094 90 48200     Get SUPPORT

Aniar IT Services Blog

Understanding the New NIST Guidelines for Password Security

Understanding the New NIST Guidelines for Password Security

The National Institute for Standards and Technology (NIST) has released Special Publication 800-63B, titled Digital Identity Guidelines. The document outlines major changes to the ways password security should be approached and leaves a lot of what network administrators and software developers have implemented recently to be wrong Today, we’ll take a look at the publication, and try to make sense of the sudden change of course.

NIST is a non-regulatory federal agency that works under the umbrella of the U.S. Department of Commerce. Its mission is to promote U.S. innovation and competitiveness by advancing a uniform measurement standard. Many NIST guidelines become the foundation for best practices in data security. As a result, any publication they produce having to do with cyber or network security should be considered.

A Look at SP 800-63B
The newest password guidelines are a swift about-face in strategy as compared to previous NIST suggestions. Instead of a strategy of ensuring that all passwords meet some type of arbitrary complexity requirements, the new strategy is to create passwords that are easier and more intuitive. Here are some of the highlights:

  • Passwords should be compared to dictionaries and commonly-used passwords
  • Eliminate or reduce complexity rules for passwords
  • All printable characters allowed, including spaces
  • Expiration of passwords no longer based on time password has been in use
  • Maximum length increased to 64 characters.

Basically, the new guidelines recommend longer passphrases to the complex passwords as they are hard for people to remember, and even with complexity rules in place, it was becoming increasingly easy for algorithms to crack passwords (seen in the comic strip below).

ib nist cartoon 1

As stated before, NIST is not a regulatory organization, but federal agencies and contractors use NIST’s information in order to set up secure computing environments in which to display, store, and share sensitive unclassified information.

In making these changes to password strategy, NIST is now considering the fact that many industry professionals knew: a password you can’t remember may be secure, but if it’s so secure that you have to rely on third-party software to utilize it, it’s not really that effective at mitigating risk. NIST now looks at the passphrase strategy, along with two-factor authentication as the go-to risk management strategy. SMS-based two-factor authentication was not mentioned in the final report but has come under scrutiny as it has contributed to multiple hacks in recent times.

The NIST also explicitly commands that network administrators be mindful to forbid commonly used passwords; effectively creating a blacklist of passwords. The new guidelines also suggest that users shouldn’t be using the password hints or knowledge-based authentication options; a common practice among banking and FinTech applications to this day. We’ll see if there is a strategic alteration in these companies’ practices as the new NIST guidelines become best practices.

If you are looking for more information about best password practices and data security, the IT experts at Aniar IT Services are here to help. Call us today at 094 90 48200 to have your password strategy assessed by the professionals.

Comic by XKCD.

Cryptomining is Inspiring Cybercrime
Know Your Tech: CMS
 

Comments

No comments made yet. Be the first to submit a comment
Already Registered? Login Here
Guest
Sunday, November 18 2018

Captcha Image

Mobile? Grab this Article!

QR-Code dieser Seite

Tag Cloud

Tip of the Week Security Technology Best Practices Privacy Tech Term Google Cloud Business Computing User Tips Data Backup Email Data Recovery Hackers Innovation Network Security Hardware Microsoft Data Internet VoIP Malware Cloud Computing Browser Android Workplace Tips Business Managed IT Services Mobile Devices Communication Small Business Network Internet of Things Artificial Intelligence Backup IT Services Windows 10 Smartphones Communications Chrome How To Software Windows Cybercrime Collaboration Business Management Applications IT Support BDR Saving Money Cybersecurity Smartphone Information Computers Computer Server Word Hosted Solutions Efficiency Ransomware Gadgets Productivity Router Vulnerability Connectivity Money Office 365 Miscellaneous Outsourced IT Spam Business Continuity Facebook Mobile Device Management Two-factor Authentication Data Security Data Protection Passwords Avoiding Downtime Identity Theft Apps Phishing Telephone System Spam Blocking Comparison Microsoft Office Bring Your Own Device Sports Operating System Law Enforcement IT Management CES App Website Managed IT BYOD Fraud Encryption Scam Business Intelligence Update Infrastructure Upgrade Content Management Social Media Keyboard VPN IT Plan Remote Monitoring Windows 7 Password Blockchain OneNote Virtual Assistant Settings Managed IT services Virtualization Redundancy Unsupported Software Telephone Systems Managed Service Paperless Office Save Money Data Storage Social Engineering Firewall Computer Fan Holiday Password Management Sync Data loss Multi-Factor Security Criminal MSP Software Tips Millennials Digital Signature Servers Bing WiFi Business Mangement Smart Tech Electronic Medical Records Wire Entertainment Warranty Excel Google Apps Mobile Device The Internet of Things Addiction Unified Threat Management FENG Online Shopping NIST Cortana Alert File Sharing Value Workforce Credit Cards PDF HVAC Help Desk Flash Google Docs Gmail Data Management Machine Learning Printer Tip of the week Workers Access Control Big Data Specifications Mobile Computing Evernote Cleaning Cryptocurrency Telephony Trending Training Solid State Drive HaaS Meetings Recycling Devices Human Resources YouTube Mouse Windows Server 2008 Downtime Authentication Windows 10s Google Drive Cache Smart Office HBO Practices Safe Mode Screen Mirroring Remote Worker Audit Botnet Physical Security Telecommuting Amazon Networking Employer-Employee Relationship eWaste Thought Leadership Private Cloud Disaster Recovery Staff Microchip Root Cause Analysis Computer Care Bandwidth Wireless Internet Document Management Camera Outlook Government Charger Hosted Computing Skype Cast Wiring Travel Remote Work Amazon Web Services Accountants Enterprise Content Management Wi-Fi Voice over Internet Protocol Legal Automation Public Cloud Tools Work/Life Balance Search Engine Patch Management Password Manager Nanotechnology HIPAA USB Frequently Asked Questions Recovery Wireless Charging Inventory Augmented Reality Start Menu Tech Support Wireless Technology 5G Twitter IBM Safety Marketing Hacker CrashOverride Productivity Budget Customer Relationship Management Competition IP Address Managed Service Provider Compliance Users Customer Service Software as a Service Hiring/Firing Mobile Office Regulation Quick Tips Fun Domains Wireless Emergency Company Culture Windows 10 Public Speaking Presentation Managing Stress Lithium-ion battery Hard Drives Printers Search