XFER Blog

XFER has been serving Michigan since 1994, providing IT Support such as technical helpdesk support, computer support, and consulting to small and medium-sized businesses.

Understanding the New NIST Guidelines for Password Security

Understanding the New NIST Guidelines for Password Security

The National Institute for Standards and Technology (NIST) has released Special Publication 800-63B, titled Digital Identity Guidelines. The document outlines major changes to the ways password security should be approached and leaves a lot of what network administrators and software developers have implemented recently to be wrong Today, we’ll take a look at the publication, and try to make sense of the sudden change of course.

NIST is a non-regulatory federal agency that works under the umbrella of the U.S. Department of Commerce. Its mission is to promote U.S. innovation and competitiveness by advancing a uniform measurement standard. Many NIST guidelines become the foundation for best practices in data security. As a result, any publication they produce having to do with cyber or network security should be considered.

A Look at SP 800-63B
The newest password guidelines are a swift about-face in strategy as compared to previous NIST suggestions. Instead of a strategy of ensuring that all passwords meet some type of arbitrary complexity requirements, the new strategy is to create passwords that are easier and more intuitive. Here are some of the highlights:

  • Passwords should be compared to dictionaries and commonly-used passwords
  • Eliminate or reduce complexity rules for passwords
  • All printable characters allowed, including spaces
  • Expiration of passwords no longer based on time password has been in use
  • Maximum length increased to 64 characters.

Basically, the new guidelines recommend longer passphrases to the complex passwords as they are hard for people to remember, and even with complexity rules in place, it was becoming increasingly easy for algorithms to crack passwords (seen in the comic strip below).

ib nist cartoon 1

As stated before, NIST is not a regulatory organization, but federal agencies and contractors use NIST’s information in order to set up secure computing environments in which to display, store, and share sensitive unclassified information.

In making these changes to password strategy, NIST is now considering the fact that many industry professionals knew: a password you can’t remember may be secure, but if it’s so secure that you have to rely on third-party software to utilize it, it’s not really that effective at mitigating risk. NIST now looks at the passphrase strategy, along with two-factor authentication as the go-to risk management strategy. SMS-based two-factor authentication was not mentioned in the final report but has come under scrutiny as it has contributed to multiple hacks in recent times.

The NIST also explicitly commands that network administrators be mindful to forbid commonly used passwords; effectively creating a blacklist of passwords. The new guidelines also suggest that users shouldn’t be using the password hints or knowledge-based authentication options; a common practice among banking and FinTech applications to this day. We’ll see if there is a strategic alteration in these companies’ practices as the new NIST guidelines become best practices.

If you are looking for more information about best password practices and data security, the IT experts at XFER are here to help. Call us today at 734-927-6666 / 800-438-9337 to have your password strategy assessed by the professionals.

Comic by XKCD.

Cryptomining is Inspiring Cybercrime
Know Your Tech: CMS
 

Comments

No comments made yet. Be the first to submit a comment
Already Registered? Login Here
Guest
Friday, February 22 2019
If you'd like to register, please fill in the username, password and name fields.

Captcha Image

Mobile? Grab this Article!

