window._mfq = window._mfq || []; (function() { var mf = document.createElement("script"); mf.type = "text/javascript"; mf.async = true; mf.src = "//cdn.mouseflow.com/projects/0148bb62-7ff8-46ae-a466-bf3fd13c7d09.js"; document.getElementsByTagName("head")[0].appendChild(mf); })();
407-478-6600    Get SUPPORT

TaylorWorks Blog

Understanding the New NIST Guidelines for Password Security

Understanding the New NIST Guidelines for Password Security

The National Institute for Standards and Technology (NIST) has released Special Publication 800-63B, titled Digital Identity Guidelines. The document outlines major changes to the ways password security should be approached and leaves a lot of what network administrators and software developers have implemented recently to be wrong Today, we’ll take a look at the publication, and try to make sense of the sudden change of course.

NIST is a non-regulatory federal agency that works under the umbrella of the U.S. Department of Commerce. Its mission is to promote U.S. innovation and competitiveness by advancing a uniform measurement standard. Many NIST guidelines become the foundation for best practices in data security. As a result, any publication they produce having to do with cyber or network security should be considered.

A Look at SP 800-63B
The newest password guidelines are a swift about-face in strategy as compared to previous NIST suggestions. Instead of a strategy of ensuring that all passwords meet some type of arbitrary complexity requirements, the new strategy is to create passwords that are easier and more intuitive. Here are some of the highlights:

  • Passwords should be compared to dictionaries and commonly-used passwords
  • Eliminate or reduce complexity rules for passwords
  • All printable characters allowed, including spaces
  • Expiration of passwords no longer based on time password has been in use
  • Maximum length increased to 64 characters.

Basically, the new guidelines recommend longer passphrases to the complex passwords as they are hard for people to remember, and even with complexity rules in place, it was becoming increasingly easy for algorithms to crack passwords (seen in the comic strip below).

ib nist cartoon 1

As stated before, NIST is not a regulatory organization, but federal agencies and contractors use NIST’s information in order to set up secure computing environments in which to display, store, and share sensitive unclassified information.

In making these changes to password strategy, NIST is now considering the fact that many industry professionals knew: a password you can’t remember may be secure, but if it’s so secure that you have to rely on third-party software to utilize it, it’s not really that effective at mitigating risk. NIST now looks at the passphrase strategy, along with two-factor authentication as the go-to risk management strategy. SMS-based two-factor authentication was not mentioned in the final report but has come under scrutiny as it has contributed to multiple hacks in recent times.

The NIST also explicitly commands that network administrators be mindful to forbid commonly used passwords; effectively creating a blacklist of passwords. The new guidelines also suggest that users shouldn’t be using the password hints or knowledge-based authentication options; a common practice among banking and FinTech applications to this day. We’ll see if there is a strategic alteration in these companies’ practices as the new NIST guidelines become best practices.

If you are looking for more information about best password practices and data security, the IT experts at TaylorWorks are here to help. Call us today at 407-478-6600 to have your password strategy assessed by the professionals.

Comic by XKCD.

Cryptomining is Inspiring Cybercrime
Know Your Tech: CMS
 

Comments

No comments made yet. Be the first to submit a comment
Already Registered? Login Here
Guest
Wednesday, February 20 2019
If you'd like to register, please fill in the username, password and name fields.

