
TaylorWorks Blog

Understanding the New NIST Guidelines for Password Security

The National Institute of Standards and Technology (NIST) has released Special Publication 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management. The document makes major changes to the way password security should be approached, and it reverses much of what network administrators and software developers have implemented in recent years. Today, we'll take a look at the publication and try to make sense of the sudden change of course.

NIST is a non-regulatory federal agency that works under the umbrella of the U.S. Department of Commerce. Its mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology. Many NIST guidelines become the foundation for best practices in data security, so any NIST publication dealing with cyber or network security deserves a careful read.

A Look at SP 800-63B
The newest password guidelines are a swift about-face compared with previous NIST suggestions. Instead of requiring that every password satisfy some set of arbitrary complexity rules, the new strategy is to let users choose passwords that are longer and easier to remember, and to screen those passwords against lists of known-bad values. Here are some of the highlights:

  • Passwords should be compared against dictionaries, lists of commonly used passwords, and passwords exposed in previous breaches
  • Eliminate complexity (composition) rules such as "must contain an uppercase letter, a digit and a symbol"
  • All printable characters allowed, including spaces; Unicode characters should be accepted as well
  • Passwords should no longer expire just because they have been in use for a set time; a change is required only when there is evidence of compromise
  • Verifiers should accept passwords of at least 64 characters (the minimum length is 8), and must never silently truncate what the user typed

Basically, the new guidelines favor long passphrases over complex passwords. Complex passwords are hard for people to remember, and because users satisfy complexity rules in predictable ways (capitalizing the first letter, swapping "a" for "@", tacking a digit on the end), password-cracking tools model those same patterns, so the rules buy far less security than they appear to. The comic strip below makes the point.

[Image: comic strip on password strength]

As stated before, NIST is not a regulatory organization, but federal agencies and their contractors rely on NIST publications to set up secure computing environments in which to display, store, and share sensitive unclassified information.

In making these changes to password strategy, NIST is acknowledging what many industry professionals already knew: a password you can't remember may be strong on paper, but if it is so strong that you need third-party software just to use it, it is not really that effective at mitigating risk. NIST now treats the passphrase strategy, combined with two-factor authentication, as the go-to risk management approach. SMS-based two-factor authentication did survive in the final publication, but only as a "restricted" authenticator (an earlier draft had proposed deprecating it), because codes sent over the phone network can be intercepted or redirected, and that weakness has contributed to multiple account takeovers in recent years.

NIST also explicitly requires verifiers to reject commonly used passwords, effectively mandating a password blocklist: dictionary words, values from previous breaches, repetitive or sequential strings such as "aaaaaa" or "1234abcd", and context-specific words such as the user's name or the name of the service. The guidelines further state that verifiers should not offer password hints that an unauthenticated person can see, and should not steer users toward knowledge-based authentication questions (for example, "What was the name of your first pet?"), a practice still common among banking and FinTech applications to this day. We'll see whether these companies change course as the new NIST guidelines become best practices.
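The verifier-side rules in the highlight list above and the blocklist requirement in this paragraph, implemented as an added Python example (this is not code from the TaylorWorks post or from NIST). The ten-entry BLOCKLIST is a constructed stand-in for the large dictionary and breach lists a real verifier would load; the username and service parameters are hypothetical context values used to reject context-specific words; NFKC normalization before comparison follows the recommendation in SP 800-63B section 5.1.1.2. The small guess_space_bits helper carries through the passphrase arithmetic the comic illustrates.

```python
"""Memorized-secret acceptance checks modelled on NIST SP 800-63B section 5.1.1.2.

Added example for this article; not code from TaylorWorks or from NIST.
"""
import math
import re
import unicodedata
from typing import Tuple

# Constructed ten-entry blocklist standing in for the multi-million-entry
# dictionary and breach-corpus lists a production verifier would load.
BLOCKLIST = {
    "password", "password1", "123456", "qwerty", "letmein",
    "iloveyou", "admin", "welcome", "monkey", "dragon",
}

MIN_LEN = 8    # 800-63B: user-chosen secrets must be at least 8 characters
MAX_LEN = 64   # 800-63B: verifiers should accept at least 64; never truncate


def normalize(secret: str) -> str:
    """NFKC-normalize so equivalent Unicode input maps to one canonical secret."""
    return unicodedata.normalize("NFKC", secret)


def is_repetitive_or_sequential(s: str) -> bool:
    """Flag strings such as 'aaaaaaaa' or '1234abcd', the examples 800-63B gives."""
    if re.search(r"(.)\1{3,}", s):          # four or more identical characters in a row
        return True
    for step in (1, -1):                     # ascending (abcd, 1234) or descending (dcba)
        run = 1
        for a, b in zip(s, s[1:]):
            run = run + 1 if ord(b) - ord(a) == step else 1
            if run >= 4:
                return True
    return False


def check_memorized_secret(secret: str, username: str = "", service: str = "") -> Tuple[bool, str]:
    """Return (accepted, reason).

    Only length, character-class and blocklist checks are applied; there are
    deliberately no composition rules (uppercase/digit/symbol requirements).
    `username` and `service` are hypothetical context values used to reject
    context-specific words, as 800-63B requires.
    """
    s = normalize(secret)
    if len(s) < MIN_LEN:
        return False, "too short: minimum is 8 characters"
    if len(s) > MAX_LEN:
        return False, "too long: limit is 64 characters (reject, do not truncate)"
    # Every printable character including space is allowed; only control,
    # format, surrogate and unassigned code points (Unicode category C*) are rejected.
    if any(unicodedata.category(ch).startswith("C") for ch in s):
        return False, "control or non-printable characters are not permitted"
    low = s.lower()
    if low in BLOCKLIST:
        return False, "found on the blocklist of common and breached passwords"
    if is_repetitive_or_sequential(low):
        return False, "repetitive or sequential characters"
    for ctx in (username, service):
        if len(ctx) >= 3 and ctx.lower() in low:
            return False, f"contains context-specific word {ctx!r}"
    return True, "accepted"


def guess_space_bits(words: int, wordlist_size: int) -> float:
    """Entropy in bits of a passphrase of `words` words drawn uniformly from a list."""
    return words * math.log2(wordlist_size)


if __name__ == "__main__":
    for pw in ("correct horse battery staple", "Tr0ub4dor&3", "password1",
               "1234abcd", "short", "alice in wonderland 2018"):
        print(f"{pw!r}: {check_memorized_secret(pw, username='alice')}")
    print(f"4 words from a 2048-word list: {guess_space_bits(4, 2048):.0f} bits")
```

Note that "Tr0ub4dor&3" is accepted: under these rules a verifier neither demands nor rewards leetspeak, and the only things that get a password rejected are being too short, being unprintable, or matching something attackers already try first. In production the blocklist comparison should run against the full breach corpus, and the secret must then be stored only as a salted, slow hash.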

If you are looking for more information about best password practices and data security, the IT experts at TaylorWorks are here to help. Call us today at 407-478-6600 to have your password strategy assessed by the professionals.

Comic by XKCD.
