window._mfq = window._mfq || []; (function() { var mf = document.createElement("script"); mf.type = "text/javascript"; mf.async = true; mf.src = "//cdn.mouseflow.com/projects/0148bb62-7ff8-46ae-a466-bf3fd13c7d09.js"; document.getElementsByTagName("head")[0].appendChild(mf); })();
407-478-6600    Get SUPPORT

TaylorWorks Blog

Understanding the New NIST Guidelines for Password Security

Understanding the New NIST Guidelines for Password Security

The National Institute for Standards and Technology (NIST) has released Special Publication 800-63B, titled Digital Identity Guidelines. The document outlines major changes to the ways password security should be approached and leaves a lot of what network administrators and software developers have implemented recently to be wrong Today, we’ll take a look at the publication, and try to make sense of the sudden change of course.

NIST is a non-regulatory federal agency that works under the umbrella of the U.S. Department of Commerce. Its mission is to promote U.S. innovation and competitiveness by advancing a uniform measurement standard. Many NIST guidelines become the foundation for best practices in data security. As a result, any publication they produce having to do with cyber or network security should be considered.

A Look at SP 800-63B
The newest password guidelines are a swift about-face in strategy as compared to previous NIST suggestions. Instead of a strategy of ensuring that all passwords meet some type of arbitrary complexity requirements, the new strategy is to create passwords that are easier and more intuitive. Here are some of the highlights:

  • Passwords should be compared to dictionaries and commonly-used passwords
  • Eliminate or reduce complexity rules for passwords
  • All printable characters allowed, including spaces
  • Expiration of passwords no longer based on time password has been in use
  • Maximum length increased to 64 characters.

Basically, the new guidelines recommend longer passphrases to the complex passwords as they are hard for people to remember, and even with complexity rules in place, it was becoming increasingly easy for algorithms to crack passwords (seen in the comic strip below).

ib nist cartoon 1

As stated before, NIST is not a regulatory organization, but federal agencies and contractors use NIST’s information in order to set up secure computing environments in which to display, store, and share sensitive unclassified information.

In making these changes to password strategy, NIST is now considering the fact that many industry professionals knew: a password you can’t remember may be secure, but if it’s so secure that you have to rely on third-party software to utilize it, it’s not really that effective at mitigating risk. NIST now looks at the passphrase strategy, along with two-factor authentication as the go-to risk management strategy. SMS-based two-factor authentication was not mentioned in the final report but has come under scrutiny as it has contributed to multiple hacks in recent times.

The NIST also explicitly commands that network administrators be mindful to forbid commonly used passwords; effectively creating a blacklist of passwords. The new guidelines also suggest that users shouldn’t be using the password hints or knowledge-based authentication options; a common practice among banking and FinTech applications to this day. We’ll see if there is a strategic alteration in these companies’ practices as the new NIST guidelines become best practices.

If you are looking for more information about best password practices and data security, the IT experts at TaylorWorks are here to help. Call us today at 407-478-6600 to have your password strategy assessed by the professionals.

Comic by XKCD.

Cryptomining is Inspiring Cybercrime
Know Your Tech: CMS
 

Comments

No comments made yet. Be the first to submit a comment
Already Registered? Login Here
Guest
Tuesday, November 20 2018
If you'd like to register, please fill in the username, password and name fields.

