
Network Management Services Blog

Understanding the New NIST Guidelines for Password Security


The National Institute of Standards and Technology (NIST) has released Special Publication 800-63B, titled Digital Identity Guidelines. The document outlines major changes to the way password security should be approached and leaves much of what network administrators and software developers have implemented recently looking wrong. Today, we’ll take a look at the publication and try to make sense of the sudden change of course.

NIST is a non-regulatory federal agency that works under the umbrella of the U.S. Department of Commerce. Its mission is to promote U.S. innovation and competitiveness by advancing a uniform measurement standard. Many NIST guidelines become the foundation for best practices in data security. As a result, any publication they produce having to do with cyber or network security should be considered.

A Look at SP 800-63B
The newest password guidelines are a swift about-face in strategy as compared to previous NIST suggestions. Instead of a strategy of ensuring that all passwords meet some type of arbitrary complexity requirements, the new strategy is to create passwords that are easier and more intuitive. Here are some of the highlights:

  • Passwords should be compared to dictionaries and commonly-used passwords
  • Eliminate or reduce complexity rules for passwords
  • All printable characters allowed, including spaces
  • Expiration of passwords no longer based on how long the password has been in use
  • Maximum length increased to 64 characters
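As an added illustration (not code from the original post, and not NIST's own), here is a small Python password-acceptance check that applies the highlights above: a comparison against a blocklist of common passwords, no composition rules, all printable characters including spaces, and a 64-character cap. The 8-character minimum comes from SP 800-63B itself; the tiny blocklist is a constructed sample. A legacy complexity rule is included only for contrast.

```python
import unicodedata
from typing import Tuple

# Constructed sample blocklist. A real verifier would load a large list of
# breached and commonly-used passwords for the SP 800-63B comparison.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "password1", "p@ssw0rd",
}

MIN_LENGTH = 8    # SP 800-63B minimum for user-chosen memorized secrets
MAX_LENGTH = 64   # verifiers should accept at least this many characters


def normalize(secret: str) -> str:
    """NFKC-normalize so visually identical inputs compare equally."""
    return unicodedata.normalize("NFKC", secret)


def check_password(secret: str) -> Tuple[bool, str]:
    """Return (accepted, reason). Only length, printability and the
    blocklist are enforced; there are no upper/lower/digit/symbol rules."""
    secret = normalize(secret)
    # Length is counted in characters, not bytes, so non-ASCII text is not penalized.
    if len(secret) < MIN_LENGTH:
        return False, "too short"
    if len(secret) > MAX_LENGTH:
        return False, "too long"
    # Every printable character is allowed, spaces included; only the Unicode
    # "Other" categories (control, format, surrogate, unassigned) are rejected.
    if any(unicodedata.category(ch).startswith("C") for ch in secret):
        return False, "control characters not allowed"
    # Dictionary / common-password comparison, case-insensitive.
    if secret.lower() in COMMON_PASSWORDS:
        return False, "commonly used password"
    return True, "ok"


def legacy_complexity_check(secret: str) -> bool:
    """The older composition rule the post says NIST is moving away from:
    upper, lower, digit and symbol required, no spaces. Shown for contrast."""
    return (len(secret) >= 8
            and " " not in secret
            and any(c.isupper() for c in secret)
            and any(c.islower() for c in secret)
            and any(c.isdigit() for c in secret)
            and any(not c.isalnum() for c in secret))
```

Note that the legacy rule accepts "P@ssw0rd" and rejects "correct horse battery staple", while the 800-63B-style check does the opposite.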

Basically, the new guidelines recommend longer passphrases over complex passwords: complex passwords are hard for people to remember, and even with complexity rules in place it was becoming increasingly easy for algorithms to crack them (as seen in the comic strip below).

[Comic strip image]

As stated before, NIST is not a regulatory organization, but federal agencies and contractors use NIST’s information in order to set up secure computing environments in which to display, store, and share sensitive unclassified information.

In making these changes to password strategy, NIST is now acknowledging what many industry professionals already knew: a password you can’t remember may be secure, but if it’s so secure that you have to rely on third-party software to use it, it’s not really that effective at mitigating risk. NIST now looks at the passphrase strategy, along with two-factor authentication, as the go-to risk management strategy. SMS-based two-factor authentication was not mentioned in the final report, but it has come under scrutiny as it has contributed to multiple hacks in recent times.

NIST also explicitly directs network administrators to forbid commonly used passwords, effectively creating a blacklist of passwords. The new guidelines also suggest that users shouldn’t be using password hints or knowledge-based authentication options, a practice still common among banking and FinTech applications to this day. We’ll see whether these companies alter their practices as the new NIST guidelines become best practices.

If you are looking for more information about best password practices and data security, the IT experts at Network Management Services are here to help. Call us today at (707) 268-8850 to have your password strategy assessed by the professionals.

Comic by XKCD.

Saturday, February 16 2019