Infracore LLC Blog

Understanding the New NIST Guidelines for Password Security

Understanding the New NIST Guidelines for Password Security

The National Institute for Standards and Technology (NIST) has released Special Publication 800-63B, titled Digital Identity Guidelines. The document outlines major changes to the ways password security should be approached and leaves a lot of what network administrators and software developers have implemented recently to be wrong Today, we’ll take a look at the publication, and try to make sense of the sudden change of course.

NIST is a non-regulatory federal agency that works under the umbrella of the U.S. Department of Commerce. Its mission is to promote U.S. innovation and competitiveness by advancing a uniform measurement standard. Many NIST guidelines become the foundation for best practices in data security. As a result, any publication they produce having to do with cyber or network security should be considered.

A Look at SP 800-63B
The newest password guidelines are a swift about-face in strategy as compared to previous NIST suggestions. Instead of a strategy of ensuring that all passwords meet some type of arbitrary complexity requirements, the new strategy is to create passwords that are easier and more intuitive. Here are some of the highlights:

  • Passwords should be compared to dictionaries and commonly-used passwords
  • Eliminate or reduce complexity rules for passwords
  • All printable characters allowed, including spaces
  • Expiration of passwords no longer based on time password has been in use
  • Maximum length increased to 64 characters.

Basically, the new guidelines recommend longer passphrases to the complex passwords as they are hard for people to remember, and even with complexity rules in place, it was becoming increasingly easy for algorithms to crack passwords (seen in the comic strip below).

ib nist cartoon 1

As stated before, NIST is not a regulatory organization, but federal agencies and contractors use NIST’s information in order to set up secure computing environments in which to display, store, and share sensitive unclassified information.

In making these changes to password strategy, NIST is now considering the fact that many industry professionals knew: a password you can’t remember may be secure, but if it’s so secure that you have to rely on third-party software to utilize it, it’s not really that effective at mitigating risk. NIST now looks at the passphrase strategy, along with two-factor authentication as the go-to risk management strategy. SMS-based two-factor authentication was not mentioned in the final report but has come under scrutiny as it has contributed to multiple hacks in recent times.

The NIST also explicitly commands that network administrators be mindful to forbid commonly used passwords; effectively creating a blacklist of passwords. The new guidelines also suggest that users shouldn’t be using the password hints or knowledge-based authentication options; a common practice among banking and FinTech applications to this day. We’ll see if there is a strategic alteration in these companies’ practices as the new NIST guidelines become best practices.

If you are looking for more information about best password practices and data security, the IT experts at Infracore LLC are here to help. Call us today at (858) 509-1970 to have your password strategy assessed by the professionals.

Comic by XKCD.

Cryptomining is Inspiring Cybercrime
Know Your Tech: CMS


No comments made yet. Be the first to submit a comment
Already Registered? Login Here
Thursday, December 13 2018

