FBI and NIST Password Best Practice Article

Marc Moderator, Beta Tester Posts: 3,159
250 Answers 1,000 Likes 2500 Comments 250 Awesomes
I nice read with some good recommendations on using stronger passwords... Read here


"Here are the recommendations from NIST for your organization:

  • Require everyone to use longer passwords or passphrases of 15 or more characters without requiring uppercase, lowercase, or special characters.
  • Only require password changes when there’s a reason to believe your network has been compromised.
  • Have your network administrators screen everyone’s passwords against lists of dictionary words and passwords known to have been compromised.
  • To help prevent a denial of service attack against your email service, don’t lock a user’s account after a certain number of incorrect login attempts. That way, even if an adversary floods your network with purposefully incorrect login information, your users won’t be locked out of their accounts.
  • Don’t allow password “hints.” "

Thats Daphnee, she's a good dog...


  • Carlo_from_Fing
    Carlo_from_Fing Rome, ItalyAdministrator, Fing Team Posts: 247
    100 Likes 100 Comments 5 Answers 25 Awesomes
    Interesting... it's not 100% aligned with current standards, like the annoying one of expiring passwords, which in most cases becomes new_password = old_password + '1' :smiley:

    Carlo from Fing

  • Marc
    Marc Moderator, Beta Tester Posts: 3,159
    250 Answers 1,000 Likes 2500 Comments 250 Awesomes
    @Carlo_from_Fing, I wish there was a universal cross platform way of doing biometrics. I did read that Microsoft was also suggesting eliminating expiring passwords.  Here...
    Thats Daphnee, she's a good dog...
  • OKC
    OKC Member, Beta Tester Posts: 75
    5 Answers 10 Comments First Anniversary 5 Agrees
    edited March 6, 2020 #4
    interesting thread. I found something while searching for @Sweetiepie and came up with this;
    I thought it was another folklore but it appears that there is some merit to it. I could see this being abused.

    [Deleted User]
  • The user and all related content has been deleted.
  • AustinJerry
    AustinJerry Member Posts: 108
    Third Anniversary 25 Likes 10 Comments Name Dropper
    I have been using a password manager for years now (LastPass).  The app is installed on my desktop PC, my laptop, and all of my iOS mobile devices.  It allows me to generate and store random, complex, and unique passwords of a specified length (I use 20 characters) for everything that requires a password—web sites, networks, etc.  it provides strong security and eliminates the complexity of having to remember passwords.  It also will run a “security check” for all of the stored passwords, identifies password strength or weakness, and provides the date when the password was last changed.  I have the password manager app set up for two-factor authentication on all the mobile devices to protect access in case the device is lost.  Highly recommended.  I can’t imagine not using a password manager.
    Fingbox owner from the beginning