
Understanding the New NIST Guidelines for Password Security


The National Institute of Standards and Technology (NIST) has released Special Publication 800-63B, titled Digital Identity Guidelines. The document outlines major changes to the way password security should be approached, and it means that much of what network administrators and software developers have implemented recently is now considered wrong. Today, we’ll take a look at the publication, and try to make sense of the sudden change of course.

NIST is a non-regulatory federal agency that works under the umbrella of the U.S. Department of Commerce. Its mission is to promote U.S. innovation and competitiveness by advancing a uniform measurement standard. Many NIST guidelines become the foundation for best practices in data security. As a result, any publication they produce having to do with cyber or network security should be considered.

A Look at SP 800-63B
The newest password guidelines are a swift about-face in strategy as compared to previous NIST suggestions. Instead of a strategy of ensuring that all passwords meet some type of arbitrary complexity requirements, the new strategy is to create passwords that are easier and more intuitive. Here are some of the highlights:

  • Passwords should be compared to dictionaries and commonly-used passwords
  • Eliminate or reduce complexity rules for passwords
  • All printable characters allowed, including spaces
  • Expiration of passwords no longer based on time password has been in use
  • Maximum length increased to 64 characters.

Basically, the new guidelines recommend longer passphrases over complex passwords, as complex passwords are hard for people to remember, and even with complexity rules in place, it was becoming increasingly easy for algorithms to crack passwords (seen in the comic strip below).

[Image: comic strip]

As stated before, NIST is not a regulatory organization, but federal agencies and contractors use NIST’s information in order to set up secure computing environments in which to display, store, and share sensitive unclassified information.

In making these changes to password strategy, NIST is now acknowledging a fact that many industry professionals already knew: a password you can’t remember may be secure, but if it’s so secure that you have to rely on third-party software to utilize it, it’s not really that effective at mitigating risk. NIST now looks at the passphrase strategy, along with two-factor authentication, as the go-to risk management strategy. SMS-based two-factor authentication was not mentioned in the final report but has come under scrutiny as it has contributed to multiple hacks in recent times.

NIST also explicitly commands that network administrators be mindful to forbid commonly used passwords, effectively creating a blacklist of passwords. The new guidelines also suggest that users shouldn’t be using password hints or knowledge-based authentication options, a common practice among banking and FinTech applications to this day. We’ll see if there is a strategic alteration in these companies’ practices as the new NIST guidelines become best practices.
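The highlights listed above and the forbidden-password list can be expressed as a short acceptance check, set beside an old-style complexity rule for comparison. The following Python is an added example, not code from NIST or from this blog; the function names, the sample list and the legacy rule are constructed for illustration, and the 8-character minimum and the change-on-compromise trigger come from SP 800-63B itself rather than from this page.

```python
# Constructed sample of forbidden passwords; a real deployment would load a
# large list of commonly used and previously breached passwords instead.
SAMPLE_BLOCKLIST = {"password", "123456", "qwerty", "letmein", "password1!"}

MIN_LENGTH = 8    # from SP 800-63B itself; this page does not state a minimum
MAX_LENGTH = 64   # the maximum length figure the page cites


def check_password(candidate, blocklist=SAMPLE_BLOCKLIST):
    """Return the reasons a candidate is rejected; an empty list means accepted."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append("too short")
    if len(candidate) > MAX_LENGTH:
        reasons.append("too long")
    # str.isprintable() accepts spaces and printable Unicode, rejects control chars.
    if not candidate.isprintable():
        reasons.append("non-printable character")
    # Case-insensitive match so "Password1!" cannot slip past "password1!".
    if candidate.casefold() in blocklist:
        reasons.append("commonly used password")
    return reasons


def legacy_complexity_ok(candidate):
    """Old-style composition rule (hypothetical), shown only for comparison."""
    return (
        len(candidate) >= 8
        and any(c.isupper() for c in candidate)
        and any(c.islower() for c in candidate)
        and any(c.isdigit() for c in candidate)
        and any(not c.isalnum() for c in candidate)
    )


def must_change(age_days, known_compromised):
    """Age alone never forces a change; evidence of compromise does."""
    return bool(known_compromised)


if __name__ == "__main__":
    for pw in ("Password1!", "violet tractor hums at dawn"):
        print(repr(pw), "legacy:", legacy_complexity_ok(pw),
              "new:", check_password(pw) or "accepted")
```

The two sample inputs show the reversal: the composition rule accepts a common password with a capital and a symbol, while the new check rejects it and accepts the long passphrase.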

If you are looking for more information about best password practices and data security, the IT experts at TWINTEL Solutions are here to help. Call us today at (888) 894-6411 to have your password strategy assessed by the professionals.

Comic by XKCD.