Captcha Image

Tag Cloud

Tip of the Week Security Technology Network Security Best Practices Cloud Business Computing Managed IT Services Privacy Data Backup Hackers Data Recovery Email Malware VoIP Hosted Solutions Data Outsourced IT Mobile Devices Innovation Google Tech Term Backup Hardware Internet Microsoft User Tips Saving Money Business Cloud Computing BDR Business Continuity Software Internet of Things Ransomware Cybersecurity Communications IT Services Cybercrime Smartphones Android IT Support Communication Small Business Efficiency Managed IT Services Applications Chrome Workplace Tips Network Productivity Disaster Recovery Artificial Intelligence Browser Law Enforcement Managed IT How To Smartphone Computer IT Support Router Gadgets Business Management Windows 10 Phishing Avoiding Downtime Collaboration Windows Data Protection Virtualization Spam Mobile Device Management Save Money Two-factor Authentication Server Computers Money Blockchain BYOD Business Intelligence Information Data Security IT Management Miscellaneous Vulnerability Redundancy Remote Monitoring Upgrade App Social Media Training Compliance Facebook Connectivity Firewall Encryption Identity Theft Word Passwords Alert Apps Servers Proactive IT Analysis Productivity Bandwidth Telephone Systems Social Engineering Mobility Document Management Office 365 Employer-Employee Relationship Mobile Device Settings Work/Life Balance Managed Service OneNote CES Flexibility Sports IT Plan Voice over Internet Protocol Solid State Drive File Sharing Password Information Technology Windows 7 Private Cloud Machine Learning Comparison Data Breach Content Management Virtual Assistant Unsupported Software Scam Wi-Fi Data Storage Spam Blocking Automation Telephone System Paperless Office Access Control Update Value Operating System Smart Tech Credit Cards Budget Business Owner Microsoft Office Education Bring Your Own Device Fraud Holiday Data loss Unified Threat Management VPN Big Data Networking Infrastructure Keyboard Workers Mobile Computing Website Criminal HaaS Wire Google Docs SaaS Practices Safe Mode Amazon Screen Mirroring Cleaning Google Drive Accountants Remote Worker HVAC Windows Server 2008 Telecommuting Current Events Password Manager Storage Help Desk Digital Signature Electronic Health Records HBO Save Time Cables Administrator Professional Services webinar Business Technology Patch Management Wireless Audit Hosted Computing Virtual Private Network Sync Amazon Web Services Risk Management Cast Software as a Service Hard Drives Computer Care Wiring Enterprise Content Management Remote Work Windows 10 Knowledge Business Mangement Emails Proactive Outlook Unified Communications Devices Microchip Tools Computing Infrastructure Conferencing Smart Office Multi-Factor Security Virtual Reality Inventory Project Management Telephony Online Shopping Network Congestion Gmail Addiction Government Black Market Content Filtering Samsung IoT GDPR Password Management Regulations Instant Messaging Charger Public Cloud Strategy Remote Monitoring and Maintenance YouTube Frequently Asked Questions Specifications Hacking Augmented Reality Theft Downtime Thought Leadership Root Cause Analysis HIPAA Software Tips Trending Worker Commute Wireless Technology Cortana Computer Fan Warranty Skype Evernote Electronic Medical Records IT Consultant Recycling Cache Battery E-Commerce NIST Legal Entertainment Meetings Botnet Marketing USB Hacker Managed Service Provider Line of Business Excel Millennials The Internet of Things Google Apps Streaming Media Search Engine Remote Computing End of Support Human Resources Students Physical Security Lifestyle FENG Authentication Printer Start Menu Wireless Charging Leadership eWaste Wireless Internet Data Warehousing WiFi Windows 10s Insurance Camera Cryptocurrency Flash Travel Recovery PDF Netflix MSP Tip of the week Workforce Data Management Health Office Tips Content Filter Bing Users Staff Healthcare Technology Tips Fiber-Optic Nanotechnology Mouse Mobile Employer Employee Relationship Emergency Printers Customer Service Shadow IT Hosted Solution Mobile Office Files Experience Advertising Domains Office Computer Accessories Colocation Twitter Content Two Factor Authentication History Music Search Vendor Management Public Speaking Relocation CrashOverride Bluetooth Presentation Assessment Politics Techology Lithium-ion battery Audiobook Wearable Technology Webinar Humor Utility Computing Video Games Tech Support Internet Exlporer Transportation 5G Television User Error Books Safety IBM How to Hybrid Cloud IT solutions Company Culture Automobile Worker Regulation Benefits Public Computer Competition Hiring/Firing Loyalty Best Practice Customer Relationship Management Troubleshooting IP Address Managing Stress Scalability Fun Rootkit Internet exploMicrosoft Smart Technology Quick Tips

Mobile? Grab this Article!

QR-Code dieser Seite