window._mfq = window._mfq || []; (function() { var mf = document.createElement("script"); mf.type = "text/javascript"; mf.async = true; mf.src = "//cdn.mouseflow.com/projects/0148bb62-7ff8-46ae-a466-bf3fd13c7d09.js"; document.getElementsByTagName("head")[0].appendChild(mf); })();
407-478-6600    Get SUPPORT

TaylorWorks Blog

Understanding the New NIST Guidelines for Password Security

Understanding the New NIST Guidelines for Password Security

The National Institute for Standards and Technology (NIST) has released Special Publication 800-63B, titled Digital Identity Guidelines. The document outlines major changes to the ways password security should be approached and leaves a lot of what network administrators and software developers have implemented recently to be wrong Today, we’ll take a look at the publication, and try to make sense of the sudden change of course.

NIST is a non-regulatory federal agency that works under the umbrella of the U.S. Department of Commerce. Its mission is to promote U.S. innovation and competitiveness by advancing a uniform measurement standard. Many NIST guidelines become the foundation for best practices in data security. As a result, any publication they produce having to do with cyber or network security should be considered.

A Look at SP 800-63B
The newest password guidelines are a swift about-face in strategy as compared to previous NIST suggestions. Instead of a strategy of ensuring that all passwords meet some type of arbitrary complexity requirements, the new strategy is to create passwords that are easier and more intuitive. Here are some of the highlights:

  • Passwords should be compared to dictionaries and commonly-used passwords
  • Eliminate or reduce complexity rules for passwords
  • All printable characters allowed, including spaces
  • Expiration of passwords no longer based on time password has been in use
  • Maximum length increased to 64 characters.

Basically, the new guidelines recommend longer passphrases to the complex passwords as they are hard for people to remember, and even with complexity rules in place, it was becoming increasingly easy for algorithms to crack passwords (seen in the comic strip below).

ib nist cartoon 1

As stated before, NIST is not a regulatory organization, but federal agencies and contractors use NIST’s information in order to set up secure computing environments in which to display, store, and share sensitive unclassified information.

In making these changes to password strategy, NIST is now considering the fact that many industry professionals knew: a password you can’t remember may be secure, but if it’s so secure that you have to rely on third-party software to utilize it, it’s not really that effective at mitigating risk. NIST now looks at the passphrase strategy, along with two-factor authentication as the go-to risk management strategy. SMS-based two-factor authentication was not mentioned in the final report but has come under scrutiny as it has contributed to multiple hacks in recent times.

The NIST also explicitly commands that network administrators be mindful to forbid commonly used passwords; effectively creating a blacklist of passwords. The new guidelines also suggest that users shouldn’t be using the password hints or knowledge-based authentication options; a common practice among banking and FinTech applications to this day. We’ll see if there is a strategic alteration in these companies’ practices as the new NIST guidelines become best practices.

If you are looking for more information about best password practices and data security, the IT experts at TaylorWorks are here to help. Call us today at 407-478-6600 to have your password strategy assessed by the professionals.

Comic by XKCD.

Cryptomining is Inspiring Cybercrime
Know Your Tech: CMS
 

Comments

No comments made yet. Be the first to submit a comment
Already Registered? Login Here
Guest
Thursday, October 18 2018
If you'd like to register, please fill in the username, password and name fields.

