XFER has been serving Michigan since 1994, providing IT Support such as technical helpdesk support, computer support, and consulting to small and medium-sized businesses.

Understanding the New NIST Guidelines for Password Security


The National Institute of Standards and Technology (NIST) has released Special Publication 800-63B, Digital Identity Guidelines, the volume covering authentication and lifecycle management. The document outlines major changes to the way password security should be approached, and it makes much of what network administrators and software developers have implemented in recent years wrong. Today, we'll take a look at the publication and try to make sense of the sudden change of course.

NIST is a non-regulatory federal agency that works under the umbrella of the U.S. Department of Commerce. Its mission is to promote U.S. innovation and competitiveness by advancing a uniform measurement standard. Many NIST guidelines become the foundation for best practices in data security. As a result, any publication they produce having to do with cyber or network security should be considered.

A Look at SP 800-63B
The newest password guidelines are a swift about-face in strategy compared to previous NIST suggestions. Instead of insisting that every password meet some arbitrary set of complexity requirements, the new strategy is to let users choose passwords that are easier to remember and to put the burden of weeding out weak ones on the system that verifies them. Here are some of the highlights:

  • Passwords should be checked against dictionaries, lists of commonly-used and previously breached passwords, repetitive or sequential strings, and context-specific words such as the username or the service name
  • Eliminate complexity rules (mandatory mixes of uppercase, digits and symbols) for passwords
  • All printable characters allowed, including spaces and Unicode
  • Passwords are no longer expired on a schedule; a change is forced only when there is evidence of compromise
  • Verifiers should accept passwords of at least 64 characters (and user-chosen passwords must be at least 8 characters)

Basically, the new guidelines favor longer passphrases over short complex passwords: complex passwords are hard for people to remember, and even with complexity rules in place it was becoming increasingly easy for cracking tools to guess them (as the comic strip below illustrates).

[XKCD comic on password strength]

As stated before, NIST is not a regulatory organization, but federal agencies and contractors use NIST’s information in order to set up secure computing environments in which to display, store, and share sensitive unclassified information.

In making these changes to password strategy, NIST is acknowledging what many industry professionals already knew: a password you can't remember may be secure, but if it is so secure that you have to rely on third-party software to use it, it isn't really that effective at mitigating risk. NIST now treats the passphrase strategy, along with two-factor authentication, as the go-to risk management strategy. SMS-based two-factor authentication, which the draft had proposed deprecating, is classed in the final publication as "restricted" rather than prohibited; it has come under scrutiny because attacks on phone numbers (such as SIM swapping and SS7 interception) have contributed to multiple account takeovers in recent years.

NIST also explicitly requires that verifiers screen out commonly used passwords, effectively maintaining a blocklist of passwords. The new guidelines also say verifiers should not store password hints that an unauthenticated user can see, and should not prompt users with knowledge-based authentication questions (such as "What was the name of your first pet?"), a practice still common among banking and FinTech applications to this day. We'll see if there is a strategic alteration in these companies' practices as the new NIST guidelines become best practices.
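The following is an added example, not code from the original post or from NIST, that turns the highlights listed above and the blocklist requirement just described into a working acceptance check for a user-chosen password. The blocklist, the hypothetical service name "example-portal", the username "jdoe" and the wording of the rejection reasons are all constructed for illustration; a real verifier would load a large breach corpus instead of the handful of entries shown here.

```python
import unicodedata
from typing import List, Optional, Set

# Constructed stand-in for the dictionaries and breach corpora a real verifier would load.
BLOCKLIST: Set[str] = {
    "password", "password1", "123456", "qwerty", "letmein",
    "iloveyou", "admin", "welcome",
}

MIN_LENGTH = 8    # SP 800-63B: user-chosen memorized secrets must be at least 8 characters
MAX_LENGTH = 64   # SP 800-63B: verifiers should accept at least 64 characters


def normalize(secret: str) -> str:
    """Apply Unicode NFKC normalisation before counting length or checking the blocklist,
    so the same passphrase typed from different keyboards compares the same way."""
    return unicodedata.normalize("NFKC", secret)


def _is_repetitive_or_sequential(s: str) -> bool:
    """Flag strings such as 'aaaaaaaa' or '12345678' / 'hgfedcba'."""
    if len(set(s)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1})     # strictly ascending or descending code points


def evaluate_password(secret: str, username: str,
                      service_name: str = "example-portal",   # hypothetical service name
                      blocklist: Optional[Set[str]] = None) -> List[str]:
    """Return the reasons a candidate password is rejected; an empty list means accepted.

    Deliberately absent: composition rules (uppercase/digit/symbol quotas) and any
    calendar-based expiry, both of which SP 800-63B tells verifiers to drop.
    """
    blocklist = BLOCKLIST if blocklist is None else blocklist
    s = normalize(secret)
    reasons: List[str] = []

    # Length is counted in code points; spaces and non-ASCII letters count like any other.
    if len(s) < MIN_LENGTH:
        reasons.append("shorter than 8 characters")
    if len(s) > MAX_LENGTH:
        reasons.append("longer than the 64 characters this verifier accepts")

    # Only control characters are refused; every printing character and the space are allowed.
    if any(unicodedata.category(ch).startswith("C") for ch in s):
        reasons.append("contains control characters")

    lowered = s.lower()
    if lowered in blocklist:
        reasons.append("appears in the commonly-used / breached password list")
    if _is_repetitive_or_sequential(s):
        reasons.append("repetitive or sequential characters")

    # Context-specific words: the account name and the name of the service itself.
    for word in (username, service_name):
        if word and word.lower() in lowered:
            reasons.append(f"contains context-specific word {word!r}")
    return reasons


if __name__ == "__main__":
    # Constructed candidates for the constructed user "jdoe".
    for candidate in ("correct horse battery staple", "Password1", "jdoe2024!!", "12345678"):
        print(repr(candidate), "->", evaluate_password(candidate, "jdoe") or "accepted")
```

Note that the long, space-separated passphrase passes every check while the short "complex" candidates fail on the blocklist, the sequential-character rule or the username check, which is exactly the trade the guidelines are making: fewer rules about character classes, more screening against what attackers actually guess first.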

If you are looking for more information about best password practices and data security, the IT experts at XFER are here to help. Call us today at 734-927-6666 / 800-Get-XFER to have your password strategy assessed by the professionals.

Comic by XKCD.



Thursday, November 15 2018