Password Security Best Practices

Password security sits at the foundation of every access control framework across public and private sector environments. Weak or reused credentials remain among the most exploited attack vectors in data breaches: the Verizon Data Breach Investigations Report 2023 found stolen or compromised credentials involved in over 49% of the breaches it analyzed. This page covers the technical definition of password security controls, how credential management mechanisms operate, the scenarios in which failures occur, and the standards-based thresholds that distinguish adequate from inadequate practice. The Cyber Safety Directory provides context for where these standards apply across the service landscape.


Definition and scope

Password security encompasses the policies, technical controls, and procedural requirements governing how authentication credentials are created, stored, transmitted, and retired. Within the broader identity and access management (IAM) discipline, password controls are classified as a subset of authentication assurance — a spectrum running from single-factor password authentication at the lower end to phishing-resistant multi-factor authentication (MFA) at higher assurance levels.

The authoritative US government reference for password guidance is NIST Special Publication 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management, published by the National Institute of Standards and Technology. NIST 800-63B defines three Authenticator Assurance Levels (AAL1, AAL2, AAL3) and establishes specific requirements for memorized secrets — the technical term for passwords and PINs — at each level. AAL2 requires at minimum a second authentication factor alongside the password; AAL3 requires hardware-based authentication.

Scope extends across sectors. The Health Insurance Portability and Accountability Act (HIPAA) Security Rule (45 CFR §164.308(a)(5)(ii)(D)) mandates password management procedures as an addressable implementation specification for covered entities. The Payment Card Industry Data Security Standard (PCI DSS v4.0), maintained by the PCI Security Standards Council, sets minimum password length at 12 characters for new system implementations under Requirement 8.3. Federal civilian agencies operate under NIST SP 800-53 Rev 5 control family IA (Identification and Authentication), which maps directly to the 800-63B assurance levels.


How it works

Password security operates through four discrete control layers:

  1. Creation controls — Enforce minimum length, character set diversity, and prohibition of commonly used or previously breached passwords. NIST 800-63B explicitly discourages mandatory complexity rules (e.g., forced uppercase + symbol combinations) in favor of length requirements and screening against known-compromised password lists. The recommended minimum for memorized secrets is 8 characters for user-selected passwords and 6 characters for system-generated passwords, which draw on a higher-entropy random source.

  2. Storage controls — Passwords must never be stored in plaintext. The cryptographic standard for storage is salted hashing with a deliberately slow, memory-hard algorithm; bcrypt, scrypt, and Argon2 are the functions named in current OWASP guidance (OWASP Password Storage Cheat Sheet). MD5 and SHA-1 are explicitly deprecated for password hashing because they are fast enough to make brute-force and dictionary attacks against stolen hashes computationally feasible.

  3. Transmission controls — Credential transmission must occur exclusively over encrypted channels. TLS 1.2 is the minimum acceptable protocol per NIST SP 800-52 Rev 2, with TLS 1.3 preferred for new deployments. Plaintext protocols (HTTP, FTP, Telnet) are incompatible with compliant credential transmission.

  4. Lifecycle controls — Password rotation requirements have been revised significantly in NIST 800-63B. Periodic forced rotation without cause is no longer recommended because evidence showed it produces predictable, weaker passwords (e.g., incrementing numbers appended to a base word). Rotation is required when compromise is known or suspected. Account lockout thresholds — commonly set at 5 to 10 failed attempts — and rate limiting protect against online brute-force attacks.
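The four layers above, worked into one small Python module. This is an added example, not code from the original page or from any of the standards it cites; it assumes Python's standard-library scrypt (hashlib.scrypt) as the memory-hard function, example work factors of N=2**14, r=8, p=1, a lockout threshold of 5 failures for 15 minutes, and a TLS 1.2 floor set on a client ssl context. The record format ("scrypt$N$r$p$salt$hash") is an assumption chosen so that parameters travel with the hash.

```python
import base64
import hashlib
import hmac
import os
import ssl
import time

# Assumed scrypt work factors for this example: N=2**14, r=8, p=1 needs about 16 MiB,
# which fits inside hashlib.scrypt's default memory limit. Raise N as hardware allows.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str) -> str:
    """Storage layer: salted, memory-hard hash.

    A fresh 16-byte random salt per password means two users with the same
    password get different records, so precomputed hash tables are useless.
    """
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    # Self-describing record: parameters travel with the hash so they can be
    # raised later and old records re-hashed on the next successful login.
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and parameters, compare in constant time."""
    try:
        algo, n, r, p, salt_b64, digest_b64 = record.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"),
                               salt=base64.b64decode(salt_b64),
                               n=int(n), r=int(r), p=int(p), dklen=32)
    # compare_digest does not stop at the first mismatching byte, so timing
    # does not reveal how much of the hash matched.
    return hmac.compare_digest(candidate, base64.b64decode(digest_b64))


def client_tls_context() -> ssl.SSLContext:
    """Transmission layer: refuse anything below TLS 1.2, the NIST SP 800-52 Rev 2 floor."""
    ctx = ssl.create_default_context()  # certificate verification and hostname checks stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


class LoginGuard:
    """Lifecycle layer: lock an account after `max_failures` consecutive failures.

    `clock` is injectable so lockout expiry can be tested without sleeping.
    """

    def __init__(self, max_failures: int = 5, lockout_seconds: int = 900,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures: dict[str, int] = {}        # user -> consecutive failures
        self._locked_until: dict[str, float] = {}  # user -> clock value

    def is_locked(self, username: str) -> bool:
        return self.clock() < self._locked_until.get(username, 0.0)

    def attempt(self, username: str, password: str, record: str) -> str:
        """Returns 'locked', 'ok' or 'denied'. A locked account is not checked at all,
        so a correct guess during the lockout window neither succeeds nor leaks."""
        if self.is_locked(username):
            return "locked"
        if verify_password(password, record):
            self._failures.pop(username, None)  # success resets the counter
            return "ok"
        count = self._failures.get(username, 0) + 1
        self._failures[username] = count
        if count >= self.max_failures:
            self._locked_until[username] = self.clock() + self.lockout_seconds
            self._failures.pop(username, None)
        return "denied"


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    guard = LoginGuard()
    for _ in range(5):
        print(guard.attempt("alice", "wrong guess", record))
    print(guard.attempt("alice", "correct horse battery staple", record))
```

Two design points worth noting: the hash record carries its own parameters, which is what lets an operator raise the work factor later without a migration; and the lockout check happens before any hash computation, so a locked account costs the verifier nothing and gives a caller no signal about the password.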

These layers depend on one another rather than simply adding up: a strong creation policy is undermined by weak storage, and secure storage is irrelevant if transmission is unencrypted.


Common scenarios

Credential stuffing occurs when attacker-held breach databases — containing username/password pairs from prior incidents — are used to attempt login across other services, exploiting password reuse. The HaveIBeenPwned database, maintained by security researcher Troy Hunt, indexed over 12 billion breached accounts as of 2023, illustrating the scale of exposed credential material available to attackers.

Phishing-based credential harvesting targets the authentication exchange directly rather than attacking stored hashes. Multi-factor authentication reduces, but does not eliminate, this risk — push-based MFA (one-tap approval notifications) remains vulnerable to MFA fatigue attacks, a technique documented in the 2022 Uber breach.

Privileged account compromise represents a distinct risk tier. Administrative and service account credentials, if compromised, expose entire infrastructure layers. The CIS Controls v8, maintained by the Center for Internet Security (CIS), address this under Control 5 (Account Management) and Control 6 (Access Control Management), requiring separate credential sets for privileged functions.

Weak default credentials on network-connected devices remain a persistent entry vector. The Mirai botnet, active from 2016 onward, exploited factory-default credentials across IoT devices. The Federal Trade Commission has pursued enforcement actions against device manufacturers under Section 5 of the FTC Act for shipping products with known-weak default authentication. Professionals navigating this sector can reference the Cyber Safety listings for vetted service providers operating in this space.


Decision boundaries

Password security decisions involve tradeoffs between usability and assurance level. The following classification boundaries reflect published standards, not organizational preference:

Password-only authentication (AAL1) is acceptable only for low-impact systems where compromise results in no material harm — NIST 800-63B defines this as systems where identity assurance carries no legal, financial, or safety consequence. Federal systems handling sensitive data cannot operate at AAL1 under OMB Memorandum M-22-09, which mandates phishing-resistant MFA for federal agency staff.

Password + second factor (AAL2) is the baseline requirement for most regulated environments, including HIPAA-covered healthcare portals, PCI-scoped cardholder data environments, and state-regulated financial platforms. AAL2 permits time-based one-time passwords (TOTP), hardware OTP tokens, and push-based authenticators as the second factor — but not SMS OTP for high-risk contexts, which NIST 800-63B classifies as a restricted authenticator.

Phishing-resistant MFA (AAL3) is required for privileged access to federal systems under M-22-09, covering network infrastructure access and all agency administrator accounts. FIDO2/WebAuthn and PIV/CAC hardware tokens are the recognized implementation paths at AAL3.

The contrast between complexity-based and length-based password policies is operationally significant. Complexity-based policies (mandatory symbols, case mixing, numbers) consistently produce shorter passwords with predictable substitution patterns (@ for a, 3 for e). Length-based policies allowing passphrases of 15 or more characters produce higher entropy without increasing user cognitive burden — a finding that drove the NIST 800-63B revision away from legacy complexity mandates. Organizations still enforcing 90-day rotation with complexity rules without a compensating control are operating outside current federal guidance.
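To make the complexity-versus-length contrast concrete, here is an added example (not from the original page) that evaluates the same candidate passwords under both policy styles. The complexity policy is the legacy "8 characters with four character classes" rule; the length-based policy uses a 12-character minimum (the PCI DSS figure cited above, chosen here as an assumption; NIST's floor is 8) plus screening against a compromised-password list after undoing the substitutions the page mentions. The compromised list and the substitution table are constructed for the example, and the search-space estimate is the naive figure a complexity rule implicitly assumes, included to show how a dictionary stem makes it meaningless.

```python
import math
import string

# Constructed stand-in for a real compromised-password corpus (assumption).
COMPROMISED = frozenset({"password", "welcome", "letmein", "summer", "qwerty", "monkey"})

# Common substitutions (the page's "@ for a, 3 for e" and a few more), undone before
# screening so that "P@ssw0rd" is recognised as the dictionary word it is.
SUBSTITUTIONS = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i",
                               "0": "o", "$": "s", "5": "s", "7": "t"})


def canonical_stem(pw: str) -> str:
    """Lowercase, drop a trailing run of digits/symbols (the '1!' in 'P@ssw0rd1!'),
    then undo substitutions. Stripping before translating keeps a trailing '0'
    from being read as a letter."""
    stem = pw.lower().rstrip(string.digits + string.punctuation)
    return stem.translate(SUBSTITUTIONS)


def complexity_policy(pw: str) -> list:
    """Legacy rule: at least 8 characters with upper, lower, digit and symbol. No screening."""
    classes = [any(c.isupper() for c in pw), any(c.islower() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw)]
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not all(classes):
        problems.append("missing a required character class")
    return problems


def length_policy(pw: str, min_len: int = 12) -> list:
    """NIST 800-63B style: a length floor plus screening; no character-class rules."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if canonical_stem(pw) in COMPROMISED:
        problems.append("based on a known-compromised password")
    return problems


def naive_search_bits(pw: str) -> float:
    """log2 of the brute-force space a complexity rule assumes: every position drawn
    uniformly from the union of classes present. Overstates strength for any
    password whose stem is a dictionary word."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 ASCII symbols
    if " " in pw:
        size += 1
    return round(len(pw) * math.log2(size), 1) if size else 0.0


def assess(pw: str) -> dict:
    return {"complexity_policy": complexity_policy(pw),
            "length_policy": length_policy(pw),
            "stem": canonical_stem(pw),
            "naive_bits": naive_search_bits(pw)}


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1!", "Welc0me2023!", "correct horse battery staple"):
        print(candidate, assess(candidate))
```

The instructive pair is "P@ssw0rd1!", which satisfies every complexity rule and shows a respectable naive figure while reducing to "password" after normalisation, and "correct horse battery staple", which fails the complexity rule outright yet passes the length-based policy with a far larger search space. Screening on the canonical stem is what lets the length-based policy reject the first without any character-class rule at all.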

For professionals assessing how these controls map to specific service environments or compliance requirements, the how to use this cyber safety resource page describes the scope and structure of listings available through this directory.

