window._mfq = window._mfq || []; (function() { var mf = document.createElement("script"); mf.type = "text/javascript"; mf.async = true; mf.src = "//"; document.getElementsByTagName("head")[0].appendChild(mf); })();
407-478-6600    Get SUPPORT

TaylorWorks Blog

Understanding the New NIST Guidelines for Password Security

Understanding the New NIST Guidelines for Password Security

The National Institute for Standards and Technology (NIST) has released Special Publication 800-63B, titled Digital Identity Guidelines. The document outlines major changes to the ways password security should be approached and leaves a lot of what network administrators and software developers have implemented recently to be wrong Today, we’ll take a look at the publication, and try to make sense of the sudden change of course.

NIST is a non-regulatory federal agency that works under the umbrella of the U.S. Department of Commerce. Its mission is to promote U.S. innovation and competitiveness by advancing a uniform measurement standard. Many NIST guidelines become the foundation for best practices in data security. As a result, any publication they produce having to do with cyber or network security should be considered.

A Look at SP 800-63B
The newest password guidelines are a swift about-face in strategy as compared to previous NIST suggestions. Instead of a strategy of ensuring that all passwords meet some type of arbitrary complexity requirements, the new strategy is to create passwords that are easier and more intuitive. Here are some of the highlights:

  • Passwords should be compared to dictionaries and commonly-used passwords
  • Eliminate or reduce complexity rules for passwords
  • All printable characters allowed, including spaces
  • Expiration of passwords no longer based on time password has been in use
  • Maximum length increased to 64 characters.

Basically, the new guidelines recommend longer passphrases to the complex passwords as they are hard for people to remember, and even with complexity rules in place, it was becoming increasingly easy for algorithms to crack passwords (seen in the comic strip below).

ib nist cartoon 1

As stated before, NIST is not a regulatory organization, but federal agencies and contractors use NIST’s information in order to set up secure computing environments in which to display, store, and share sensitive unclassified information.

In making these changes to password strategy, NIST is now considering the fact that many industry professionals knew: a password you can’t remember may be secure, but if it’s so secure that you have to rely on third-party software to utilize it, it’s not really that effective at mitigating risk. NIST now looks at the passphrase strategy, along with two-factor authentication as the go-to risk management strategy. SMS-based two-factor authentication was not mentioned in the final report but has come under scrutiny as it has contributed to multiple hacks in recent times.

The NIST also explicitly commands that network administrators be mindful to forbid commonly used passwords; effectively creating a blacklist of passwords. The new guidelines also suggest that users shouldn’t be using the password hints or knowledge-based authentication options; a common practice among banking and FinTech applications to this day. We’ll see if there is a strategic alteration in these companies’ practices as the new NIST guidelines become best practices.

If you are looking for more information about best password practices and data security, the IT experts at TaylorWorks are here to help. Call us today at 407-478-6600 to have your password strategy assessed by the professionals.

Comic by XKCD.

Cryptomining is Inspiring Cybercrime
Know Your Tech: CMS


No comments made yet. Be the first to submit a comment
Already Registered? Login Here
Tuesday, August 21 2018
If you'd like to register, please fill in the username, password and name fields.