Captcha Image

Tag Cloud

Tip of the Week Security Technology Network Security Best Practices Cloud Business Computing Data Backup Privacy Hosted Solutions Managed IT Services Hackers Data Recovery Malware Mobile Devices VoIP Email Data Google User Tips Outsourced IT Innovation Internet of Things Tech Term Backup Cloud Computing Internet Microsoft Communications Productivity Business Continuity Hardware IT Services Saving Money Business Efficiency Artificial Intelligence BDR Software Cybersecurity Smartphones Communication Small Business Ransomware Smartphone IT Support Router Cybercrime Disaster Recovery Android IT Support Managed IT Services Business Management Windows 10 Network Chrome Applications Workplace Tips Gadgets Browser Phishing Mobile Device Collaboration How To Law Enforcement Computer Managed IT Office 365 Server Holiday Money Access Control Mobility Blockchain Data Security Spam Training Mobile Device Management BYOD Windows Data Protection Two-factor Authentication Information Save Money Computers Avoiding Downtime Word Proactive IT Business Intelligence Encryption Virtualization Telephone Systems Miscellaneous Private Cloud Upgrade Vulnerability Social Media Document Management Settings IT Management Analysis Redundancy Alert Wi-Fi Compliance Voice over Internet Protocol Social Engineering Firewall Passwords Software as a Service Automation Apps Managed Service Productivity Identity Theft Connectivity App File Sharing Remote Monitoring Bandwidth Facebook Machine Learning Servers Virtual Assistant Password Website Information Technology Botnet Content Management Networking Business Owner Unified Threat Management Education Bring Your Own Device Fraud Workers Paperless Office Telephone System Data loss Keyboard Mobile Computing Smart Tech Google Docs OneNote Human Resources Work/Life Balance Save Time IT Plan Data Breach VPN Infrastructure Healthcare Windows 7 Comparison Spam Blocking Health Unsupported Software Scam Telephony Employer-Employee Relationship Hacker Data Storage Microsoft Office Google Drive Budget Value CES Operating System Sports Business Technology Update Flexibility Big Data Credit Cards Solid State Drive Employee/Employer Relationship USB Excel Millennials Leadership Inventory Project Management Hard Drives Users Meetings Windows 10s Smart Office Remote Computing Physical Security Lifestyle IoT Password Management GDPR Start Menu Wireless Charging Gmail Netflix Addiction eCommerce Data Warehousing WiFi Strategy YouTube Remote Monitoring and Maintenance Computing Infrastructure Flash Theft Thought Leadership Smartwatch Recovery Tip of the week Workforce Warranty Data Management Travel SaaS Wireless Current Events NIST E-Commerce Public Cloud Mobile Cleaning Recycling Cache Social Line of Business File Versioning Windows 10 Amazon Google Apps Streaming Media Search Engine Cortana Audit Students Employee Windows Server 2008 Telecommuting webinar Authentication Printer Screen Mirroring HBO Knowledge Insurance Cryptocurrency Camera Managed Service Provider Professional Services Computer Care eWaste Wireless Internet Vendor MSP Multiple Versions End of Support Patch Management Sync Amazon Web Services Emails Content Filter Bing Risk Management Staff Digital Signage Augmented Reality Remote Work Fiber-Optic Conferencing Nanotechnology Mouse Cast Office Tips Wireless Technology Outlook Network Congestion Practices Safe Mode PDF Tools Samsung Criminal Wire Display Multi-Factor Security Accountants Downtime HVAC Remote Worker Restore Data Virtual Reality Online Shopping Charger Password Manager Storage Help Desk Technology Tips Digital Signature Computer Fan Electronic Health Records Google Search HaaS Black Market Content Filtering The Internet of Things Regulations Cables Administrator Marketing Government Security Cameras Instant Messaging Frequently Asked Questions Specifications Electronic Medical Records IT Consultant Hosted Computing Virtual Private Network Hacking Root Cause Analysis Software Tips Trending Enterprise Content Management Wiring Backup and Disaster Recovery Worker Commute Skype Evernote Business Mangement Shortcuts HIPAA FENG Proactive Battery Unified Communications Devices Microchip Legal Entertainment History How to Automobile Loyalty Search Benefits Customer Service Relocation ISP Rootkit Utility Computing Best Practice Mobile Office Techology Troubleshooting Domains Employer Employee Relationship Scalability Smart Technology Humor Company Culture Internet Exlporer Emergency Regulation User Error Shadow IT Hosted Solution Public Speaking Computer Accessories Experience Presentation Two Factor Authentication Hybrid Cloud CrashOverride Managing Stress Vendor Management Lithium-ion battery Assessment Bluetooth Hiring/Firing Content Music 5G Printers Tech Support Safety Fun Internet exploMicrosoft IBM Webinar Quick Tips Politics Television Audiobook Files Wearable Technology Competition Advertising Transportation Customer Relationship Management IT solutions Twitter Office Video Games Public Computer Net Neutrality Colocation Books Worker IP Address

Mobile? Grab this Article!

QR-Code dieser Seite