TWINTEL Solutions Blog

Understanding the New NIST Guidelines for Password Security

The National Institute of Standards and Technology (NIST) has released Special Publication 800-63B, titled Digital Identity Guidelines. The document outlines major changes to the way password security should be approached, and it renders much of what network administrators and software developers have implemented in recent years wrong. Today, we’ll take a look at the publication and try to make sense of the sudden change of course.

NIST is a non-regulatory federal agency that works under the umbrella of the U.S. Department of Commerce. Its mission is to promote U.S. innovation and competitiveness by advancing uniform measurement standards. Many NIST guidelines become the foundation for best practices in data security. As a result, any publication it produces having to do with cyber or network security deserves careful attention.

A Look at SP 800-63B
The newest password guidelines are a swift about-face in strategy compared to previous NIST suggestions. Instead of ensuring that all passwords meet some type of arbitrary complexity requirement, the new strategy is to allow passwords that are easier for people to choose and remember. Here are some of the highlights:

  • Passwords should be compared to dictionaries and commonly-used passwords
  • Eliminate or reduce complexity rules for passwords
  • All printable characters allowed, including spaces
  • Expiration of passwords no longer based on time password has been in use
  • Maximum length increased to 64 characters
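To make these bullets concrete, here is an added example (not code from the original post, and not NIST's own) of a verifier-side acceptance check in Python that follows them: length bounds, every printable character allowed including spaces, no composition rules, and a screen against a list of commonly-used passwords. The sample blocklist, the NFKC normalization step and the case-folded comparison are assumptions of this example; the 8-character minimum comes from SP 800-63B itself rather than from this post.

```python
import unicodedata

# Constructed sample blocklist standing in for the dictionary and
# commonly-used password lists the guidelines say a verifier must check.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "qwerty", "letmein", "welcome1",
}

MIN_LEN = 8   # SP 800-63B minimum for user-chosen secrets (not stated on this page)
MAX_LEN = 64  # the post's stated maximum; the guideline treats 64 as a floor
              # for what a verifier must accept, so raising this is fine


def normalize(secret):
    """Apply Unicode NFKC normalization so the same passphrase typed on
    different keyboards compares equal; length is then counted in code points.
    (Assumption of this example: the verifier normalizes with NFKC.)"""
    return unicodedata.normalize("NFKC", secret)


def check_memorized_secret(secret, blocklist=COMMON_PASSWORDS):
    """Return (accepted, reason) for a user-chosen password under the rules above.

    Deliberately absent: digit/uppercase/symbol requirements, a ban on spaces,
    and any expiry clock. Rejection happens only for length, non-printable
    characters, and a hit on the commonly-used password list."""
    s = normalize(secret)
    if len(s) < MIN_LEN:
        return False, "too short: %d < %d characters" % (len(s), MIN_LEN)
    if len(s) > MAX_LEN:
        return False, "too long: %d > %d characters" % (len(s), MAX_LEN)
    # Any printable character is allowed, ASCII space included; only control
    # characters and exotic separators are rejected.
    if any(not c.isprintable() for c in s):
        return False, "contains non-printable characters"
    # Dictionary screen, case-folded so "Password1" fails too (design choice).
    if s.casefold() in {p.casefold() for p in blocklist}:
        return False, "appears on the commonly-used password list"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("Password1", "short", "correct horse battery staple"):
        print(repr(candidate), "->", check_memorized_secret(candidate))
```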

Basically, the new guidelines recommend longer passphrases over complex passwords: complex passwords are hard for people to remember, and even with complexity rules in place it was becoming increasingly easy for password-cracking algorithms to guess them (as seen in the comic strip below).

[Comic strip image: XKCD on password strength]

As stated before, NIST is not a regulatory organization, but federal agencies and contractors use NIST’s information in order to set up secure computing environments in which to display, store, and share sensitive unclassified information.

In making these changes to password strategy, NIST is now acknowledging what many industry professionals already knew: a password you can’t remember may be secure, but if it’s so secure that you have to rely on third-party software to use it, it’s not really that effective at mitigating risk. NIST now treats the passphrase strategy, along with two-factor authentication, as the go-to risk management approach. SMS-based two-factor authentication was not mentioned in the final report but has come under scrutiny, as it has contributed to multiple hacks in recent times.

NIST also explicitly directs network administrators to forbid commonly used passwords, effectively creating a blacklist of passwords. The new guidelines also advise against offering password hints or knowledge-based authentication options, a practice still common among banking and FinTech applications to this day. We’ll see whether these companies alter their practices as the new NIST guidelines become best practices.

If you are looking for more information about best password practices and data security, the IT experts at TWINTEL Solutions are here to help. Call us today at (888) 894-6411 to have your password strategy assessed by the professionals.

Comic by XKCD.