QR-Code dieser Seite

Tag Cloud

Security Technology Tip of the Week Privacy Microsoft Internet Cloud Best Practices Saving Money Backup Workplace Tips Business Computing Software Managed Service Provider Hosted Solutions Hackers Data Small Business Google Mobile Devices Hardware VoIP Productivity Mobile Office Gadgets Network Security Malware Email Quick Tips Efficiency Network Innovation IT Support IT Services Business Management Social Media Business Business Continuity Smartphones Server Miscellaneous Upgrade Communication User Tips Virtualization Windows Communications Disaster Recovery Data Backup Computer Managed IT Services Microsoft Office Smartphone Users Data Recovery Mobile Device Management Passwords Browser Android Holiday Marketing Internet of Things WiFi Save Money Alert Tech Term Ransomware Outsourced IT Cybercrime Vendor Management Cloud Computing Artificial Intelligence BDR Mobile Computing Operating System Remote Monitoring Windows 10 Productivity Router Chrome Information Technology Automation Avoiding Downtime Cybersecurity Bring Your Own Device Apple BYOD Computers Firewall Managed IT Services VPN Spam Big Data Remote Computing Health Current Events IT Solutions The Internet of Things History Best Practice Collaboration Going Green Telephone Systems Social Engineering Printer Facebook Proactive IT Employer-Employee Relationship Phone System Wireless Technology Trending IT Consultant Application Hacking Bandwidth IT Support App Money Office Budget Lithium-ion Battery Mobility Mobile Device Windows 10 Excel Private Cloud Unified Threat Management Office 365 Networking Encryption Applications Business Intelligence iPhone Business Managament Training Mouse Two-factor Authentication How To Content Filtering Fax Server Maintenance Recovery Windows 8 Phishing Value Blockchain Sports Word PowerPoint Website Redundancy Law Enforcement User Error Data Security Gmail Humor Customer Relationship Management Outlook Antivirus Hard Drives Tutorials Settings Virus Google Drive Analytics Access Control File Sharing Managed IT Apps Save Time Information Data Protection Analysis Scam Tablet Search Data Management Office Tips Twitter Managed Service Document Management Vulnerability Streaming Media Risk Management Administrator Compliance Connectivity Identity Theft Flexibility Entertainment Voice over Internet Protocol Retail Saving Time Human Resources Inbound Marketing IT Management Social Servers Downtime Network Congestion Hacker Memory Administration Conferencing Software as a Service Social Networking Tech Support Digital Payment Machine Learning Wi-Fi Computer Repair Meetings Update OneNote Online Currency DDoS Point of Sale Piracy Comparison Paperless Office Recycling IBM Telephony Business Technology Data Storage Google Docs Solid State Drive Education Leadership Windows 7 Botnet Statistics Keyboard Black Market Work/Life Balance Data Breach Computer Accessories Wireless Virtual Assistant Physical Security Skype Instant Messaging Cleaning Password Programming Environment Public Cloud Workers Credit Cards SaaS Running Cable Healthcare Augmented Reality Intranet Telephone System Webinar Biometrics Wearable Technology Net Neutrality Data loss CES Fraud IT service Data storage Touchscreen IT Plan Help Desk Smart Tech eWaste Best Available Internet Exlporer Display Spam Blocking Content Management PDF Bluetooth Infrastructure HaaS End of Support People Unsupported Software Safety USB Government Samsung Video Surveillance Robot YouTube Safe Mode Reputation Charger Cast Backup and Disaster Recovery Entrepreneur Storage Windows Server 2008 Amazon Web Services Webcam Google Search Password Manager Tablets Nanotechnology Remote Worker Internet exploMicrosoft Macro HIPAA Software Tips Remote Work HVAC Security Cameras Hiring/Firing Hiring/Firing Practices Co-managed IT Windows Media Player Virtual Desktop NarrowBand Search Engine Unified Communications Accountants Customers Computer Care Staff Cost Management Addiction Uninterrupted Power Supply Virtual Private Network IT Security Hosted Solution Online Shopping ISP Business Mangement Upgrades Analyitcs Wiring Advertising Print Server PC Care Enterprise Content Management Employee/Employer Relationship Theft Hosted Computing Distributed Denial of Service Proactive Files nternet Crowdfunding 3D Data Warehousing Specifications Customer Service Students Chromecast Bing Remote Support Audit Scheduling Start Menu eBay Digital Signature Cache Project Management Netflix Regulations Evernote Consultant Root Cause Analysis File Versioning Travel Criminal Devices Notifications GDPR Law Firm IT Alerts HBO Password Management Company Culture Mobile Cortana Inventory Remote Monitoring and Maintenance Colocation Supercomputer Millennials Cameras Laptop Shortcuts Computer Fan Smartwatch IoT SharePoint LinkedIn Text Messaging Multi-Factor Security Strategy Wireless Internet Shadow IT Warranty Wireless Charging Licensing Gaming Console Multiple Versions Virtual Reality Thought Leadership E-Commerce Hybrid Cloud Work Station Frequently Asked Questions WIndows 7 NIST Employee Professional Services Google Apps IaaS Line of Business Computing Infrastructure Knowledge Workforce Printer Server Shortcut Electronic Health Records Touchpad eCommerce Windows 8.1 Update FENG Relocation Lifestyle Worker Commute Wire Microchip Legal Patch Management Flash Fiber-Optic User Cryptocurrency Monitor Screen Mirroring Restore Data Bloatware Content Filter Camera Debate 360 Emails Tip of the week Amazon Managing Stress Domains Digital Signage Tools Science Authentication MSP Telecommuting Vendor Electronic Medical Records Insurance Business Owner Smart Office Windows 10s Sync Cables Printers Troubleshooting Webinar Battery Automobile Public Computer Video Games Benefits Cryptomining IT solutions Employer Employee Relationship CrashOverride Scalability Smart Technology Loyalty Books Experience Content How to Two Factor Authentication Techology Emergency Worker Music Audiobook Regulation Assessment Thank You Rootkit Politics Television Congratulations Utility Computing Transportation

Sign up for our Newsletter!

  • Company Name *
  • First Name *
  • Last Name *