253.777.0763    Get SUPPORT

Understanding the New NIST Guidelines for Password Security

Understanding the New NIST Guidelines for Password Security

The National Institute for Standards and Technology (NIST) has released Special Publication 800-63B, titled Digital Identity Guidelines. The document outlines major changes to the ways password security should be approached and leaves a lot of what network administrators and software developers have implemented recently to be wrong Today, we’ll take a look at the publication, and try to make sense of the sudden change of course.

NIST is a non-regulatory federal agency that works under the umbrella of the U.S. Department of Commerce. Its mission is to promote U.S. innovation and competitiveness by advancing a uniform measurement standard. Many NIST guidelines become the foundation for best practices in data security. As a result, any publication they produce having to do with cyber or network security should be considered.

A Look at SP 800-63B
The newest password guidelines are a swift about-face in strategy as compared to previous NIST suggestions. Instead of a strategy of ensuring that all passwords meet some type of arbitrary complexity requirements, the new strategy is to create passwords that are easier and more intuitive. Here are some of the highlights:

  • Passwords should be compared to dictionaries and commonly-used passwords
  • Eliminate or reduce complexity rules for passwords
  • All printable characters allowed, including spaces
  • Expiration of passwords no longer based on time password has been in use
  • Maximum length increased to 64 characters.

Basically, the new guidelines recommend longer passphrases to the complex passwords as they are hard for people to remember, and even with complexity rules in place, it was becoming increasingly easy for algorithms to crack passwords (seen in the comic strip below).

ib nist cartoon 1

As stated before, NIST is not a regulatory organization, but federal agencies and contractors use NIST’s information in order to set up secure computing environments in which to display, store, and share sensitive unclassified information.

In making these changes to password strategy, NIST is now considering the fact that many industry professionals knew: a password you can’t remember may be secure, but if it’s so secure that you have to rely on third-party software to utilize it, it’s not really that effective at mitigating risk. NIST now looks at the passphrase strategy, along with two-factor authentication as the go-to risk management strategy. SMS-based two-factor authentication was not mentioned in the final report but has come under scrutiny as it has contributed to multiple hacks in recent times.

The NIST also explicitly commands that network administrators be mindful to forbid commonly used passwords; effectively creating a blacklist of passwords. The new guidelines also suggest that users shouldn’t be using the password hints or knowledge-based authentication options; a common practice among banking and FinTech applications to this day. We’ll see if there is a strategic alteration in these companies’ practices as the new NIST guidelines become best practices.

If you are looking for more information about best password practices and data security, the IT experts at Graemouse Technologies are here to help. Call us today at 253.777.0763 to have your password strategy assessed by the professionals.

Comic by XKCD.

Cryptomining is Inspiring Cybercrime
Know Your Tech: CMS


No comments made yet. Be the first to submit a comment
Already Registered? Login Here
Wednesday, September 26 2018
If you'd like to register, please fill in the username, password and name fields.

Captcha Image

Mobile? Grab this Article!

QR-Code dieser Seite

Tag Cloud

Internet exploMicrosoft Workplace Tips Business Computing Artificial Intelligence Social Engineering Phishing HBO Millennials Patch Management Hosted Solutions Public Cloud Business Continuity Managed Service Money Online Spam Technology Tip of the Week Miscellaneous Windows 7 User Tips Employer-Employee Relationship User Error File Sharing Nanotechnology Business Malware Recycling Physical Security Blockchain Conferencing Practices Private Cloud Training Business Management Virtualization Virtual Assistant Mobile Device Computers Managed IT Services Microsoft Office Two-factor Authentication Paperless Office Google Drive Upgrade Google App Browser Save Money Microsoft Unsupported Software Network Congestion Cortana Sync Accountants The Internet of Things Network Security Law Enforcement Automation Android Spam Blocking Cloud Cleaning IT Plan Amazon Web Services Operating System Outsourced IT OneNote Telephone System Remote Monitoring Trending Networking IT Consultant Data Backup Communication Telephone Systems Botnet VPN Access Control Flexibility Avoiding Downtime Business Mangement Saving Money Augmented Reality Data loss Smartphone Productivity Collaboration Recovery Content Management CES Telephony Wire Windows 10 Cloud Computing IT Support Chrome IT Management Password Camera Google Apps Infrastructure Facebook Sports Managed IT Services Settings BYOD Machine Learning Thought Leadership Authentication Privacy Supercomputer Security Safety Mobile Device Management Cybercrime Data Breach Windows Audit Company Culture Software Data Security Hardware Workforce Telecommuting IBM Alert IT Services MSP Solid State Drive Router Twitter Network YouTube Cybersecurity Wireless Charging Advertising Bring Your Own Device Scam Email Redundancy Business Intelligence Best Practices Samsung Managed IT Multi-Factor Security Identity Theft Password Management How To Bandwidth Data Protection Workers Comparison Data Storage Enterprise Content Management Social Media Apps Wi-Fi Emails Word Efficiency Update Innovation Government Windows 10 Productivity VoIP Mobile Devices Work/Life Balance Tip of the week Internet Data Backup Internet of Things Computer Care Tech Term Amazon Staff Gmail Windows Server 2008 Remote Work Ransomware Information Small Business Communications Data Recovery BDR Applications Vulnerability Computer Connectivity Server Mobile Computing Smartphones Website Gadgets Office 365 Encryption Passwords Hackers

Newsletter Sign Up