The NIST password guidelines, as outlined in Special Publication (SP) 800-63B by the National Institute of Standards and Technology (NIST), are designed to enhance password strength. Since 2014, NIST password standards have been revised almost every year, taking insights from password cracking experts, vulnerable password practices, hacker behavior, and previous password breaches. This makes NIST standards the most influential, recommended standard for password creation. A NIST-compliant password is tough to crack yet simple to use.
NIST SP 800-63B extends beyond password best practices, also providing brief guidelines for the authentication and management of digital identities. The following table lists NIST's authenticator and verifier requirements found in SP 800-63B and how ADSelfService Plus can aid your organization in achieving compliance with these requirements.
| NIST requirement | Requirement description | How ADSelfService Plus helps meet the requirement |
|---|---|---|
| Section 5.1.1.1 | A memorized secret, i.e., a password, passphrase, or PIN, must have a minimum of eight characters. | With ADSelfService Plus' Password Policy Enforcer, you can customize the minimum password length to be eight characters or more, depending on your organization's requirement. You can also customize the maximum password length as necessary. |
| Section 5.1.1.1 | All American Standard Code for Information Interchange (ASCII) characters, including the space character, and Unicode characters should be accepted by verifiers in memorized secrets. | ADSelfService Plus allows you to configure the number of special, Unicode, numeric, uppercase, and lowercase characters that users must include in their passwords. You can also configure the character type with which a password must begin. |
| Section 5.1.1.1 | The default verifier-supplied memorized secrets should have a minimum length of six characters and be generated using an approved random bit generator. | ADSelfService Plus uses a random bit generator to auto-generate passwords with a default minimum length of seven characters. |
| Section 5.1.1.1 | Users should not be given hints by verifiers to assist them in recalling their memorized secret. | ADSelfService Plus does not provide password hints for users during identity verification. |
| Section 5.1.1.1 | Users' memorized secrets should not contain previously breached secrets, dictionary words, repetitive or sequential characters (e.g., aaaaaa, 1234abcd), or context-specific words, such as the name of the service, the username, and derivatives thereof. Verifiers must prompt users to choose a different secret if any of these conditions is satisfied. | ADSelfService Plus allows you to restrict users from using dictionary words, palindromes, predictable patterns, repeated characters, and consecutive characters from usernames and old passwords when setting new passwords. By integrating with Have I Been Pwned?, a breached password database, it ensures that your users do not set weak or compromised passwords during password resets and changes. |
| Section 5.1.1.1 | Verifiers should offer a password-strength meter to assist users in choosing strong memorized secrets. | ADSelfService Plus provides a Password Strength Analyzer that offers instant visual feedback on password strength when users change or reset their passwords. |
| Section 5.1.1.1 | Memorized secrets should not be changed periodically unless there is evidence of a compromise of the secret. | ADSelfService Plus does not encourage frequent or periodic end-user password changes. However, admins can trigger an automatic password reset action for users with potentially compromised passwords. |
| Section 5.1.1.1 | Users should be permitted to use the paste functionality while entering a memorized secret, which facilitates the use of password managers and increases the likelihood that users will choose stronger memorized secrets. | With ADSelfService Plus, you can allow or prevent users from using copy and paste functions in the password fields. |
| Section 5.1.1.1 | To assist users in successfully entering a memorized secret, verifiers should offer an option to display the secret, rather than a series of dots or asterisks, until it is entered. | ADSelfService Plus gives users the option to view their password while it is being entered. |
| Section 5.2.2 | To protect against online guessing attacks, consecutive failed authentication attempts on a single account should be limited to no more than 100. | ADSelfService Plus allows you to configure the number of failed logon attempts that are allowed for a user within a specified time and the lockout duration. |
| Section 5.2.2 | To reduce the likelihood that an attacker will lock a legitimate user out of their account, a CAPTCHA should be completed before attempting authentication. | ADSelfService Plus allows you to show or hide a CAPTCHA before a user attempts authentication. |
| Section 5.2.2 | To reduce the likelihood that an attacker will lock a legitimate user out of their account, risk-based or adaptive authentication techniques should be employed, which include use of IP address, geolocation, timing of request patterns, or browser metadata. | ADSelfService Plus provides conditional access policies that automatically require additional MFA methods, as configured, for suspicious access requests based on users' IPs, geolocations, time of access, and devices used. |
| Section 5.2.3 | Because of the security limitations identified in this section, biometrics should be used only as part of MFA alongside a physical authenticator (something you have) and not as a stand-alone authenticator. | ADSelfService Plus allows you to configure a biometric authenticator alongside other authenticators, including YubiKey, TOTPs, and smart cards. |
| Section 5.2.3 | No more than five consecutive failed authentication attempts should be allowed for the biometric authenticator. | ADSelfService Plus allows you to configure the number of failed logon attempts that are allowed for a user within a specified time. |
| Section 5.2.3 | After five consecutive failed biometric authentication attempts, a delay of at least 30 seconds before the next attempt should be imposed, or the biometric authenticator should be disabled entirely. | ADSelfService Plus allows you to configure the account lockout duration in case of a failed biometric authentication attempt. |
| Section 5.2.5 | To resist phishing and MITM attacks, verifier impersonation-resistant authentication mechanisms should be deployed. | ADSelfService Plus provides a phishing- and MITM-resistant FIDO passkeys authenticator, which repels verifier impersonation attempts with its public key cryptography technology. |
| Section 5.2.8 | To resist replay attacks, replay-resistant authentication mechanisms should be deployed. | ADSelfService Plus provides the FIDO passkeys authenticator, which resists replay attacks with its public key cryptography technology. |
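To make the Section 5.1.1.1 rows concrete, here is an added Python example of the verifier-side checks a memorized secret must pass (this is illustration code, not ADSelfService Plus or NIST code). The blocklist is a constructed stand-in for a breached-password and dictionary feed, and the run length of four, the NFKC normalization and the trailing-digit stripping are this example's own choices.

```python
import re
import unicodedata

MIN_LEN = 8   # SP 800-63B minimum for user-chosen memorized secrets
RUN_LEN = 4   # run length treated as "repetitive/sequential" (example choice)

# Constructed stand-in for a breached-password / dictionary blocklist.
BLOCKLIST = {"password", "qwerty", "letmein", "welcome", "iloveyou"}


def _normalize(secret: str) -> str:
    """NFKC-normalize so visually identical Unicode secrets compare equal."""
    return unicodedata.normalize("NFKC", secret)


def _has_run(s: str) -> bool:
    """True if s holds RUN_LEN identical chars (aaaa) or a straight
    ascending/descending code-point sequence (1234, dcba)."""
    for i in range(len(s) - RUN_LEN + 1):
        window = s[i:i + RUN_LEN]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def _stem(s: str) -> str:
    """Drop case, punctuation/whitespace and trailing digits so that
    'Password!2024' is caught as a derivative of 'password'."""
    s = re.sub(r"[\W_]+", "", s.casefold())
    return re.sub(r"\d+$", "", s)


def check_memorized_secret(secret: str, username: str = "",
                           service: str = "") -> list[str]:
    """Return the 5.1.1.1 rules the secret violates (empty list == accepted).
    Any printable ASCII (space included) and any Unicode is accepted as-is;
    no character-class composition rules are imposed."""
    s = _normalize(secret)
    problems = []
    if len(s) < MIN_LEN:
        problems.append("shorter than 8 characters")
    if _has_run(s):
        problems.append("repetitive or sequential characters")
    stem = _stem(s)
    if stem in BLOCKLIST:
        problems.append("matches a breached/dictionary word")
    for label, ctx in (("username", username), ("service name", service)):
        c = _stem(ctx)
        if len(c) >= 3 and c in stem:
            problems.append(f"contains the {label}")
    return problems
```

A verifier that rejects a secret should return the reason list to the user and prompt for a different secret, as the table's fifth row requires.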
Furthermore, NIST classifies authentication mechanisms into three categories and calls them Authenticator Assurance Levels (AAL): AAL1, AAL2, and AAL3. Click here to learn more about AALs and how they differ from each other.
ADSelfService Plus offers Password Policy Enforcer, Access Policy, and MFA capabilities to help your organization meet NIST password and authentication requirements.
The Password Policy Enforcer allows you to enforce a custom password policy that seamlessly integrates with the built-in AD password policies, providing more granular control. ADSelfService Plus' password policies can be set to enforce the following requirements:
These settings include mandating the number of special, numeric, and Unicode characters. You can also set the type of character with which the password must begin.
Satisfy the NIST password requirements by configuring the inclusion of alpha-numeric characters in passwords.
These settings help restrict the use of consecutive characters from usernames or previous passwords. Consecutive repetition of the same character can also be restricted.
Restrict users from re-using their previous passwords during password creation.
The settings under this tab help restrict custom dictionary words, patterns, and palindromes that might be commonly used.
Restrict users from using common patterns, dictionary words, and palindromes in their passwords.
These rules let you set both a minimum and maximum number of characters for the password.
Configure the minimum and maximum password length to satisfy the NIST password guidelines.
ADSelfService Plus allows you to define any number of self-service policies in a given domain. These policies can be configured as shown below so that your organization meets NIST guidelines for passwords.
ADSelfService Plus offers MFA for applications, both cloud-based and on-premises, and for endpoints. It helps you reduce your attack surface and protects your business by mandating a higher level of identity assurance.
Reasons why your organization needs ADSelfService Plus' MFA support:
Augment your business's cyberdefense with ADSelfService Plus, a one-size-fits-all solution that helps your employees adopt best practices for passwords.
Free Active Directory users from lengthy help desk calls by allowing them to self-service their password reset and account unlock tasks. ADSelfService Plus' ‘Change Password’ console gives Active Directory users a hassle-free password change.
Get seamless one-click access to 100+ cloud applications. With enterprise single sign-on, users can access all their cloud applications with their Active Directory credentials, thanks to ADSelfService Plus.
Notify Active Directory users of their impending password or account expiry by emailing them password and account expiry notifications.
Automatically synchronize Windows Active Directory user password and account changes across multiple systems, including Office 365, G Suite, IBM iSeries, and more.
Ensure strong user passwords that resist various hacking threats with ADSelfService Plus by requiring Active Directory users to set compliant passwords, with the password complexity requirements displayed to them.
A portal that lets Active Directory users update their information, with a quick search facility for looking up peers by search keys, such as the contact number of the person being searched for.