XFER has been serving Michigan since 1994, providing IT Support such as technical helpdesk support, computer support, and consulting to small and medium-sized businesses.

Understanding the New NIST Guidelines for Password Security

The National Institute of Standards and Technology (NIST) has released Special Publication 800-63B, titled Digital Identity Guidelines. The document outlines major changes to the way password security should be approached, and it leaves much of what network administrators and software developers have implemented in recent years looking wrong. Today, we’ll take a look at the publication and try to make sense of the sudden change of course.

NIST is a non-regulatory federal agency that works under the umbrella of the U.S. Department of Commerce. Its mission is to promote U.S. innovation and competitiveness by advancing a uniform measurement standard. Many NIST guidelines become the foundation for best practices in data security. As a result, any publication they produce having to do with cyber or network security should be considered.

A Look at SP 800-63B
The newest password guidelines are a swift about-face in strategy as compared to previous NIST suggestions. Instead of a strategy of ensuring that all passwords meet some type of arbitrary complexity requirements, the new strategy is to create passwords that are easier and more intuitive. Here are some of the highlights:

  • Passwords should be compared to dictionaries and commonly-used passwords
  • Eliminate or reduce complexity rules for passwords
  • All printable characters allowed, including spaces
  • Expiration of passwords no longer based on time password has been in use
  • Maximum length increased to 64 characters.

Basically, the new guidelines favor longer passphrases over complex passwords. Complex passwords are hard for people to remember, and even with complexity rules in place, it was becoming increasingly easy for cracking algorithms to guess them (as the comic strip below illustrates).

[Image: password comic strip (XKCD)]

As stated before, NIST is not a regulatory organization, but federal agencies and contractors use NIST’s information in order to set up secure computing environments in which to display, store, and share sensitive unclassified information.

In making these changes to password strategy, NIST is now acknowledging a fact that many industry professionals already knew: a password you can’t remember may be secure, but if it’s so secure that you have to rely on third-party software to use it, it’s not really that effective at mitigating risk. NIST now looks to the passphrase strategy, along with two-factor authentication, as the go-to risk management strategy. SMS-based two-factor authentication was not mentioned in the final report, but it has come under scrutiny because it has contributed to multiple hacks in recent times.

NIST also explicitly directs network administrators to forbid commonly used passwords, effectively creating a blacklist of passwords. The new guidelines also suggest that users shouldn’t be using password hints or knowledge-based authentication options, a practice that remains common among banking and FinTech applications to this day. We’ll see whether these companies change their practices as the new NIST guidelines become best practices.
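To make the highlights above concrete, here is an added example of what a password-acceptance check looks like when it follows the SP 800-63B approach: a length floor and a 64-character ceiling, no composition rules (spaces and any printable character allowed), a comparison against a blacklist of commonly used passwords, and a reset rule driven by evidence of compromise rather than elapsed time. A legacy complexity check is included alongside it to show how the two approaches disagree on the same inputs. This is illustrative Python written for this post, not code from NIST or from XFER; the blacklist is a small constructed sample, and the function and constant names are our own choices.

```python
"""Password acceptance checks in the spirit of NIST SP 800-63B (added example)."""
import re
import unicodedata
from typing import Iterable, List, Set

MIN_LENGTH = 8    # floor for user-chosen passwords
MAX_LENGTH = 64   # ceiling as stated in the post's highlights

# Constructed sample blacklist. A real deployment would load a much larger
# list of breached and commonly used passwords instead of these few entries.
SAMPLE_BLACKLIST: Set[str] = {
    "password", "p@ssw0rd", "123456", "qwerty", "letmein", "welcome1",
}


def normalize(password: str) -> str:
    """Apply Unicode NFKC so visually identical inputs compare and hash the same."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str,
                   blacklist: Set[str] = SAMPLE_BLACKLIST,
                   context_words: Iterable[str] = ()) -> List[str]:
    """Return the reasons a password is rejected; an empty list means accepted.

    There are deliberately no composition rules: spaces and all printable
    characters are allowed, so a long passphrase is accepted as-is.
    """
    pw = normalize(password)
    reasons: List[str] = []

    # Length is counted in characters (code points), not bytes.
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")

    # Only control characters (tab, newline, ...) are refused; space is printable.
    if any(not ch.isprintable() for ch in pw):
        reasons.append("contains non-printable characters")

    # Blacklist comparison is case-insensitive so trivial capitalisation
    # of a common password does not slip through.
    if pw.lower() in {entry.lower() for entry in blacklist}:
        reasons.append("appears in the commonly-used password list")

    # Context-specific words (username, company name) are also rejected.
    for word in context_words:
        if word and word.lower() in pw.lower():
            reasons.append(f"contains context-specific word {word!r}")

    return reasons


def reset_required(evidence_of_compromise: bool, days_since_change: int) -> bool:
    """Expiration is no longer time-based: only a compromise forces a change.

    days_since_change is accepted so callers of an older policy still work,
    but it plays no part in the decision.
    """
    return evidence_of_compromise


def legacy_complexity_ok(password: str) -> bool:
    """The older 'three of four character classes, at least 8 chars' rule,
    shown here only to contrast with check_password."""
    classes = [
        re.search(r"[a-z]", password) is not None,
        re.search(r"[A-Z]", password) is not None,
        re.search(r"[0-9]", password) is not None,
        re.search(r"[^A-Za-z0-9]", password) is not None,
    ]
    return len(password) >= 8 and sum(classes) >= 3


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "correct horse battery staple"):
        print(repr(candidate),
              "legacy:", "ok" if legacy_complexity_ok(candidate) else "rejected",
              "| nist:", check_password(candidate) or "accepted")
```

The contrast is the point: "P@ssw0rd" satisfies the legacy complexity rule but is rejected by the blacklist comparison, while a four-word passphrase with spaces fails the legacy rule yet is accepted under the new checks. Swapping the sample blacklist for a real breached-password list is the only change needed to make this production-relevant.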

If you are looking for more information about best password practices and data security, the IT experts at XFER are here to help. Call us today at 734-927-6666 / 800-Get-XFER to have your password strategy assessed by the professionals.

Comic by XKCD.

Thursday, July 19 2018