks of any documents accessible by employees

  • Review current access rights for your documents, and determine whether access is appropriately restricted.
  • Determine if any high-risk resources should require multi-factor authentication or other mitigating controls.

4. Review detective controls, including logging and monitoring

  • This allows for quick recovery of incidents and the ability to investigate what went wrong in order to prevent further incidents.

5. Periodically examine applications, operating systems and databases

  • Focus on identifying default passwords still in use, especially for privileged accounts.

Password management is just one part of the process

While NIST encourages a less complex password system, those passwords are just one part of the authentication process. With cybercrime growing more sophisticated each year, you don’t want to be caught off guard.

If you need help updating your password system, or if you want to strengthen your authentication process, NIST offers more resources on its website.

Related content

The password: Enhancing security and usability

Fight the battle against payments fraud

Risk management strategies for foreign exchange hedging

How to keep your assets safe

10 ways a global custodian can support your growth

Fraud prevention checklist

The benefits of a full-service warehouse custodian

3 tips to maintain flexibility in supply chain management

Insource or outsource? 10 considerations

Liquidity management: A renewed focus for European funds

Proactive ways to fight vendor fraud

Avoiding the pitfalls of warehouse lending

5 Ways to protect your government agency from payment fraud

How to improve your business network security

The latest on cybersecurity: Mobile fraud and privacy concerns

Cybersecurity – Protecting client data through industry best practices

Post-pandemic fraud prevention lessons for local governments

Third-party vendor risk: protecting your company against cyber threats

Cybercrisis management: Are you ready to respond?

White Castle optimizes payment transactions

Webinar: Approaching international payment strategies in today’s unpredictable markets.

Increase working capital with Commercial Card Optimization

The future of financial leadership: More strategy, fewer spreadsheets

The surprising truth about corporate cards

Automate accounts payable to optimize revenue and payments

How to improve digital payments security for your health system

5 questions you should ask your custodian about outsourcing

Alternative investments: How to track returns and meet your goals

Protecting cash balances with sweep vehicles

Manufacturing: 6 supply chain optimization strategies

Keep your finances safe and secure: Essential tips for preventing check fraud

How to spot an online scam

What is financial fraud?

Authenticating cardholder data reduce e-commerce fraud

Mobile banking tips for smarter and safer online banking

Why Know Your Customer (KYC) — for organizations

5 winning strategies for managing liquidity in volatile times

Healthcare marketing: How to promote your medical practice

Small business growth: 6 strategies for scaling your business

Why a mobile banking app is a ‘must have’ for your next vacation

Money muling 101: Recognizing and avoiding this increasingly common scam

How-to guide: What to do if your identity is stolen

Learn to spot and protect yourself from common student scams

BEC: Recognize a scam

Hospitals face cybersecurity risks in surprising new ways

Cryptocurrency custody 6 frequently asked questions

4 ways to outsmart your smart device

Webinar: How to stay safe from cyberfraud

Webinar: Robotic process automation

Webinar: CRE Digital Transformation – Balancing Digitization with cybersecurity risk

Hospitals face cybersecurity risks in surprising new ways

Webinar: CRE Digital Transformation – Balancing Digitization with cybersecurity risk

How you can prevent identity theft

Authenticating cardholder data reduce e-commerce fraud


Start of disclosure content

Loan approval is subject to credit approval and program guidelines. Not all loan programs are available in all states for all loan amounts. Interest rate and program terms are subject to change without notice. Mortgage, Home Equity and Credit products are offered through U.S. Bank National Association. Deposit products are offered through U.S. Bank National Association. Member FDIC.