
TaylorWorks Blog

Understanding the New NIST Guidelines for Password Security


The National Institute of Standards and Technology (NIST) has released Special Publication 800-63B, titled Digital Identity Guidelines. The document outlines major changes to the way password security should be approached, and it leaves much of what network administrators and software developers have implemented in recent years looking wrong. Today, we'll take a look at the publication and try to make sense of the sudden change of course.

NIST is a non-regulatory federal agency that works under the umbrella of the U.S. Department of Commerce. Its mission is to promote U.S. innovation and competitiveness by advancing uniform measurement standards. Many NIST guidelines become the foundation for best practices in data security. As a result, any publication it produces having to do with cyber or network security deserves serious consideration.

A Look at SP 800-63B
The newest password guidelines are a swift about-face in strategy compared to previous NIST suggestions. Instead of requiring that every password meet some set of arbitrary complexity rules, the new strategy is to allow passwords that are easier and more intuitive for people to use. Here are some of the highlights:

  • Passwords should be compared against dictionaries and lists of commonly used passwords.
  • Complexity rules for passwords should be eliminated or reduced.
  • All printable characters should be allowed, including spaces.
  • Password expiration should no longer be based on how long the password has been in use.
  • The maximum length should be increased to 64 characters.

Basically, the new guidelines recommend longer passphrases over complex passwords: complex passwords are hard for people to remember, and even with complexity rules in place it was becoming increasingly easy for cracking algorithms to guess them (as the comic strip below illustrates).

[Image: XKCD comic on password strength]

As stated before, NIST is not a regulatory organization, but federal agencies and contractors use NIST's guidance to set up secure computing environments in which to display, store, and share sensitive unclassified information.

In making these changes to password strategy, NIST now acknowledges what many industry professionals already knew: a password you can't remember may be secure, but if it is so secure that you have to rely on third-party software to use it, it isn't really that effective at mitigating risk. NIST now treats the passphrase strategy, along with two-factor authentication, as the go-to risk management approach. SMS-based two-factor authentication was not mentioned in the final report, but it has come under scrutiny because it has contributed to multiple hacks in recent times.

NIST also explicitly directs network administrators to forbid commonly used passwords, effectively creating a blacklist of passwords. The new guidelines further suggest that users should not rely on password hints or knowledge-based authentication options, a practice that remains common among banking and FinTech applications to this day. We'll see whether these companies alter their practices as the new NIST guidelines become best practices.
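To make the highlights above and the blacklist requirement concrete, here is an added example of a password check written in the spirit of SP 800-63B. It is illustrative code written for this post, not code from NIST or from TaylorWorks, and the blocklist, the length bounds, and the helper names are assumptions chosen for demonstration: it enforces a minimum and a maximum length, accepts every printable character including spaces, normalizes Unicode before comparing so look-alike characters cannot slip past the blocklist, rejects entries found on a common-password list or containing context-specific words, and imposes no composition rules.

```python
import unicodedata
from typing import Iterable, Optional

# Constructed sample blocklist; a real deployment would load a large
# corpus of breached and dictionary passwords instead.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome1", "p@ssw0rd",
}

MIN_LENGTH = 8   # assumed lower bound for user-chosen secrets
MAX_LENGTH = 64  # assumed upper bound; SP 800-63B asks verifiers to accept at least 64


def normalize(secret: str) -> str:
    """Apply Unicode NFKC normalization so visually identical inputs compare equal
    (for example, fullwidth letters collapse to their ASCII counterparts)."""
    return unicodedata.normalize("NFKC", secret)


def check_memorized_secret(candidate: str,
                           blocklist: Iterable[str] = COMMON_PASSWORDS,
                           context_words: Iterable[str] = ()) -> Optional[str]:
    """Return None if the secret is acceptable, otherwise a short reason string.

    Deliberately absent: any rule demanding digits, symbols, or mixed case.
    """
    secret = normalize(candidate)

    # Every printable character (including spaces) is allowed; only control,
    # format and other non-printing code points are rejected.
    if any(unicodedata.category(ch).startswith("C") for ch in secret):
        return "contains non-printable characters"

    # Count code points rather than bytes so non-ASCII users are not penalized.
    if len(secret) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    if len(secret) > MAX_LENGTH:
        return f"longer than {MAX_LENGTH} characters"

    # Blocklist comparison is case-insensitive on the normalized form.
    lowered = secret.lower()
    if lowered in {entry.lower() for entry in blocklist}:
        return "appears in the common-password blocklist"

    # Context-specific words (service name, username) are easy guesses.
    for word in context_words:
        if word.lower() in lowered:
            return "contains a context-specific word"

    return None


def is_acceptable(candidate: str, **kwargs) -> bool:
    """Convenience wrapper returning True when no objection is raised."""
    return check_memorized_secret(candidate, **kwargs) is None


if __name__ == "__main__":
    for sample in ["correct horse battery staple", "P@ssw0rd", "short", "ｐａｓｓｗｏｒｄ"]:
        print(repr(sample), "->", check_memorized_secret(sample) or "accepted")
```

The fullwidth sample shows why normalization comes before the blocklist lookup: without it, "ｐａｓｓｗｏｒｄ" would not match "password" even though a user would read them identically.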

If you are looking for more information about best password practices and data security, the IT experts at TaylorWorks are here to help. Call us today at 407-478-6600 to have your password strategy assessed by the professionals.

Comic by XKCD.
