Password and Login Management

Take Notice... the Federal Guidelines have Changed!

Published on

In June 2017, the National Institute of Standards and Technology (NIST) issued new guidelines related to passwords and management of user logins.  These new guidelines contained some surprising new recommendations and, in some cases, reversed prior guidelines or commonly accepted security practices.  Although HIPAA has not issued a specific endorsement of the new NIST standards, they have generally adopted NIST recommendations, where they apply.  

The complete standard can be found at, but we have included the following summary:

What Has Changed:

Passwords should be longer
  • 8 character passwords is the absolute minimum; 10-12 characters or longer is recommended
  • Passwords up to 64 characters should be allowed
  • Does not necessarily increase password strength
  • Makes it harder for users to choose “memorable” passwords
  • May also prevent users from choosing memorable passwords
  • Only require a change if there is suspicion that a password has been compromised
  • Thanks to social media, these are often easily guessed.
Password selection software should not allow “obvious” passwords:
  • Common words, words related to the user, repeated letters, numeric 
    sequences, etc. (e.g, “password123”, “johnsmith”, or “abcabcabc”)
Login software should include features to prevent brute force attacks:
  • Delays between login attempts
  • Lock account after a number of failed attempts

Two-factor authentication, where users must also enter a code they receive via a text message, email or a hardware device, is encouraged to strengthen user authentication.


  • User IDs and passwords should uniquely identify a user
  • Passwords should never be transmitted or stored without being encrypted

CompliancePro Solutions recommends that all healthcare organizations managing ePHI should consider adopting these new guidelines.