Captcha Image

Tag Cloud

Tip of the Week Security Technology Network Security Cloud Best Practices Privacy Managed IT Services Business Computing Hackers Data Backup Email Malware VoIP Data Hosted Solutions Outsourced IT Data Recovery Mobile Devices Tech Term Google Microsoft Innovation Backup Internet Software Business Continuity Internet of Things Saving Money Cloud Computing IT Services Hardware Ransomware BDR Communication Small Business Cybersecurity IT Support Efficiency User Tips Android Communications Smartphones Applications Browser Disaster Recovery Cybercrime Artificial Intelligence Productivity Computer Network Gadgets Managed IT Services Router Windows 10 Law Enforcement Managed IT Business Workplace Tips How To Two-factor Authentication Data Protection Virtualization IT Support Smartphone Money Business Management Collaboration BYOD Windows Business Intelligence Phishing Chrome Save Money Computers Data Security Mobile Device Management Avoiding Downtime Facebook Passwords Telephone Systems Apps Server Connectivity Identity Theft Bandwidth Mobility Proactive IT Productivity Information Document Management Word Alert Compliance Office 365 Vulnerability Miscellaneous Blockchain Social Engineering Upgrade Firewall Social Media Training Spam Analysis Redundancy IT Management App Remote Monitoring VPN Wi-Fi Infrastructure Flexibility IT Plan Solid State Drive Spam Blocking Password Automation Information Technology Windows 7 Business Owner Private Cloud Comparison Education Bring Your Own Device Holiday Unsupported Software Value Operating System CES Sports Data Storage File Sharing Budget Microsoft Office Keyboard Encryption Machine Learning Mobile Device Servers Credit Cards Content Management Networking Work/Life Balance Update Unified Threat Management Big Data Managed Service Website Workers Fraud Paperless Office Access Control Settings OneNote Data loss Smart Tech Virtual Assistant Scam Mobile Computing Employer-Employee Relationship Data Breach Telephone System Worker Commute E-Commerce Professional Services Conferencing HIPAA HBO Content Filter Sync Amazon Web Services Staff Healthcare Network Congestion Legal Entertainment Voice over Internet Protocol Fiber-Optic Nanotechnology Samsung Battery Line of Business Criminal Wire Downtime Printer Cast Software as a Service Hard Drives Practices Safe Mode Charger Augmented Reality USB Remote Work Computer Fan Camera Tools Accountants HVAC Wireless Technology Remote Computing Outlook Password Manager Storage MSP Telephony Online Shopping Digital Signature Computing Infrastructure Electronic Health Records Electronic Medical Records IT Consultant Multi-Factor Security Cables Marketing Hacker Data Management Mouse Government Hosted Computing The Internet of Things Recovery Regulations FENG Root Cause Analysis Public Cloud Enterprise Content Management Frequently Asked Questions Specifications Business Mangement Remote Worker Skype Evernote Leadership Software Tips Trending Unified Communications Cortana Devices Windows 10s Smart Office Inventory Netflix Gmail Addiction Users Save Time Virtual Private Network Meetings Botnet Managed Service Provider IoT Password Management Business Technology Excel Millennials Wiring Patch Management Start Menu Wireless Charging Strategy End of Support YouTube Risk Management Physical Security Lifestyle Theft Thought Leadership SaaS Flash Current Events Data Warehousing Cleaning Proactive Recycling Health Cache Office Tips Project Management Travel PDF NIST Tip of the week Workforce Audit Virtual Reality GDPR Mobile webinar Wireless Google Apps Technology Tips Streaming Media Amazon Human Resources Students HaaS Knowledge Google Docs Authentication Computer Care Windows 10 Black Market Remote Monitoring and Maintenance Content Filtering eWaste Wireless Internet Hacking Warranty Screen Mirroring Insurance Google Drive Cryptocurrency Emails Instant Messaging Windows Server 2008 Telecommuting Assessment Transportation Advertising Managing Stress Bluetooth Presentation Video Games Office Colocation Lithium-ion battery Books History Automobile Webinar How to Regulation Television Tech Support Benefits Search 5G Relocation Safety Best Practice IBM Techology IT solutions Troubleshooting Twitter Public Computer Printers Smart Technology Worker Scalability Humor Emergency Internet Exlporer Competition Loyalty Customer Relationship Management User Error IP Address Shadow IT Hosted Solution Hybrid Cloud Rootkit Experience Customer Service Employer Employee Relationship Mobile Office Content WiFi Hiring/Firing Domains Music Fun Internet exploMicrosoft Company Culture Computer Accessories Politics Quick Tips Two Factor Authentication Audiobook Files CrashOverride Vendor Management Public Speaking Wearable Technology

Mobile? Grab this Article!

QR-Code dieser Seite