FBI and NIST Password Best Practice Article

Marc (Moderator, Beta Tester)
A nice read with some good recommendations on using stronger passwords... Read here


"Here are the recommendations from NIST for your organization:

  • Require everyone to use longer passwords or passphrases of 15 or more characters without requiring uppercase, lowercase, or special characters.
  • Only require password changes when there’s a reason to believe your network has been compromised.
  • Have your network administrators screen everyone’s passwords against lists of dictionary words and passwords known to have been compromised.
  • To help prevent a denial of service attack against your email service, don’t lock a user’s account after a certain number of incorrect login attempts. That way, even if an adversary floods your network with purposefully incorrect login information, your users won’t be locked out of their accounts.
  • Don’t allow password “hints.”"

Thats Daphnee, she's a good dog...
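The quoted recommendations (length instead of composition rules, screening against dictionary and breached-password lists, and resetting only on suspected compromise) can be expressed as a small policy check. This is an added example, not code from the article or from Fing; the breach hashes and dictionary words are constructed sample data, and a real deployment would load full lists.

```python
import hashlib
import unicodedata

# Constructed sample data for this example (not a real breach corpus):
# SHA-1 digests of a few passwords that appear in public breach dumps.
KNOWN_COMPROMISED = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ("password123456789", "correcthorsebatterystaple", "qwertyuiopasdfghjkl")
}
# Constructed mini dictionary; a real deployment would load a full word list.
DICTIONARY_WORDS = {"password", "welcome", "summer", "letmein", "administrator"}

MIN_LENGTH = 15  # the length floor from the quoted NIST/FBI guidance


def screen_password(candidate: str) -> list[str]:
    """Return the policy failures for a proposed password (empty list = accepted).

    Deliberately no uppercase/lowercase/digit/special-character rules: the
    quoted guidance replaces composition rules with length plus screening.
    """
    failures = []
    # Normalise so visually identical strings produce the same digest.
    pw = unicodedata.normalize("NFKC", candidate)
    if len(pw) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    # Compare digests, so the screening list never has to hold plaintext.
    if hashlib.sha1(pw.encode("utf-8")).hexdigest() in KNOWN_COMPROMISED:
        failures.append("found in a known-compromised password list")
    # Reject a bare dictionary word, including one padded with trailing digits
    # (the "old_password + '1'" pattern mentioned later in the thread).
    if pw.lower().rstrip("0123456789") in DICTIONARY_WORDS:
        failures.append("dictionary word")
    return failures


def password_change_required(suspected_compromise: bool, age_days: int) -> bool:
    """Force a change only on evidence of compromise; age alone never triggers one."""
    return suspected_compromise
```

The screening step runs at password-set time and on incoming breach data, which is what lets the lockout-free login policy in the quote stay safe: weak and already-leaked passwords are rejected before an attacker could guess them.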


  • Carlo_from_Fing (Rome, Italy; Administrator, Fing Team)
    Interesting... it's not 100% aligned with current standards, like the annoying one of expiring passwords, which in most cases becomes new_password = old_password + '1' :smiley:

    Carlo from Fing

  • Marc (Moderator, Beta Tester)
    @Carlo_from_Fing, I wish there was a universal cross-platform way of doing biometrics. I did read that Microsoft was also suggesting eliminating expiring passwords. Here...
    Thats Daphnee, she's a good dog...
  • OKC (Member, Beta Tester)
    edited March 2020
    Interesting thread. I found something while searching for @Sweetiepie and came up with this:
    I thought it was another folklore but it appears that there is some merit to it. I could see this being abused.

  • Ciaran (Administrator)
    Yes, @OKC, I agree... of course it could be used for so many positive reasons, but as with many things throughout history, it could easily be used and abused :pensive:
    Ciaran (Admin at Fing)
    Getting Started? Please refer to Community guidelines & Community User Guides("Helping Hand"). HAPPY POSTING!!!
  • AustinJerry (Member)
    I have been using a password manager for years now (LastPass). The app is installed on my desktop PC, my laptop, and all of my iOS mobile devices. It allows me to generate and store random, complex, and unique passwords of a specified length (I use 20 characters) for everything that requires a password—web sites, networks, etc. It provides strong security and eliminates the complexity of having to remember passwords. It also will run a “security check” for all of the stored passwords, identifies password strength or weakness, and provides the date when the password was last changed. I have the password manager app set up for two-factor authentication on all the mobile devices to protect access in case the device is lost. Highly recommended. I can’t imagine not using a password manager.
    Fingbox owner from the beginning