Understanding the New NIST Guidelines for Password Security

The National Institute of Standards and Technology (NIST) has released Special Publication 800-63B, titled Digital Identity Guidelines. The document outlines major changes to the way password security should be approached, and it declares much of what network administrators and software developers have implemented in recent years to be wrong. Today, we’ll take a look at the publication and try to make sense of the sudden change of course.

NIST is a non-regulatory federal agency that operates under the umbrella of the U.S. Department of Commerce. Its mission is to promote U.S. innovation and competitiveness by advancing uniform measurement standards. Many NIST guidelines become the foundation for best practices in data security, so any publication it produces on cyber or network security deserves careful attention.

A Look at SP 800-63B
The newest password guidelines are a swift about-face in strategy compared to previous NIST suggestions. Instead of insisting that every password meet some arbitrary set of complexity requirements, the new strategy is to let users create passwords that are easier and more intuitive to use. Here are some of the highlights:

  • Passwords should be compared against dictionaries and lists of commonly used passwords
  • Complexity rules for passwords should be eliminated or reduced
  • All printable characters are allowed, including spaces
  • Password expiration is no longer based on how long the password has been in use
  • Maximum length increased to 64 characters

Basically, the new guidelines favor longer passphrases over complex passwords: complex passwords are hard for people to remember, and even with complexity rules in place it was becoming increasingly easy for cracking algorithms to guess them (as the comic strip below illustrates).

[Comic strip (XKCD)]

As stated before, NIST is not a regulatory organization, but federal agencies and contractors use its publications to set up secure computing environments in which to display, store, and share sensitive unclassified information.

In making these changes to password strategy, NIST is now acknowledging a fact that many industry professionals already knew: a password you can’t remember may be secure, but if it’s so secure that you have to rely on third-party software to use it, it’s not really that effective at mitigating risk. NIST now treats the passphrase strategy, along with two-factor authentication, as the go-to risk management strategy. SMS-based two-factor authentication was not mentioned in the final report but has come under scrutiny, as it has contributed to multiple hacks in recent times.

NIST also explicitly directs that network administrators forbid commonly used passwords, effectively creating a blacklist of passwords. The new guidelines also say that users should not be offered password hints or knowledge-based authentication options, a practice still common among banking and FinTech applications today. We’ll see whether these companies alter their practices as the new NIST guidelines become best practices.
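As an added example (not code from the original post or from NIST), here is how a verifier could enforce the highlights listed above together with the blacklist requirement from this paragraph, in Python. The blocklist contents, the length constants and the function names are constructed for illustration; a real deployment would load a large breached-password corpus in place of the small set below.

```python
import unicodedata

# Constructed sample blocklist standing in for a real common/breached-password
# corpus (assumption: production systems load a large list from disk).
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "iloveyou", "welcome1",
}

MIN_LENGTH = 8   # assumed minimum; the page only discusses the maximum
MAX_LENGTH = 64  # the page's "maximum length increased to 64 characters"


def normalize(secret: str) -> str:
    """Apply NFKC normalization so the same passphrase typed on different
    keyboards (e.g. full-width letters) compares equal against the blocklist."""
    return unicodedata.normalize("NFKC", secret)


def check_password(secret: str) -> list[str]:
    """Return the reasons a secret is rejected; an empty list means accepted.

    Length bounds, every printable character allowed (spaces included),
    a blocklist comparison, and deliberately no composition rules."""
    problems = []
    s = normalize(secret)
    # Only control characters are refused; letters, digits, symbols, spaces
    # and non-ASCII letters are all acceptable.
    if any(unicodedata.category(ch).startswith("C") for ch in s):
        problems.append("control characters are not allowed")
    if len(s) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(s) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    # Case-insensitive comparison so "Password" is caught as well as "password".
    if s.casefold() in COMMON_PASSWORDS:
        problems.append("appears on the common-password blocklist")
    # No uppercase/digit/symbol requirements: those are the complexity rules
    # the new guideline drops.
    return problems
```

A rejected blocklist match should be reported to the user with a request to choose a different secret, not silently accepted or transformed.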

If you are looking for more information about best password practices and data security, the IT experts at Infracore LLC are here to help. Call us today at (858) 509-1970 to have your password strategy assessed by the professionals.

Comic by XKCD.
