(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){ (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o), m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m) })(window,document,'script','https://www.google-analytics.com/analytics.js','ga'); ga('create', 'UA-78946278-1', 'auto'); ga('send', 'pageview');
407-478-6600    Get SUPPORT

TaylorWorks Blog

TaylorWorks has been serving the Longwood area since 1999, providing IT Support such as technical helpdesk support, computer support, and consulting to small and medium-sized businesses.

Understanding the New NIST Guidelines for Password Security

Understanding the New NIST Guidelines for Password Security

The National Institute for Standards and Technology (NIST) has released Special Publication 800-63B, titled Digital Identity Guidelines. The document outlines major changes to the ways password security should be approached and leaves a lot of what network administrators and software developers have implemented recently to be wrong Today, we’ll take a look at the publication, and try to make sense of the sudden change of course.

NIST is a non-regulatory federal agency that works under the umbrella of the U.S. Department of Commerce. Its mission is to promote U.S. innovation and competitiveness by advancing a uniform measurement standard. Many NIST guidelines become the foundation for best practices in data security. As a result, any publication they produce having to do with cyber or network security should be considered.

A Look at SP 800-63B
The newest password guidelines are a swift about-face in strategy as compared to previous NIST suggestions. Instead of a strategy of ensuring that all passwords meet some type of arbitrary complexity requirements, the new strategy is to create passwords that are easier and more intuitive. Here are some of the highlights:

  • Passwords should be compared to dictionaries and commonly-used passwords
  • Eliminate or reduce complexity rules for passwords
  • All printable characters allowed, including spaces
  • Expiration of passwords no longer based on time password has been in use
  • Maximum length increased to 64 characters.

Basically, the new guidelines recommend longer passphrases to the complex passwords as they are hard for people to remember, and even with complexity rules in place, it was becoming increasingly easy for algorithms to crack passwords (seen in the comic strip below).

ib nist cartoon 1

As stated before, NIST is not a regulatory organization, but federal agencies and contractors use NIST’s information in order to set up secure computing environments in which to display, store, and share sensitive unclassified information.

In making these changes to password strategy, NIST is now considering the fact that many industry professionals knew: a password you can’t remember may be secure, but if it’s so secure that you have to rely on third-party software to utilize it, it’s not really that effective at mitigating risk. NIST now looks at the passphrase strategy, along with two-factor authentication as the go-to risk management strategy. SMS-based two-factor authentication was not mentioned in the final report but has come under scrutiny as it has contributed to multiple hacks in recent times.

The NIST also explicitly commands that network administrators be mindful to forbid commonly used passwords; effectively creating a blacklist of passwords. The new guidelines also suggest that users shouldn’t be using the password hints or knowledge-based authentication options; a common practice among banking and FinTech applications to this day. We’ll see if there is a strategic alteration in these companies’ practices as the new NIST guidelines become best practices.

If you are looking for more information about best password practices and data security, the IT experts at TaylorWorks are here to help. Call us today at 407-478-6600 to have your password strategy assessed by the professionals.

Comic by XKCD.

Cryptomining is Inspiring Cybercrime
Know Your Tech: CMS
 

Comments

No comments made yet. Be the first to submit a comment
Already Registered? Login Here
Guest
Friday, July 20 2018
If you'd like to register, please fill in the username, password and name fields.