Captcha Image

Newsletter Sign Up

  • Company Name *
  • First Name *
  • Last Name *

      Tag Cloud

      Tip of the Week Security Technology Cloud Best Practices Managed IT Services Network Security Privacy Business Computing Data Backup Email Hackers VoIP Malware Data Recovery Hosted Solutions Outsourced IT Backup Tech Term Mobile Devices Microsoft Google Data Software Cloud Computing Saving Money Business Continuity Internet of Things Innovation IT Support BDR Hardware Cybersecurity Internet Efficiency Small Business Android User Tips Ransomware Smartphones Disaster Recovery Communications IT Services Cybercrime Network Business Router Artificial Intelligence Managed IT Services Communication Applications Law Enforcement Gadgets Managed IT How To Money Data Protection Productivity Mobile Device Management IT Support BYOD Two-factor Authentication Business Management Business Intelligence Collaboration Avoiding Downtime Windows Phishing Chrome Virtualization Browser Data Security Smartphone Computers Social Media Connectivity Alert Spam Telephone Systems Identity Theft Bandwidth Proactive IT Word Mobility Computer Social Engineering Passwords Document Management Blockchain Apps Windows 10 Analysis Remote Monitoring Vulnerability Compliance Productivity App Facebook Save Money Redundancy Office 365 IT Management Data Breach Server Miscellaneous Upgrade Spam Blocking IT Plan Windows 7 File Sharing Automation CES Comparison Encryption Machine Learning Value Operating System Business Owner Unsupported Software Education Bring Your Own Device Wi-Fi Data Storage Holiday Content Management Servers Credit Cards Access Control Networking Update Mobile Device Paperless Office Smart Tech Employer-Employee Relationship Work/Life Balance Workers Budget Microsoft Office Firewall OneNote Solid State Drive Data loss Training Flexibility VPN Information Technology Infrastructure Big Data Password Information Private Cloud Website Windows Server 2008 Telecommuting Black Market Content Filtering Practices Safe Mode Screen Mirroring Criminal Wire Emails Computing Infrastructure Accountants HVAC Professional Services Hacking Password Manager Storage Conferencing Managed Service HBO Instant Messaging Electronic Health Records Samsung Public Cloud Sync Amazon Web Services Worker Commute Cables Network Congestion Business Technology Voice over Internet Protocol HIPAA Digital Signature Remote Work Battery Hosted Computing Cortana Wireless Downtime Cast Software as a Service Legal Entertainment Sports Charger USB Enterprise Content Management Computer Fan Tools Business Mangement Windows 10 Proactive Outlook Managed Service Provider Telephony Online Shopping Unified Communications Devices Electronic Medical Records IT Consultant Virtual Assistant Multi-Factor Security Remote Computing Regulations Inventory Government Smart Office End of Support Specifications Recovery IoT Password Management FENG Root Cause Analysis Data Management Gmail Addiction Remote Monitoring and Maintenance Frequently Asked Questions Strategy YouTube Windows 10s PDF Skype Evernote Theft Thought Leadership Leadership Health Augmented Reality Office Tips Telephone System Software Tips Trending Keyboard Wireless Technology Technology Tips Unified Threat Management Netflix Excel Millennials NIST Meetings Botnet Recycling Cache HaaS Line of Business Marketing SaaS Hacker Google Drive Start Menu Wireless Charging Save Time Google Apps Streaming Media The Internet of Things Physical Security Lifestyle Settings Flash Fraud Patch Management Authentication Current Events Data Warehousing Risk Management Human Resources Students Cleaning Tip of the week Workforce Insurance Cryptocurrency Travel eWaste Wireless Internet MSP Hard Drives Audit Mobile Content Filter webinar Mobile Computing Workplace Tips Users Computer Care Amazon Virtual Reality Scam Fiber-Optic Nanotechnology Knowledge Google Docs Staff Healthcare CrashOverride Audiobook Vendor Management Customer Service Remote Worker Wearable Technology Assessment Mobile Office Bluetooth Techology Transportation Domains Humor Video Games Wiring Books Webinar Internet Exlporer How to Television Automobile Twitter User Error Hybrid Cloud Benefits Public Speaking Presentation Best Practice IT solutions Troubleshooting Public Computer Hiring/Firing Lithium-ion battery Worker Loyalty Smart Technology Scalability Emergency 5G Quick Tips Fun Tech Support Internet exploMicrosoft Shadow IT Hosted Solution Safety Rootkit IBM Company Culture Employer Employee Relationship Files Regulation Experience Advertising Office WiFi Competition Content Customer Relationship Management Colocation Managing Stress IP Address Computer Accessories History Music Search Two Factor Authentication Relocation Politics

      Mobile? Grab this Article!

      QR-Code dieser Seite