
Network Management Services Blog

Understanding the New NIST Guidelines for Password Security


The National Institute of Standards and Technology (NIST) has released Special Publication 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management. The document makes major changes to the way password security should be approached, and it contradicts much of what network administrators and software developers have implemented in recent years. Today, we'll take a look at the publication and try to make sense of the sudden change of course.

NIST is a non-regulatory federal agency within the U.S. Department of Commerce. Its mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology. Many NIST guidelines become the foundation for best practices in data security, so any publication it produces on cyber or network security deserves attention.

A Look at SP 800-63B
The newest password guidelines are a swift about-face compared to previous NIST advice. Instead of requiring every password to satisfy arbitrary complexity rules, the new strategy favors passwords that people can actually remember and removes the rules that pushed users toward predictable workarounds. Here are some of the highlights:

  • New passwords must be checked against lists of dictionary words, commonly used passwords, and passwords exposed in previous breaches
  • Composition (complexity) rules, such as requiring mixed case, digits, and symbols, should no longer be imposed
  • All printable ASCII characters, spaces, and Unicode characters should be accepted
  • Passwords should no longer expire on a schedule; a change is required only when there is evidence of compromise
  • A minimum length of 8 characters, a maximum of at least 64 characters, and no silent truncation

In short, the new guidelines favor long passphrases over short, complex passwords. Complexity rules produce strings that are hard for people to remember yet follow predictable patterns (a capitalized word, a substituted digit, a trailing symbol), and cracking tools model those patterns well enough that such passwords fall quickly. The comic strip below makes the same point.

[Image: XKCD comic contrasting a short complex password with a long passphrase]

As stated before, NIST is not a regulatory organization, but federal agencies and contractors use NIST’s information in order to set up secure computing environments in which to display, store, and share sensitive unclassified information.

In making these changes, NIST is acknowledging what many industry professionals already knew: a password that nobody can remember, and that is not kept in a password manager, tends to be written down, reused across sites, or reset constantly, and each of those habits erodes the security the complexity was supposed to provide. NIST now treats the passphrase strategy, combined with multi-factor authentication, as the go-to risk management approach. SMS-based two-factor authentication survives in the final publication, but only as a "restricted" authenticator, because attackers have repeatedly intercepted or redirected text-message codes in recent breaches.

NIST also explicitly requires that verifiers check every new password against a list of commonly used, expected, or compromised passwords, effectively a blocklist, and reject any match. The guidelines also forbid password hints that an unauthenticated user can see, as well as knowledge-based authentication questions (such as the name of a first pet), a practice still common among banking and FinTech applications today. We'll see whether these companies change course as the new NIST guidelines become accepted best practice.
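To make the blocklist, length, and no-complexity-rule points above concrete, here is an added example in Python of a verifier that applies the SP 800-63B checks to a new password and then stores it salted and hashed. It is an illustration added to this article, not code from NIST or from the publication. The sample blocklist, the username "jsmith", and the PBKDF2 iteration count are constructed assumptions; a real deployment would load a large breach corpus and tune the iteration count to its hardware.

```python
"""Password (memorized secret) handling modelled on NIST SP 800-63B, section 5.1.1.

Added illustration for this article, not code from NIST or from the original post.
The blocklist, the usernames and the iteration count below are constructed assumptions.
"""
import hashlib
import hmac
import os
import unicodedata

MIN_LENGTH = 8               # 800-63B: subscriber-chosen secrets are at least 8 characters
MAX_LENGTH_PERMITTED = 64    # 800-63B: verifiers should permit at least 64 characters
PBKDF2_ITERATIONS = 100_000  # assumption; 800-63B says as many as the server can afford

# Constructed stand-in for a corpus of commonly used and breached passwords.
# A real verifier would load millions of entries from breach data.
SAMPLE_BLOCKLIST = {
    "password", "password1", "p@ssw0rd", "123456", "12345678",
    "qwerty123", "letmein", "iloveyou", "welcome1", "admin123",
}


def normalize(secret):
    """Apply NFKC so visually identical input hashes identically (800-63B 5.1.1.2).

    Length is counted in code points after normalization, never in bytes, and
    no character class is stripped: spaces and Unicode are legitimate input.
    """
    return unicodedata.normalize("NFKC", secret)


def is_repetitive_or_sequential(s):
    """Detect 'aaaaaaaa' and '12345678' / 'hgfedcba' style secrets."""
    if len(set(s)) == 1:
        return True
    codes = [ord(c) for c in s]
    steps = {b - a for a, b in zip(codes, codes[1:])}
    return steps == {1} or steps == {-1}


def check_memorized_secret(secret, context_words=(), blocklist=SAMPLE_BLOCKLIST):
    """Return (accepted, reason) for a candidate password.

    The checks are the ones 800-63B asks for: length, blocklist, context-specific
    words (username, service name), and repetitive or sequential characters.
    There is deliberately no composition rule: 'correct horse battery staple'
    passes while 'P@ssw0rd' does not.
    """
    s = normalize(secret)
    if len(s) < MIN_LENGTH:
        return False, "too short"
    if len(s) > MAX_LENGTH_PERMITTED:
        # Reject instead of truncating: 800-63B forbids silently truncating secrets.
        return False, "too long"
    lowered = s.lower()
    if lowered in blocklist:
        return False, "commonly used or compromised"
    for word in context_words:
        if word and word.lower() in lowered:
            return False, "contains context-specific word"
    if is_repetitive_or_sequential(lowered):
        return False, "repetitive or sequential"
    return True, "ok"


def hash_secret(secret, salt=None):
    """Salted PBKDF2-HMAC-SHA256, the kind of storage 800-63B 5.1.1.2 describes.

    The salt is random per secret and well above the 32-bit minimum (128 bits here).
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(secret).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_secret(secret, salt, expected):
    """Recompute the digest and compare in constant time."""
    _, digest = hash_secret(secret, salt)
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "Tr0ub4dor&3", "correct horse battery staple",
                      "87654321", "jsmith2024"):
        print(repr(candidate), check_memorized_secret(candidate, context_words=("jsmith",)))
    salt, stored = hash_secret("correct horse battery staple")
    print("verify:", verify_secret("correct horse battery staple", salt, stored))
```

Note what the example does and does not catch: "P@ssw0rd" is rejected only because the constructed blocklist happens to contain it, while "Tr0ub4dor&3" sails through every check. That is the caveat behind NIST's position: a blocklist is only as good as the breach data behind it, and no composition rule would have made either string meaningfully stronger, which is why the guidance leans on length and memorability instead.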

If you are looking for more information about best password practices and data security, the IT experts at Network Management Services are here to help. Call us today at (707) 268-8850 to have your password strategy assessed by the professionals.

Comic by XKCD.

Wednesday, September 19 2018

Captcha Image

Mobile? Grab this Article!

QR-Code dieser Seite

Tag Cloud

Tip of the Week Security Technology Cloud Best Practices Network Security Business Computing Privacy Managed IT Services Hackers Malware Data Backup Innovation Backup VoIP Hosted Solutions Mobile Devices Google Email Tech Term Data Recovery Outsourced IT IT Support Data Internet of Things Saving Money Cloud Computing Internet Microsoft Software BDR IT Services Hardware Business Continuity Efficiency Communications Business Cybercrime Small Business Cybersecurity Ransomware Android User Tips Artificial Intelligence Smartphones Communication Server Disaster Recovery Alert Managed IT Services Smartphone Windows Avoiding Downtime Save Money How To Managed IT Network Computers Gadgets Browser Business Management Data Security Data Protection Windows 10 Collaboration Miscellaneous Social Media Vulnerability Router Law Enforcement BYOD Social Engineering Chrome Phishing Firewall Mobile Device Management Applications Two-factor Authentication Passwords Productivity Business Intelligence Mobility Money Office 365 Redundancy Managed Service Provider Document Management Upgrade Compliance Private Cloud Spam Facebook Identity Theft Remote Monitoring Blockchain Word Computer Productivity Virtualization Operating System Bandwidth Flexibility Workplace Tips Telephone Systems Proactive IT Budget Connectivity IT Support VPN Business Owner Big Data File Sharing Automation Website Unified Threat Management Physical Security Information Technology Government Managed Service Data loss Work/Life Balance CES Comparison OneNote IT Management Encryption Google Drive Content Management Paperless Office Training Workers Windows 7 Access Control Quick Tips Windows 10 Smart Tech Virtual Assistant Employer-Employee Relationship IT Plan Settings Public Cloud Data Breach Wi-Fi Update Office Tips Data storage Credit Cards Content Filtering Unsupported Software Mobile Device Analysis Data Storage Servers App Apps Infrastructure Mobile Computing Value Solid State Drive Networking Microsoft Office 
Holiday Hacking Spam Blocking Information Password Sports Bring Your Own Device Password Manager IT Consultant Cortana Keyboard Office Mobile Cables Devices Supercomputer Remote Worker Data Warehousing Voice over Internet Protocol Digital Signature Machine Learning Advertising Enterprise Content Management Windows 10s Smart Office User Error Windows Server 2008 Remote Work Hosted Solution Amazon Web Services Inventory Emergency Professional Services Business Mangement Addiction Leadership Colocation HBO IoT SaaS Relocation Business Technology Unified Communications Thought Leadership Hiring/Firing Health Wiring Multi-Factor Security Legal Risk Management YouTube Cleaning Netflix Password Management Sync Education Screen Mirroring Software as a Service Recovery Online Shopping Patch Management CrashOverride Tools Save Time Gmail Cache Computing Infrastructure Outlook Specifications Humor Theft Streaming Media Current Events Files Trending Strategy Computer Care NIST Audit Telephony Apple Cast HaaS Students Reputation Internet Exlporer Regulations Evernote Authentication Scam Downtime Recycling Wireless Internet webinar Frequently Asked Questions Millennials Insurance Telephone System Google Apps Content Filter Knowledge Augmented Reality Lifestyle HIPAA Samsung Hybrid Cloud Cryptocurrency Computer Fan Skype Hard Drives iPhone Wireless Technology Entertainment Human Resources Healthcare Charger Emails Customer End of Support Wireless Charging Nanotechnology Safety Root Cause Analysis Botnet eWaste Wire Conferencing Monitor History IBM Excel Workforce USB Fraud Practices Storage Electronic Medical Records Network Congestion The Internet of Things Software Tips Accountants Marketing Safe Mode Hacker FENG Start Menu MSP Google Docs Staff Electronic Health Records Internet exploMicrosoft HVAC Flash PDF Black Market Fiber-Optic Meetings Travel Data Management Criminal Tip of the week Telecommuting Amazon Hosted Computing Twitter Video Games Loyalty IP Address Smart 
Technology IT solutions Users Battery Techology Rootkit Customer Service How to Employer Employee Relationship Remote Computing Experience Mobile Office Domains Proactive Wireless Content Computer Accessories Scalability Music Fun Two Factor Authentication Public Speaking Camera Best Practice Politics Company Culture Presentation Remote Monitoring and Maintenance Audiobook Vendor Management Shadow IT Bluetooth Administration Wearable Technology Assessment Lithium-ion battery Printers Managing Stress Virtual Reality Transportation Line of Business 5G WiFi Tech Support Regulation Automobile Books Television Search Worker Commute Benefits Webinar Competition Worker Customer Relationship Management Instant Messaging Troubleshooting Public Computer