Captcha Image

Newsletter Sign Up

  • Company Name *
  • First Name *
  • Last Name *

      Tag Cloud

      Tip of the Week Security Technology Cloud Best Practices Managed IT Services Network Security Privacy Business Computing Data Backup Hackers Malware VoIP Hosted Solutions Email Google Microsoft Outsourced IT Backup Mobile Devices Data Recovery Software Cloud Computing Saving Money Business Continuity Internet of Things Data Tech Term Innovation Cybersecurity IT Support Internet BDR Android Small Business Efficiency Cybercrime Disaster Recovery Communications Ransomware User Tips Business Communication Managed IT IT Services Smartphones Hardware Router Law Enforcement How To Virtualization Business Intelligence Money Managed IT Services Collaboration BYOD Artificial Intelligence Computers Productivity Smartphone Network Mobile Device Management Business Management Windows Two-factor Authentication Data Security Phishing Chrome Data Protection Avoiding Downtime Browser IT Support Bandwidth Document Management Alert Computer Vulnerability Compliance Social Engineering Save Money Office 365 Remote Monitoring Identity Theft Word Blockchain Proactive IT Mobility Telephone Systems Spam Applications Windows 10 Redundancy Apps Productivity Connectivity Gadgets App Employer-Employee Relationship Spam Blocking Data Storage Solid State Drive Password Upgrade Business Owner Holiday Value Paperless Office Private Cloud Social Media Operating System Smart Tech Update Analysis Mobile Device Server Networking Wi-Fi Workers VPN Passwords IT Management Firewall IT Plan CES Microsoft Office Windows 7 Website Unsupported Software Content Management Facebook Flexibility Information Technology Education Access Control Credit Cards Servers Bring Your Own Device Work/Life Balance Data loss Infrastructure OneNote Budget Data Breach Comparison Big Data Entertainment Samsung Smart Office Legal Online Shopping Telephony Users Downtime Automation Password Management Gmail IoT Government Thought Leadership Specifications Frequently Asked Questions Strategy Evernote USB Skype Root Cause Analysis NIST Recovery Recycling Wireless Streaming Media Millennials Windows 10 Excel Students Wireless Charging Public Cloud Start Menu Windows 10s Data Warehousing Meetings Cryptocurrency eWaste Insurance Content Filter Workforce Tip of the week Save Time Risk Management SaaS Healthcare Cortana Fiber-Optic Mobile Wireless Technology Current Events Safe Mode Criminal Practices Google Docs Storage Managed Service Provider Telecommuting Windows Server 2008 Accountants Training Electronic Health Records Cables PDF Hacker Professional Services Marketing Audit Knowledge File Sharing Black Market Hosted Computing Voice over Internet Protocol HaaS Remote Work Emails Hacking HIPAA Machine Learning Technology Tips Unified Communications Content Filtering Google Drive Tools Network Congestion Business Technology Battery Inventory Multi-Factor Security Charger Addiction Regulations Computer Fan YouTube Remote Computing Theft Software Tips IT Consultant Virtual Assistant Electronic Medical Records Trending Cache Hard Drives Computing Infrastructure Data Management FENG Google Apps Botnet Lifestyle Physical Security Leadership Telephone System Human Resources Authentication Unified Threat Management Wireless Internet Fraud Keyboard Flash Netflix Travel Mobile Computing Staff Nanotechnology Cleaning Wire Amazon End of Support Settings Screen Mirroring HVAC Workplace Tips Password Manager Patch Management Health The Internet of Things HBO webinar Virtual Reality Digital Signature Office Tips Computer Care Sports Amazon Web Services Sync Cast Enterprise Content Management Business Mangement Scam Software as a Service Devices Outlook Conferencing Worker Commute Encryption Wearable Technology Advertising How to Transportation Miscellaneous History Best Practice Benefits Techology Search Worker Loyalty Troubleshooting Presentation Shadow IT Smart Technology WiFi User Error Rootkit Hosted Solution Hybrid Cloud 5G IBM Politics Two Factor Authentication Quick Tips Twitter Customer Relationship Management Vendor Management Assessment Video Games IP Address Colocation Customer Service Webinar Automobile Television Office Books Mobile Office Domains IT solutions Public Computer Company Culture Scalability Relocation Public Speaking Internet Exlporer Managing Stress Humor Emergency Lithium-ion battery Employer Employee Relationship Augmented Reality Experience Tech Support Content Safety Computer Accessories Audiobook Hiring/Firing Music Internet exploMicrosoft Competition CrashOverride Instant Messaging Fun Files Bluetooth

      Mobile? Grab this Article!

      QR-Code dieser Seite