TWINTEL Solutions Blog

Understanding the New NIST Guidelines for Password Security

The National Institute of Standards and Technology (NIST) has released Special Publication 800-63B, titled Digital Identity Guidelines. The document outlines major changes to how password security should be approached, and it renders much of what network administrators and software developers have recently implemented obsolete. Today, we'll take a look at the publication and try to make sense of the sudden change of course.

NIST is a non-regulatory federal agency that works under the umbrella of the U.S. Department of Commerce. Its mission is to promote U.S. innovation and competitiveness by advancing uniform measurement standards. Many NIST guidelines become the foundation for best practices in data security. As a result, any publication it produces having to do with cyber or network security should be taken seriously.

A Look at SP 800-63B
The newest password guidelines are a swift about-face in strategy compared to previous NIST suggestions. Instead of ensuring that all passwords meet some type of arbitrary complexity requirement, the new strategy is to let users create passwords that are easier to come up with and more intuitive to remember. Here are some of the highlights:

  • Passwords should be compared against dictionaries and lists of commonly-used passwords
  • Complexity rules for passwords should be eliminated or reduced
  • All printable characters should be allowed, including spaces
  • Password expiration should no longer be based on how long the password has been in use
  • Maximum length increased to 64 characters

Basically, the new guidelines favor longer passphrases over complex passwords: complex passwords are hard for people to remember, and even with complexity rules in place, it was becoming increasingly easy for cracking algorithms to guess them (as illustrated in the comic strip below).

[Comic strip image]

As stated before, NIST is not a regulatory organization, but federal agencies and contractors use NIST’s information in order to set up secure computing environments in which to display, store, and share sensitive unclassified information.

In making these changes to password strategy, NIST is now acknowledging what many industry professionals already knew: a password you can't remember may be secure, but if it's so secure that you have to rely on third-party software to use it, it's not really that effective at mitigating risk. NIST now looks to the passphrase strategy, along with two-factor authentication, as the go-to risk management strategy. SMS-based two-factor authentication was not mentioned in the final report, but it has come under scrutiny because it has contributed to multiple hacks in recent times.

NIST also explicitly directs network administrators to forbid commonly used passwords, effectively creating a blacklist of passwords. The new guidelines also suggest that users shouldn't be offered password hints or knowledge-based authentication options, which remain a common practice among banking and FinTech applications to this day. We'll see if these companies alter their practices as the new NIST guidelines become best practices.
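To make the highlights above and the password blacklist concrete, here is an example verifier added to this post (it is not code from the post or from NIST): it enforces only length and a blocklist, with no composition rules. The blocklist and dictionary are small constructed samples; the 8-character minimum and NFKC normalization come from SP 800-63B itself but are not mentioned in the post.

```python
import unicodedata

# Constructed sample lists; a real deployment would load a large list of
# breached/common passwords for the "dictionary and commonly-used" check.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou", "welcome1"}
DICTIONARY_WORDS = {"correct", "horse", "battery", "staple", "summer", "dragon"}

MIN_LENGTH = 8    # SP 800-63B minimum for user-chosen memorized secrets
MAX_LENGTH = 64   # the post's "maximum length increased to 64 characters"


def check_password(candidate: str, context_words=()) -> list:
    """Return the reasons a password is rejected; an empty list means accepted.

    Deliberately no composition rules ("one uppercase, one digit, ..."):
    only length and a blocklist are enforced, per SP 800-63B.
    """
    # Normalize so visually identical Unicode strings compare equally (NFKC).
    pw = unicodedata.normalize("NFKC", candidate)
    reasons = []

    # Length is counted after normalization; spaces and every printable
    # character are allowed, so nothing is stripped or filtered here.
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")

    lowered = pw.lower()
    # The blacklist of commonly-used / breached passwords described in the post.
    if lowered in COMMON_PASSWORDS:
        reasons.append("appears on the common-password blocklist")
    # A single dictionary word is weak; a multi-word passphrase is not flagged.
    if lowered in DICTIONARY_WORDS:
        reasons.append("is a single dictionary word")
    # Context-specific words such as the username or the service name.
    if any(w and w.lower() in lowered for w in context_words):
        reasons.append("contains a username or service name")
    # Repetitive or sequential characters ("aaaaaaaa", "12345678").
    if len(set(lowered)) == 1:
        reasons.append("is a single repeated character")
    if len(lowered) >= 4 and all(
        ord(lowered[i + 1]) - ord(lowered[i]) == 1 for i in range(len(lowered) - 1)
    ):
        reasons.append("is a sequential run of characters")
    return reasons
```

Note that a passphrase with spaces and no digits or symbols, such as the one in the comic below, passes, while a short "complex" password fails only on length.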

If you are looking for more information about best password practices and data security, the IT experts at TWINTEL Solutions are here to help. Call us today at (888) 894-6411 to have your password strategy assessed by the professionals.

Comic by XKCD.

Wednesday, February 20 2019