New NIST recommendation: Check every password against a blacklist

Ensuring that your system is secure and that your user’s credentials are protected is the responsibility of your cybersecurity team. One way to do that is to comply with the new NIST password guidelines and best practices of 2020.

The NIST Password Guidelines(NIST Special Publication 800-63B) are part of the NIST’s digital identity guidelines, officially published in 2017 but updated in 2020. They are used as protection policies by many cybersecurity teams in organizations to ensure that their user data are attack-proofed.

One such recommendation in the NIST Special Publication is the practice of checking every password against a blacklist. This is a great policy to implement in your organization as it ensures that passwords in your database have some level of security from the get-go.

Why is Checking Passwords Against Blacklists a Good Practice?

Even though internet users believe they need to protect their personal data online, only about a half are taking measures to keep their passwords secure and hard to crack. This leaves nearly half of the users in your current directory with weak passwords that cybercriminals can use to access your backends.

In 2022, you’d be surprised that people are still setting weak strings such as 123456 as their password… The list below shows the top most commonly used passwords today.

  • 123456
  • 123456789
  • qwerty
  • password
  • 12345
  • qwerty123
  • 1q2w3e
  • 12345678
  • 111111
  • 1234567890

Checking users' passwords at the point of creation against a list of some of these weak choices ensures that these passwords don’t end up in your database as well, making your users' data susceptible to unauthorized access via dictionary attacks.

Dictionary attacks capitalize on these easy-to-guess passwords by mixing and matching users' names, birthdays, and digits such as 123. Combining these with weak systems, such as those that don’t limit login attempts, can have these bots finding valid credentials within minutes.

However, even with systems that take a more intentional approach to data protection, other types of attacks still manage to use these passwords to gain access by employing the spray approach.

Things to Prioritize When Checking Your Users’ Passwords

When creating a system for checking your user’s passwords, there are several bases you need to cover to have a truly effective password-checking system that boosts the security of your platform. These include:

  • Easy to guess passwords
  • Commonly used passwords
  • Directory of past breaches

1. Easy-to-Guess Passwords

Your system should be able to detect passwords that are easier for anyone to guess and prohibit their use. These passwords include dictionary words, birth years, common events, locations, etc.

Other things to check for in this case are sequential strings such as 123 as prefixes or suffixes to another generic passphrase. For instance, password123, password24, jane2010 etc.

2. Commonly Used Passwords

Another suite of words to check for are from the lists of commonly used passwords. Let your team design a system that checks for some of the most common passwords and blacklist them so that users may not use them when creating accounts.

This is crucial since hackers often use these loopholes to guess login credentials pretty easily.

The system you use should also prohibit password variation based on the main keyphrase. So, anything containing the word password or qwerty shouldn’t be allowed.

If your system integrates with a blacklist-checking service like, then a red button shows up alerting users that the password they want to use has been compromised before, and so they should come up with another.

3. List of Past Breaches

If a password has been compromised before, it means that the hackers and anyone whom they sold the breached data to, still have access, so creating new accounts that utilize the same password could put these new accounts in jeopardy through credentials stuffing.

The use of compromised passwords is what led to the data breach on Zoom’s 500,000 accounts.

Abiding with the new NIST recommendation of checking every password against a blacklist helps businesses like yours from finding themselves in similar situations.

Designing your own systems to do this for your organization’s directories can be quite costly and difficult to maintain.

Luckily, there are services you can integrate with your platform, and they will do the checking for you automatically as the user enters the password when creating or resetting their accounts.

Password Leak Check in Active Directories

To help you implement this new NIST password management best practice, we built a password blacklist service for you. All you have to do is work with your tech team to integrate our API. To get started, visit

You can test the tool for free without creating an account. Simply enter a weak password from the commonly used list and press Check Password. If it is a compromised password, the amber circle will turn red. Otherwise, it would turn green. When a user attempts to use a passphrase that exists in our list of 300M plus compromised passwords, they’ll see the red alert.

  • Even Better Passwords

You can check your own passwords as well. Chances are that they will turn green since you’ve taken the appropriate measures to secure your data.

To implement our Password blacklist checking tool into your system, get a plan and integrate our API following our detailed documentation with the help of our support staff at your disposal.

By checking your user’s passwords from the point of account creation, you ensure that your active directory only has secure passwords.

Password Leak Check in Active Directories

Now that you’ve implemented this NIST recommendation, the next thing you want to do is to ensure that you put systems in place to make your user’s data even more secure. Having a database of passwords that have never been hacked before doesn’t future proof it from the next threats. There are several other cyber attacks besides credential stuffing.

Some other critical NIST password recommendations include enabling 2-factor authentication. This way, your users can prove their identity by using a second verification method such as phone notification, SMS etc. This makes it harder for hackers to spoof since it often requires a sort of device that the user must have physical access to at the time of the request.