Elevate Your Password Security: A Cybersecurity Awareness Month Special

In a digital landscape filled with potential threats, your online security hinges on the strength of your passwords. October is Cybersecurity Awareness Month, making it the perfect time to revisit your password practices and bolster your digital defences. The National Institute of Standards and Technology (NIST), a renowned authority in cybersecurity, offers a comprehensive framework for password security that is pivotal for safeguarding both organisational data and your personal online presence.

The Significance of Strong Passwords

Before we delve into the specifics of NIST’s guidelines, let’s underline the crucial role strong passwords play in the realm of cybersecurity. Passwords are your initial line of defence against unauthorised access to your accounts, personal information, and sensitive data. Weak passwords are like open doors inviting cybercriminals in, while strong passwords act as the locks that keep them out.

NIST’s Password Guidelines for Consumers

NIST’s Special Publication 800-63B, known as the “Digital Identity Guidelines,” furnishes a robust set of recommendations for creating and maintaining secure passwords. Here’s how you can implement these guidelines to fortify your personal online security:

1. Passphrases Over Passwords

NIST emphasises the use of passphrases over conventional passwords. Passphrases, composed of multiple words or a sentence, are longer and easier to remember. For instance, “CoffeeLover$MakeGreatMornings!” is a strong passphrase that is not only secure but also user-friendly.

2. Longer is Better

NIST suggests a minimum password length of 12 characters. Longer passwords offer enhanced security, as they present a more formidable challenge to attackers attempting to crack them. To boost complexity, incorporate a mix of uppercase and lowercase letters, numbers, and special characters. The concept of a passphrase comes into its own when combined with this suggestion. Using your favourite sentence from a book can be a great start to a strong password.

3. Avoid Common Words and Patterns

Steer clear of easily guessable passwords. NIST recommends avoiding common words, phrases, and patterns like “123456,” “password,” or “qwerty,” as they are susceptible to dictionary attacks.

This advice from NIST also applies to personal details such as your company name, birthday, names of family members, and so on.

4. Regular Password Updates

NIST no longer endorses frequent password changes, which can lead to weaker passwords due to predictable patterns (e.g., “password1,” “password2,” and so on). Instead, change your password only when there is a known compromise or if you suspect unauthorised access.

While I admit, this is the most contentious piece of advice in this article, I stand by it. If you have a sufficiently long and complex password, there is no requirement to change the password. Password strength checkers estimate the above password “CoffeeLover$MakeGreatMornings!” would take 13 centuries to crack. A string of 19 random characters with a mix of lower case, upper case, numbers and symbols would take 2 thousand trillion years.

Microsoft Edge, Google Chrome, and Mozilla Firefox all have functionality built into their password managers to alert you to compromised passwords, as do the major password managers on the market.

5. Embrace Multi-Factor Authentication (MFA)

Implementing MFA is strongly encouraged. It adds an additional layer of security by requiring something you know (your password) and something you have (e.g., a mobile app or a hardware token) to access your accounts. Most major services will offer some form of MFA for accounts. And if they don’t, you should strongly consider whether you need to use the service and what kind of data of yours they are storing.

Why is NIST guidance relevant to me?

NIST’s password security guidelines hold crucial significance, not only for organisations, but also for individual consumers, for several compelling reasons:

1. Expertise and Credibility

NIST is a highly respected and authoritative institution in the realm of technology and cybersecurity. Their recommendations are developed by experts who continuously analyse and adapt to the ever-evolving threat landscape.

2. Real-World Testing

NIST’s guidelines are grounded in real-world security testing and research, stemming from a profound understanding of how cyberattacks occur and how to effectively counter them.

3. Ongoing Updates

NIST’s willingness to adapt its guidelines to changing circumstances ensures that their recommendations remain pertinent and effective in the face of emerging threats.

4. Wide Applicability

NIST guidelines aren’t just reserved for government agencies; they are widely used by organisations and individuals around the world. This broad acceptance underscores their practicality and effectiveness.

5. Personal Cyber Resilience

By adhering to NIST’s recommendations, you can significantly bolster your personal cybersecurity stance and enhance your resilience against emerging threats. NIST’s focus on secure, user-friendly practices, such as using passphrases and implementing MFA, positions it as a valuable benchmark for achieving cyber resilience as a consumer.


In conclusion, NIST’s recommendations for password security provide a robust framework to strengthen your personal defences against the ever-evolving digital threat landscape. By adopting the latest guidance outlined in Special Publication 800-63B, you can fortify your digital identity and maintain cyber resilience. Remember, your password is your first line of defence, and NIST’s guidelines set the standard for building a secure fortress in the digital age.

If you are concerned about creating complex passwords you can remember even with the above advice, you may want to look into password managers. They all come with various security features and at different price points, but you are guaranteed to find one that meets your needs.

