MS-ISAC Security Primer – Organizational Password Best Practices

The MS-ISAC recommends organizations establish a standard for the creation, maintenance, and storage of strong passwords. There are currently two approaches an organization should review when implementing a password policy. The first is to follow all guidelines provided by the National Institute of Standards and Technology’s (NIST) password recommendations, as listed in Special Publication (SP) 800-63B, Section If an organization is unable to follow NIST SP 800-63B due to budgetary or technological constraints, the MS-ISAC recommends the following while working towards the NIST standard.


  • Implement complexity rules that:
    • Allow for a minimum password length of 14 characters.
    • Force passwords to contain uppercase and lowercase letters, numbers 0 through 9, and non-alphanumeric characters.
    • Do not allow repetitive or sequential characters (e.g. ‘aaaaaa’, ‘abc123’).
    • Do not allow context-specific words, including usernames and their derivatives.
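
The complexity rules above can be enforced at password-set time. The following Python validator is an added example, not MS-ISAC code; the function names, the run length of 3 used for "repetitive or sequential", and the look-alike substitution table used to catch username derivatives are assumptions.

```python
import unicodedata

MIN_LENGTH = 14  # minimum length from the primer
MAX_RUN = 3      # assumption: reject 3+ repeated or sequential characters
# Assumption: look-alike substitutions commonly used to disguise a word.
LEET = str.maketrans("0134578@$!", "oieastbasi")

def _has_run(pw, step):
    """True if pw has MAX_RUN consecutive code points each differing by step."""
    run = 1
    for prev, cur in zip(pw, pw[1:]):
        run = run + 1 if ord(cur) - ord(prev) == step else 1
        if run >= MAX_RUN:
            return True
    return False

def _normalize(text):
    """Case-fold, undo look-alike substitutions, keep only letters and digits."""
    folded = unicodedata.normalize("NFKC", text).casefold().translate(LEET)
    return "".join(ch for ch in folded if ch.isalnum())

def check_password(password, context_words=()):
    """Return the list of violated rules; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if all(c.isalnum() for c in password):
        problems.append("no non-alphanumeric character")
    if _has_run(password, 0):
        problems.append("repeated characters")
    folded = password.casefold()
    if _has_run(folded, 1) or _has_run(folded, -1):
        problems.append("sequential characters")
    squashed = _normalize(password)
    for word in context_words:  # e.g. username, organization name
        w = _normalize(word)
        if len(w) >= 3 and (w in squashed or w[::-1] in squashed):
            problems.append("contains context word: " + word)
    return problems
```

Spaces and non-ASCII characters count as ordinary characters here, so passphrases are accepted as long as the other rules hold.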

To calculate the entropy (strength) of a password, the size of the character set is raised to the power of the password length. There are 26 uppercase letters, 26 lowercase letters, 10 digits, and 33 ASCII-printable symbols available on the average keyboard. A computer can guess over 1 billion passwords per second.

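| Character set  | 8 characters | 9 characters | 10 characters | 11 characters | 12 characters    |
|----------------|--------------|--------------|---------------|---------------|------------------|
| All            | 70 days      | 18 years     | 1,707 years   | 169,547 years | 15,091,334 years |
| lowercase only | 208 seconds  | 90 minutes   | 39 hours      | 42 days       | 3 years          |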


  • Implement two- or multi-factor authentication to be used in conjunction with a password:
    • something you have (e.g. mobile phone to receive text messages, a physical key, etc.);
    • something you are (e.g. biometrics such as a fingerprint); or
    • someplace you are (e.g. GeoIP).
  • Password policies should enforce:
    • a maximum password age of between 30 and 90 days;
    • a minimum password age in conjunction with a password history to limit password reuse. Without a minimum password age, enforcing a password history is not effective;
    • acceptance of all Unicode characters and spaces.
  • Educate employees on password best practices.


  • Do not store passwords using reversible encryption. Passwords should be stored on the assumption that they will eventually be compromised, using salted one-way key derivation functions.

The MS-ISAC is the focal point for cyber threat prevention, protection, response, and recovery for the nation’s state, local, tribal, and territorial (SLTT) governments. More information about this topic, as well as 24×7 cybersecurity assistance is available at 866-787-4722, [email protected]. The MS-ISAC is interested in your comments – an anonymous feedback survey is available.