(707) 268-8850    Get SUPPORT

Network Management Services Blog

Understanding the New NIST Guidelines for Password Security

Understanding the New NIST Guidelines for Password Security

The National Institute for Standards and Technology (NIST) has released Special Publication 800-63B, titled Digital Identity Guidelines. The document outlines major changes to the ways password security should be approached and leaves a lot of what network administrators and software developers have implemented recently to be wrong Today, we’ll take a look at the publication, and try to make sense of the sudden change of course.

NIST is a non-regulatory federal agency that works under the umbrella of the U.S. Department of Commerce. Its mission is to promote U.S. innovation and competitiveness by advancing a uniform measurement standard. Many NIST guidelines become the foundation for best practices in data security. As a result, any publication they produce having to do with cyber or network security should be considered.

A Look at SP 800-63B
The newest password guidelines are a swift about-face in strategy as compared to previous NIST suggestions. Instead of a strategy of ensuring that all passwords meet some type of arbitrary complexity requirements, the new strategy is to create passwords that are easier and more intuitive. Here are some of the highlights:

  • Passwords should be compared to dictionaries and commonly-used passwords
  • Eliminate or reduce complexity rules for passwords
  • All printable characters allowed, including spaces
  • Expiration of passwords no longer based on time password has been in use
  • Maximum length increased to 64 characters.

Basically, the new guidelines recommend longer passphrases to the complex passwords as they are hard for people to remember, and even with complexity rules in place, it was becoming increasingly easy for algorithms to crack passwords (seen in the comic strip below).

ib nist cartoon 1

As stated before, NIST is not a regulatory organization, but federal agencies and contractors use NIST’s information in order to set up secure computing environments in which to display, store, and share sensitive unclassified information.

In making these changes to password strategy, NIST is now considering the fact that many industry professionals knew: a password you can’t remember may be secure, but if it’s so secure that you have to rely on third-party software to utilize it, it’s not really that effective at mitigating risk. NIST now looks at the passphrase strategy, along with two-factor authentication as the go-to risk management strategy. SMS-based two-factor authentication was not mentioned in the final report but has come under scrutiny as it has contributed to multiple hacks in recent times.

The NIST also explicitly commands that network administrators be mindful to forbid commonly used passwords; effectively creating a blacklist of passwords. The new guidelines also suggest that users shouldn’t be using the password hints or knowledge-based authentication options; a common practice among banking and FinTech applications to this day. We’ll see if there is a strategic alteration in these companies’ practices as the new NIST guidelines become best practices.

If you are looking for more information about best password practices and data security, the IT experts at Network Management Services are here to help. Call us today at (707) 268-8850 to have your password strategy assessed by the professionals.

Comic by XKCD.

Cryptomining is Inspiring Cybercrime
Know Your Tech: CMS
 

Comments

No comments made yet. Be the first to submit a comment
Already Registered? Login Here
Guest
Sunday, July 15 2018

Captcha Image

Mobile? Grab this Article!

QR-Code dieser Seite

Tag Cloud

Tip of the Week Security Technology Cloud Best Practices Network Security Business Computing Privacy Managed IT Services Malware Hackers Backup Google VoIP Data Backup Hosted Solutions Mobile Devices Email Outsourced IT IT Support Software Innovation Microsoft Data Recovery Business Continuity Internet of Things Saving Money Tech Term Cloud Computing Internet Data Efficiency Communications Business BDR Ransomware Cybercrime Small Business Cybersecurity IT Services Android Disaster Recovery Hardware Browser Alert User Tips Artificial Intelligence Server Smartphones Computers Avoiding Downtime Smartphone How To Windows Communication Managed IT Social Engineering Law Enforcement Mobility Vulnerability Collaboration Business Management Managed IT Services Router Network BYOD Chrome Money Mobile Device Management Phishing Business Intelligence Two-factor Authentication Save Money Data Security Data Protection Telephone Systems Gadgets Budget Proactive IT Remote Monitoring Virtualization Operating System Office 365 Connectivity Word Document Management Upgrade Social Media Compliance Spam Firewall VPN Computer Windows 10 Identity Theft Managed Service Provider Flexibility Redundancy Passwords Productivity Bandwidth Private Cloud OneNote Apps Credit Cards Solid State Drive Comparison Value Holiday Quick Tips Analysis IT Management Productivity Windows 7 Networking Public Cloud Password Employer-Employee Relationship Bring Your Own Device IT Support Business Owner Infrastructure Data storage Information Technology IT Plan Big Data Work/Life Balance Update Website Miscellaneous Unsupported Software Servers Data Storage CES Hacking Workers Facebook Windows 10 Spam Blocking Content Management Data Breach Paperless Office Physical Security Wi-Fi Office Tips Automation Content Filtering Mobile Device Smart Tech Government Blockchain Google Drive Data loss App IBM Recycling Wireless Internet HVAC Professional Services Safety Insurance Conferencing HBO Google Apps Content Filter Computing Infrastructure Sync Marketing Hacker Electronic Medical Records Network Congestion PDF Black Market Humor Multi-Factor Security The Internet of Things Files Human Resources Healthcare Screen Mirroring Software as a Service Microsoft Office Wireless Charging Nanotechnology Data Management Specifications eWaste Wire Keyboard Reputation Internet Exlporer Enterprise Content Management CrashOverride Tools Fraud Practices Apple Outlook Storage Audit Telephony Accountants IT Consultant Trending Regulations Staff Supercomputer Electronic Health Records Hosted Solution Hybrid Cloud Cast Fiber-Optic Unified Threat Management Frequently Asked Questions Millennials Emergency Criminal Sports Customer End of Support Password Management Downtime Amazon Hosted Computing Hard Drives iPhone Password Manager SaaS Legal Risk Management Monitor History Computer Fan Skype Leadership Education Lifestyle Digital Signature Machine Learning Recovery Virtual Assistant Cables Cleaning Devices Netflix Excel Workforce Patch Management Smart Office Internet exploMicrosoft NIST Root Cause Analysis Botnet Amazon Web Services Training Inventory Save Time Business Mangement Addiction FENG Start Menu IoT Applications Software Tips Mobile Computing HaaS Cortana Flash Encryption Current Events YouTube Office Google Docs Unified Communications Computer Care Thought Leadership Settings Tip of the week Telecommuting Scam Advertising Cryptocurrency Meetings Travel Online Shopping Access Control Gmail Cache HIPAA User Error Mobile webinar Entertainment Colocation Windows 10s Strategy Knowledge Relocation Data Warehousing Voice over Internet Protocol Theft Samsung Streaming Media Windows Server 2008 Remote Work Students Workplace Tips USB Safe Mode Wireless Technology Evernote Charger Authentication Emails Hiring/Firing Health Books Television Worker Commute Managing Stress Fun Benefits Instant Messaging Troubleshooting File Sharing Webinar Customer Relationship Management Public Computer Video Games Competition Worker Loyalty Administration IP Address Battery Users Smart Technology How to Business Technology IT solutions Techology Customer Service Remote Computing Experience Rootkit Twitter Mobile Office Employer Employee Relationship Search Content WiFi Domains Scalability Music Wireless Best Practice Politics Computer Accessories Audiobook Two Factor Authentication Shadow IT Telephone System Public Speaking Wearable Technology Presentation Vendor Management Assessment Lithium-ion battery Bluetooth Virtual Reality Company Culture Augmented Reality Tech Support Transportation 5G Automobile