(707) 268-8850    Get SUPPORT

Network Management Services Blog

Understanding the New NIST Guidelines for Password Security

Understanding the New NIST Guidelines for Password Security

The National Institute for Standards and Technology (NIST) has released Special Publication 800-63B, titled Digital Identity Guidelines. The document outlines major changes to the ways password security should be approached and leaves a lot of what network administrators and software developers have implemented recently to be wrong Today, we’ll take a look at the publication, and try to make sense of the sudden change of course.

NIST is a non-regulatory federal agency that works under the umbrella of the U.S. Department of Commerce. Its mission is to promote U.S. innovation and competitiveness by advancing a uniform measurement standard. Many NIST guidelines become the foundation for best practices in data security. As a result, any publication they produce having to do with cyber or network security should be considered.

A Look at SP 800-63B
The newest password guidelines are a swift about-face in strategy as compared to previous NIST suggestions. Instead of a strategy of ensuring that all passwords meet some type of arbitrary complexity requirements, the new strategy is to create passwords that are easier and more intuitive. Here are some of the highlights:

  • Passwords should be compared to dictionaries and commonly-used passwords
  • Eliminate or reduce complexity rules for passwords
  • All printable characters allowed, including spaces
  • Expiration of passwords no longer based on time password has been in use
  • Maximum length increased to 64 characters.

Basically, the new guidelines recommend longer passphrases to the complex passwords as they are hard for people to remember, and even with complexity rules in place, it was becoming increasingly easy for algorithms to crack passwords (seen in the comic strip below).

ib nist cartoon 1

As stated before, NIST is not a regulatory organization, but federal agencies and contractors use NIST’s information in order to set up secure computing environments in which to display, store, and share sensitive unclassified information.

In making these changes to password strategy, NIST is now considering the fact that many industry professionals knew: a password you can’t remember may be secure, but if it’s so secure that you have to rely on third-party software to utilize it, it’s not really that effective at mitigating risk. NIST now looks at the passphrase strategy, along with two-factor authentication as the go-to risk management strategy. SMS-based two-factor authentication was not mentioned in the final report but has come under scrutiny as it has contributed to multiple hacks in recent times.

The NIST also explicitly commands that network administrators be mindful to forbid commonly used passwords; effectively creating a blacklist of passwords. The new guidelines also suggest that users shouldn’t be using the password hints or knowledge-based authentication options; a common practice among banking and FinTech applications to this day. We’ll see if there is a strategic alteration in these companies’ practices as the new NIST guidelines become best practices.

If you are looking for more information about best password practices and data security, the IT experts at Network Management Services are here to help. Call us today at (707) 268-8850 to have your password strategy assessed by the professionals.

Comic by XKCD.

Cryptomining is Inspiring Cybercrime
Know Your Tech: CMS


No comments made yet. Be the first to submit a comment
Already Registered? Login Here
Thursday, November 15 2018

Captcha Image

Mobile? Grab this Article!

QR-Code dieser Seite

Tag Cloud

Tip of the Week Security Technology Cloud Best Practices Network Security Business Computing Privacy Managed IT Services Hackers Malware Data Backup Backup VoIP Mobile Devices Hosted Solutions Innovation Google Email Data Recovery Outsourced IT Data Tech Term IT Support IT Services Internet of Things Saving Money Cloud Computing Internet Microsoft Software BDR Business Continuity Efficiency Hardware Communications Cybercrime Business Smartphones Communication Ransomware Small Business Cybersecurity User Tips Server Android Disaster Recovery Artificial Intelligence Managed IT Services Save Money Managed IT Network How To Alert Computers Gadgets Browser Smartphone Windows Avoiding Downtime Law Enforcement Miscellaneous Social Engineering Windows 10 Data Security Data Protection Social Media Chrome Firewall Mobile Device Management Workplace Tips Phishing Vulnerability Two-factor Authentication Mobility Computer Passwords Collaboration Money Productivity Router BYOD Business Management Business Intelligence Applications Upgrade Blockchain Compliance Redundancy Remote Monitoring Spam Flexibility Telephone Systems Virtualization Operating System Connectivity Productivity Bandwidth VPN Word Document Management Budget Proactive IT Managed Service Provider IT Support Facebook Identity Theft Office 365 Private Cloud Quick Tips Office Tips Mobile Device Credit Cards Employer-Employee Relationship Public Cloud Virtual Assistant Analysis Data loss Training Workers OneNote Data storage Comparison Windows 10 App Settings IT Management Solid State Drive Holiday Data Breach Wi-Fi Infrastructure Windows 7 Content Filtering Password IT Plan Business Owner Sports Update Information Technology Hacking Apps Work/Life Balance Information Value Unsupported Software CES Automation Data Storage Networking Microsoft Office Physical Security Servers File Sharing Encryption Government Bring Your Own Device Managed Service Access Control Mobile Computing Big Data Content Management Paperless Office Smart Tech Website Google Drive Spam Blocking Unified Threat Management Strategy Meetings Travel Wiring Emergency Theft Streaming Media Tip of the week Telecommuting Password Management HaaS Humor Mobile SaaS Evernote Authentication Computing Infrastructure Leadership Students HIPAA Insurance Files Data Warehousing Voice over Internet Protocol Recycling Wireless Internet Windows 10s Cleaning Netflix Apple Camera Patch Management Google Apps Content Filter Reputation Internet Exlporer Windows Server 2008 Remote Work NIST Entertainment Professional Services USB Wireless Charging Nanotechnology HBO Human Resources Healthcare Fraud Practices Multi-Factor Security Current Events eWaste Wire Hybrid Cloud Sync Telephone System Computer Care Accountants Hard Drives iPhone Screen Mirroring Software as a Service Scam PDF Black Market Storage Customer End of Support Cryptocurrency Electronic Health Records CrashOverride Tools Fiber-Optic Monitor History Outlook Specifications webinar Data Management Staff Samsung Keyboard Amazon Hosted Computing Trending Knowledge Augmented Reality Criminal Audit Telephony Cast Wireless Technology Password Manager Internet exploMicrosoft Regulations Safe Mode Charger Emails Digital Signature Machine Learning Downtime MSP Safety Hosted Solution Cables Devices Frequently Asked Questions Millennials HVAC Conferencing IBM Marketing Hacker Amazon Web Services Inventory Cortana Lifestyle Electronic Medical Records Network Congestion The Internet of Things Smart Office Office Computer Fan Skype Legal Risk Management IoT Education Business Mangement Addiction Advertising YouTube Root Cause Analysis Botnet Remote Worker Recovery Unified Communications Thought Leadership User Error Excel Workforce Enterprise Content Management Start Menu Online Shopping Colocation Software Tips IT Consultant Save Time Relocation FENG Hiring/Firing Health Google Docs Supercomputer Gmail Cache Flash Business Technology Company Culture Shadow IT Rootkit Customer Service Audiobook Proactive Mobile Office Wearable Technology Employer Employee Relationship Fun Domains Virtual Reality Managing Stress Wireless Remote Monitoring and Maintenance Administration Computer Accessories Automobile Two Factor Authentication Public Speaking Worker Commute Printers Presentation Vendor Management Search Line of Business Assessment Lithium-ion battery Instant Messaging Troubleshooting Bluetooth Video Games Regulation Tech Support Transportation 5G Battery Twitter Books Television How to Techology Remote Computing Experience WiFi Benefits Webinar Public Computer Competition Worker Customer Relationship Management Content Loyalty IP Address Scalability Music Users Best Practice Politics Smart Technology IT solutions