Infracore LLC Blog

Understanding the New NIST Guidelines for Password Security

The National Institute of Standards and Technology (NIST) has released Special Publication 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management. The document makes major changes to how password security should be approached, and it renders much of what network administrators and software developers have implemented in recent years obsolete or simply wrong. Today, we'll take a look at the publication and try to make sense of the sudden change of course.

NIST is a non-regulatory federal agency within the U.S. Department of Commerce. Its mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology. Many NIST guidelines become the foundation for best practices in data security, so any publication it produces on cyber or network security deserves attention.

A Look at SP 800-63B
The newest password guidelines are an about-face compared with previous NIST suggestions. Instead of forcing every password to satisfy arbitrary complexity requirements, the new approach favors passwords (really, passphrases) that are longer, easier to remember, and screened against the values attackers actually try. Here are some of the highlights (the document calls passwords "memorized secrets"):

  • A candidate password must be checked against a list of commonly used, expected, or compromised values: dictionary words, passwords exposed in previous breaches, repetitive or sequential strings ("aaaaaa", "1234abcd"), and context-specific words such as the user's name or the name of the service
  • Composition rules (requiring a mix of upper case, lower case, digits, and symbols) should no longer be imposed
  • All printable ASCII characters, including spaces, and Unicode characters should be accepted
  • Passwords should not expire on a schedule; a change should be forced only when there is evidence the password has been compromised
  • Minimum length of 8 characters, and the verifier must accept passwords of at least 64 characters

Basically, the new guidelines favor longer passphrases over "complex" passwords: complexity rules produce strings that are hard for people to remember, and even with those rules in place, password-cracking tools have become very good at guessing the predictable substitutions people make (as the comic strip below illustrates).

[Image: XKCD comic on password strength]

As noted above, NIST is not a regulatory organization, but federal agencies and their contractors use NIST's publications to set up secure computing environments in which to display, store, and share sensitive unclassified information.

In making these changes to password strategy, NIST is acknowledging something many industry professionals already knew: a password you can't remember may be strong on paper, but if it is so unwieldy that you have to rely on third-party software to use it, it isn't doing much to reduce risk. NIST now treats the passphrase strategy, combined with two-factor authentication, as the go-to risk management approach. SMS-based two-factor authentication, which the final publication classifies as a "restricted" authenticator rather than banning outright, has come under scrutiny because SMS codes can be intercepted or redirected and have been implicated in a number of recent account takeovers.

NIST also explicitly requires that verifiers forbid commonly used passwords, effectively mandating a password blacklist (blocklist) that every new password is checked against. The guidelines also state that password hints accessible to an unauthenticated user must not be stored, and that users must not be prompted with knowledge-based questions (such as "What was the name of your first pet?"), a practice still common among banking and FinTech applications to this day. We'll see whether these companies change course as the NIST guidelines become best practice.
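To make the highlights above and the blocklist requirement concrete, here is an added example of what a verifier's password-acceptance check looks like when it follows SP 800-63B instead of complexity rules. This is illustrative code written for this post, not code from Infracore or from NIST. The blocklist and the small "breach corpus" are constructed stand-ins; the lookup mimics the shape of a k-anonymity range API (send a five-character SHA-1 prefix, compare the returned suffixes locally), but it runs entirely offline here.

```python
"""Memorized-secret acceptance checks in the spirit of SP 800-63B section 5.1.1.2.

Added example; not code from Infracore or from NIST. BLOCKLIST and the
breach "range database" are constructed stand-ins for a real dictionary,
breach corpus, or k-anonymity range API.
"""
import hashlib
import re
import unicodedata

MIN_LENGTH = 8           # 800-63B: subscriber-chosen secrets are at least 8 characters
MUST_ACCEPT_UP_TO = 64   # 800-63B: the verifier must accept secrets of at least 64 characters

# Constructed stand-in for a commonly-used-password / dictionary blocklist.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "iloveyou", "welcome1"}


def sha1_hex(secret: str) -> str:
    return hashlib.sha1(secret.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breach corpus, stored the way a k-anonymity range
# API answers: 5-hex-digit SHA-1 prefix -> set of breached hash suffixes.  A real
# verifier would send only the prefix over the network and compare suffixes locally.
RANGE_DB = {}
for _breached in ("P@ssw0rd", "Summer2018!"):   # constructed breach corpus
    _h = sha1_hex(_breached)
    RANGE_DB.setdefault(_h[:5], set()).add(_h[5:])


def normalize(secret: str) -> str:
    """800-63B: apply Unicode NFKC (or NFC) before length checks, comparison or
    hashing, so the same secret typed via different input methods matches."""
    return unicodedata.normalize("NFKC", secret)


def in_breach_corpus(secret: str) -> bool:
    """k-anonymity style lookup: prefix selects the bucket, suffix is matched locally."""
    digest = sha1_hex(secret)
    return digest[5:] in RANGE_DB.get(digest[:5], set())


def is_repetitive(secret: str, run: int = 4) -> bool:
    """One character repeated `run` or more times in a row ("aaaa")."""
    return re.search(r"(.)\1{%d,}" % (run - 1), secret) is not None


def is_sequential(secret: str, run: int = 4) -> bool:
    """`run` consecutive code points, ascending or descending ("abcd", "4321")."""
    s = secret.lower()
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_secret(secret: str, context_words=()) -> list:
    """Return the reasons a candidate must be rejected; an empty list means accept.

    Deliberately absent: composition rules, any upper length limit at or below 64,
    and any restriction on spaces or non-ASCII characters.
    """
    s = normalize(secret)
    reasons = []
    if len(s) < MIN_LENGTH:          # len() counts code points, as 800-63B requires
        reasons.append("too short")
    low = s.lower()
    if low in BLOCKLIST:
        reasons.append("on the blocklist")
    for word in context_words:       # e.g. the username or the service name
        if word and word.lower() in low:
            reasons.append(f"contains context word {word!r}")
    if is_repetitive(s):
        reasons.append("repetitive characters")
    if is_sequential(s):
        reasons.append("sequential characters")
    if in_breach_corpus(s):
        reasons.append("found in breach corpus")
    return reasons


if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "P@ssw0rd", "Tr0ub4dor&3", "abcd1234"):
        verdict = check_secret(candidate, context_words=("infracore",))
        print(f"{candidate!r:33} -> {'accept' if not verdict else ', '.join(verdict)}")
```

Two things worth noticing when you run it. First, the check accepts the comic's "Tr0ub4dor&3" because the constructed corpus is tiny; with no composition rules left, the breach corpus and blocklist are doing all the work, so their size and freshness matter far more than any regex. Second, there is no `MAX_LENGTH` rejection at all: 64 is the floor on what the verifier must accept, not a ceiling. If your hashing backend needs a cap for resource reasons, set it well above 64, which is a deployment choice rather than something the guideline asks for.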

If you are looking for more information about best password practices and data security, the IT experts at Infracore LLC are here to help. Call us today at (858) 509-1970 to have your password strategy assessed by the professionals.

Comic by XKCD.



Saturday, October 20 2018