Captcha Image

Tag Cloud

Tip of the Week Security Technology Best Practices Privacy Cloud Google Network Security Business computing Malware Hosted Solutions Microsoft Hackers Data Software Innovation Internet Hardware Business User Tips Smartphones Tech Term Backup Data Backup Browser Business Continuity Email Windows 10 Computer Android Mobile Devices VoIP Workplace Tips Communications Small Business Business Management IT Services Data Recovery Cloud Computing Smartphone Productivity Outsourced IT Managed IT Services Alert Computers Disaster Recovery Chrome Miscellaneous Ransomware Office Managed IT Services Efficiency Law Enforcement Network Artificial Intelligence Communication Cybercrime Telephone Systems How To Collaboration Cybersecurity Router Internet of Things IT Support Productivity Money Office 365 Passwords Password Applications Facebook Virtualization Windows 10 Social Media Windows Social Engineering Holiday Gadgets Work/Life Balance Google Drive Server Saving Money Quick Tips App Word Upgrade Health Information Spam Managed Service Private Cloud Two-factor Authentication Apps Mobile Device Mobile Device Management HaaS Connectivity Keyboard Office Tips Automation IT Support Phishing Scam Data Breach BDR Microsoft Office Data Security Hacking Wi-Fi Data Protection Vulnerability Voice over Internet Protocol Bring Your Own Device Save Money Firewall Networking Data Storage Government Blockchain Identity Theft Virtual Assistant Update Encryption OneNote Employer-Employee Relationship Infrastructure Marketing Redundancy IT Management Public Cloud Charger Battery Patch Management Telephone System Avoiding Downtime Sports Spam Blocking VPN Software as a Service IT Plan Cleaning Human Resources Fraud End of Support Remote Computing Worker Google Docs Operating System Big Data History Flexibility Unsupported Software Computer Care Comparison Remote Monitoring Website CES Managed IT Legal Servers Telephony Mobility Automobile Electronic Medical Records PDF Samsung Windows 7 Bandwidth Training Content Management Paperless Office Entertainment Settings Business Intelligence Data Management BYOD Managed Service Provider USB Value Machine Learning Bing Solid State Drive Flash Monitor Techology Users Online Shopping Smart Tech Information Technology Vendor Management Emergency Public Computer Hosted Computing Meetings Travel Content Bluetooth eWaste Wire Printer Frequently Asked Questions Loyalty Millennials Enterprise Content Management Start Menu Save Time Cache Unified Threat Management Search Troubleshooting YouTube Help Desk Audit Virtual Reality Smart Technology Current Events Evernote MSP Instant Messaging Multi-Factor Security HIPAA Credit Cards Inventory Humor Internet Exlporer Video Games Audiobook WiFi Criminal Mouse Excel SaaS Workforce Password Management Tools Files Password Manager Mobile Computing IT solutions Physical Security How to Computer Fan Sync Data storage Worker Commute Two Factor Authentication Knowledge Wireless Charging Devices File Sharing Hybrid Cloud Experience Trending Education Access Control Data loss Risk Management Smart Office Administrator Tip of the week Accountants NIST Downtime Hiring/Firing Business Mangement Camera Black Market Shortcuts The Internet of Things Network Congestion Cortana Thought Leadership Augmented Reality webinar Apple Music Staff Windows Server 2008 Computing Infrastructure Transportation Safety Amazon Authentication Screen Mirroring Internet exploMicrosoft Scalability Politics Rootkit Document Management Microchip Windows 10s Books Assessment Telecommuting Cryptocurrency Root Cause Analysis Employer Employee Relationship Gmail HBO FENG IT Consultant Google Apps Remote Worker Conferencing Software Tips iPhone Wireless Wearable Technology Specifications Search Engine Benefits Amazon Web Services Nanotechnology Cast Advertising Television Remote Work Practices Safe Mode Botnet Relocation User Error Best Practice Computer Accessories Recovery Recycling Wireless Internet Warranty Outlook Digital Signature HVAC Skype Leadership Workers Addiction Wiring Emails Webinar CrashOverride Company Culture Compliance Managing Stress Regulation Printers Thank You Twitter Congratulations

Mobile? Grab this Article!

QR-Code dieser Seite

Recent Comments

Phillip Bond A Checklist of 40 Microsoft Software Titles Reaching End of Life/Extended Support in July 2016
11 December 2018
A checklist of the components is done for the widening of the elements. The scope of the check list ...
Erickson Ferry Tip of the Week: Useful Shortcuts for Google
30 November 2018
Your blog was too good. I was exceptionally satisfied to discover this site. I needed to thank you f...
Alex Ling Would Your Users be Tricked by Social Engineering?
27 November 2018
I came to know about the user that was tricked by the users in this community this was all on social...
Daniel Mcmahon Ancient Greek Computer in Serious Need of Firmware Update
23 November 2018
Computers which are imported from the Greek now want to update the all software that is firmware tra...
Cameran Moon Download the Wrong App and Have More Than Pokémon Fever Infect Your Device
22 November 2018
Infra core was the heart of IT they told us that if we download a wrong application it will infect o...