
Understanding the New NIST Guidelines for Password Security


The National Institute of Standards and Technology (NIST) has released Special Publication 800-63B, titled Digital Identity Guidelines. The document outlines major changes to the way password security should be approached, and it leaves much of what network administrators and software developers have implemented in recent years looking wrong. Today, we’ll take a look at the publication and try to make sense of the sudden change of course.

NIST is a non-regulatory federal agency that works under the umbrella of the U.S. Department of Commerce. Its mission is to promote U.S. innovation and competitiveness by advancing uniform measurement standards. Many NIST guidelines become the foundation for best practices in data security. As a result, any publication it produces having to do with cyber or network security is worth considering.

A Look at SP 800-63B
The newest password guidelines are a swift about-face in strategy compared to previous NIST suggestions. Instead of ensuring that all passwords meet some type of arbitrary complexity requirement, the new strategy is to allow passwords that are easier and more intuitive for people to use. Here are some of the highlights:

  • Passwords should be compared to dictionaries and lists of commonly-used passwords
  • Eliminate or reduce complexity rules for passwords
  • All printable characters allowed, including spaces
  • Expiration of passwords no longer based on how long the password has been in use
  • Maximum length increased to 64 characters

Basically, the new guidelines recommend longer passphrases over complex passwords: complex passwords are hard for people to remember, and even with complexity rules in place, it was becoming increasingly easy for cracking algorithms to guess them (as shown in the comic strip below).
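To make the highlights above concrete, here is an added example (not code from the article or from NIST) of a password acceptance check that follows the SP 800-63B approach: a blocklist comparison, every printable character including spaces accepted, a length cap of 64, and no composition rules. It goes slightly beyond the list above by also applying Unicode normalization and rejecting context-specific words (username, service name), both of which SP 800-63B also calls for; the blocklist and minimum length of 8 are assumptions standing in for a real breached-password list and the publication's stated minimum.

```python
import unicodedata
from typing import Iterable, List

# Constructed sample blocklist standing in for a real dictionary / breached-
# password list; a deployment would load a large list from disk.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "iloveyou", "admin", "welcome",
}

MIN_LEN = 8    # SP 800-63B minimum for user-chosen memorized secrets
MAX_LEN = 64   # verifiers must accept at least this many characters


def normalize(secret: str) -> str:
    """NFKC-normalize so visually identical Unicode input compares equally
    (SP 800-63B recommends NFKC or NFKD before the secret is processed)."""
    return unicodedata.normalize("NFKC", secret)


def check_password(candidate: str, context_words: Iterable[str] = ()) -> List[str]:
    """Return the reasons the candidate is rejected; an empty list means accepted.
    Deliberately no uppercase/digit/symbol composition rules."""
    secret = normalize(candidate)
    problems: List[str] = []
    # Length is counted in Unicode code points, not bytes, so accented or
    # non-Latin passphrases are not penalised.
    if len(secret) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(secret) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    # All printable characters, including the space, are allowed; only
    # control characters (Unicode category C*) are rejected.
    if any(unicodedata.category(ch).startswith("C") for ch in secret):
        problems.append("contains control characters")
    lowered = secret.lower()
    # Case-insensitive comparison against the commonly-used / breached list.
    if lowered in COMMON_PASSWORDS:
        problems.append("appears in the commonly-used password list")
    # Context-specific words (username, service name) are rejected as well.
    for word in context_words:
        if word and word.lower() in lowered:
            problems.append(f"contains context-specific word '{word}'")
    return problems


if __name__ == "__main__":
    for pw in ("correct horse battery staple", "Tr0ub4dor&3", "password", "short"):
        print(repr(pw), "->", check_password(pw) or "accepted")
```

Note that both the long spaced passphrase and the short "complex" password pass: the check filters known-bad values and enforces length, nothing else.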

[Image: XKCD comic on password strength, credited below]

As stated before, NIST is not a regulatory organization, but federal agencies and contractors use NIST’s information in order to set up secure computing environments in which to display, store, and share sensitive unclassified information.

In making these changes to password strategy, NIST is now acknowledging what many industry professionals already knew: a password you can’t remember may be secure, but if it’s so secure that you have to rely on third-party software to use it, it’s not really that effective at mitigating risk. NIST now treats the passphrase strategy, along with two-factor authentication, as the go-to risk management approach. SMS-based two-factor authentication was not mentioned in the final report, but it has come under scrutiny because it has contributed to multiple hacks in recent times.

NIST also explicitly requires that network administrators forbid commonly used passwords, effectively creating a blocklist of passwords. The new guidelines also state that systems shouldn’t use password hints or knowledge-based authentication options, a practice still common among banking and FinTech applications to this day. We’ll see whether these companies alter their practices as the new NIST guidelines become best practices.

If you are looking for more information about best password practices and data security, the IT experts at XFER are here to help. Call us today at 734-927-6666 / 800-Get-XFER to have your password strategy assessed by the professionals.

Comic by XKCD.
