
TaylorWorks Blog

Understanding the New NIST Guidelines for Password Security


The National Institute of Standards and Technology (NIST) has released Special Publication 800-63B, titled Digital Identity Guidelines. The document outlines major changes to the way password security should be approached, and it makes much of what network administrators and software developers have implemented in recent years outdated. Today, we'll take a look at the publication and try to make sense of the sudden change of course.

NIST is a non-regulatory federal agency that works under the umbrella of the U.S. Department of Commerce. Its mission is to promote U.S. innovation and competitiveness by advancing a uniform measurement standard. Many NIST guidelines become the foundation for best practices in data security. As a result, any publication they produce having to do with cyber or network security should be considered.

A Look at SP 800-63B
The newest password guidelines are a swift about-face in strategy compared to previous NIST suggestions. Instead of ensuring that every password meets some arbitrary set of complexity requirements, the new strategy is to let people create passwords that are easier to use and to remember. Here are some of the highlights:

  • Passwords should be compared against dictionaries and lists of commonly used passwords
  • Eliminate or reduce complexity rules for passwords
  • All printable characters allowed, including spaces
  • Password expiration no longer based on how long the password has been in use
  • Maximum password length increased to 64 characters

Basically, the new guidelines recommend longer passphrases over complex passwords: complex passwords are hard for people to remember, and even with complexity rules in place it was becoming increasingly easy for cracking algorithms to guess them (as the comic strip below illustrates).
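To make the highlights concrete, here is an added example (not code from TaylorWorks or from NIST) of a password acceptance check that follows the points above and the blacklist guidance discussed further down: a minimum and a 64-character maximum length, every printable character including spaces allowed, no composition rules, and a comparison against a blocklist of common passwords and single dictionary words. The blocklist and dictionary sets are constructed samples; a real deployment would load a much larger list of breached and common passwords.

```python
"""Password acceptance check modelled on the SP 800-63B highlights.

Added illustration only; the word lists below are small constructed samples.
"""
import unicodedata
from typing import Tuple

# Constructed sample of commonly used passwords (a real list would be much larger).
COMMON_PASSWORDS = {
    "password", "12345678", "qwertyui", "letmein1", "welcome1", "iloveyou",
}

# Constructed sample dictionary. Only a secret that IS a single dictionary word
# is rejected; a passphrase built from several words is exactly what we want.
DICTIONARY_WORDS = {"sunshine", "dragon", "princess", "football", "baseball"}

MIN_LENGTH = 8    # minimum for a user-chosen memorized secret
MAX_LENGTH = 64   # the page's "maximum length increased to 64 characters"


def normalize(secret: str) -> str:
    """NFKC-normalize so visually identical inputs compare equal.

    This also turns a non-breaking space into an ordinary space, so the
    length and printability checks see the same characters the user typed.
    """
    return unicodedata.normalize("NFKC", secret)


def check_password(secret: str) -> Tuple[bool, str]:
    """Return (accepted, reason).

    Deliberately enforces NO composition rules (no required digits, symbols
    or mixed case); strength comes from length and the blocklist instead.
    """
    secret = normalize(secret)

    # Length is counted in characters, not bytes, and never truncated.
    if len(secret) < MIN_LENGTH:
        return False, "too short"
    if len(secret) > MAX_LENGTH:
        return False, "too long"

    # Every printable character is allowed; spaces are printable, so a
    # multi-word passphrase passes. Tabs, newlines and control codes do not.
    if any(not ch.isprintable() for ch in secret):
        return False, "contains non-printable characters"

    # Blocklist comparison is case-insensitive so "Password" is still caught.
    lowered = secret.lower()
    if lowered in COMMON_PASSWORDS:
        return False, "commonly used password"
    if lowered in DICTIONARY_WORDS:
        return False, "single dictionary word"

    return True, "ok"


if __name__ == "__main__":
    for candidate in ["password", "Sunshine", "correct horse battery staple"]:
        print(repr(candidate), check_password(candidate))
```

Note the design choice in the dictionary check: the whole secret is compared against the dictionary, not each word inside it, because a passphrase made of several ordinary words is precisely what the new guidance favours. Rejecting any password that merely contains a dictionary word would reintroduce a complexity rule through the back door.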

[Comic strip image]

As stated before, NIST is not a regulatory organization, but federal agencies and contractors use NIST’s information in order to set up secure computing environments in which to display, store, and share sensitive unclassified information.

In making these changes to password strategy, NIST is now acknowledging what many industry professionals already knew: a password you can't remember may be secure, but if it is so secure that you have to rely on third-party software to use it, it isn't really that effective at mitigating risk. NIST now treats the passphrase strategy, combined with two-factor authentication, as the go-to risk management approach. SMS-based two-factor authentication was not mentioned in the final report, but it has come under scrutiny because it has contributed to multiple hacks in recent times.

NIST also explicitly directs network administrators to forbid commonly used passwords, effectively creating a blacklist of passwords. The new guidelines also suggest that users shouldn't be offered password hints or knowledge-based authentication options, a practice that is still common among banking and FinTech applications to this day. We'll see whether these companies change their practices as the new NIST guidelines become best practices.

If you are looking for more information about best password practices and data security, the IT experts at TaylorWorks are here to help. Call us today at 407-478-6600 to have your password strategy assessed by the professionals.

Comic by XKCD.
