094 90 48200     Get SUPPORT

Aniar IT Services Blog

2 minutes reading time (490 words)

Understanding the New NIST Guidelines for Password Security

Understanding the New NIST Guidelines for Password Security

The National Institute for Standards and Technology (NIST) has released Special Publication 800-63B, titled Digital Identity Guidelines. The document outlines major changes to the ways password security should be approached and leaves a lot of what network administrators and software developers have implemented recently to be wrong Today, we’ll take a look at the publication, and try to make sense of the sudden change of course.

NIST is a non-regulatory federal agency that works under the umbrella of the U.S. Department of Commerce. Its mission is to promote U.S. innovation and competitiveness by advancing a uniform measurement standard. Many NIST guidelines become the foundation for best practices in data security. As a result, any publication they produce having to do with cyber or network security should be considered.

A Look at SP 800-63B
The newest password guidelines are a swift about-face in strategy as compared to previous NIST suggestions. Instead of a strategy of ensuring that all passwords meet some type of arbitrary complexity requirements, the new strategy is to create passwords that are easier and more intuitive. Here are some of the highlights:

  • Passwords should be compared to dictionaries and commonly-used passwords
  • Eliminate or reduce complexity rules for passwords
  • All printable characters allowed, including spaces
  • Expiration of passwords no longer based on time password has been in use
  • Maximum length increased to 64 characters.

Basically, the new guidelines recommend longer passphrases to the complex passwords as they are hard for people to remember, and even with complexity rules in place, it was becoming increasingly easy for algorithms to crack passwords (seen in the comic strip below).

ib nist cartoon 1

As stated before, NIST is not a regulatory organization, but federal agencies and contractors use NIST’s information in order to set up secure computing environments in which to display, store, and share sensitive unclassified information.

In making these changes to password strategy, NIST is now considering the fact that many industry professionals knew: a password you can’t remember may be secure, but if it’s so secure that you have to rely on third-party software to utilize it, it’s not really that effective at mitigating risk. NIST now looks at the passphrase strategy, along with two-factor authentication as the go-to risk management strategy. SMS-based two-factor authentication was not mentioned in the final report but has come under scrutiny as it has contributed to multiple hacks in recent times.

The NIST also explicitly commands that network administrators be mindful to forbid commonly used passwords; effectively creating a blacklist of passwords. The new guidelines also suggest that users shouldn’t be using the password hints or knowledge-based authentication options; a common practice among banking and FinTech applications to this day. We’ll see if there is a strategic alteration in these companies’ practices as the new NIST guidelines become best practices.

If you are looking for more information about best password practices and data security, the IT experts at Aniar IT Services are here to help. Call us today at 094 90 48200 to have your password strategy assessed by the professionals.

Comic by XKCD.

Cryptomining is Inspiring Cybercrime
Know Your Tech: CMS
 

Comments

No comments made yet. Be the first to submit a comment
Already Registered? Login Here
Guest
Monday, July 23 2018

Captcha Image

Mobile? Grab this Article!

QR-Code dieser Seite

Tag Cloud

Tip of the Week Security Technology Best Practices Privacy Google Microsoft Email Tech Term Business Computing Cloud Data Backup Malware Cloud Computing Android VoIP Small Business How To Data Recovery Hackers Innovation User Tips Backup Network Security Internet Data Communication Computers Chrome Software Cybercrime Windows Browser Artificial Intelligence Collaboration Cybersecurity Smartphone Internet of Things Communications Hardware Mobile Devices Managed IT Services Two-factor Authentication Word Data Security Ransomware Router Money Efficiency Data Protection Network Office 365 BDR Vulnerability Business Management Saving Money Smartphones Business Connectivity Spam Mobile Device Management Windows 10 Telephone Systems Facebook Remote Monitoring Computer Social Engineering IT Plan Infrastructure OneNote Content Management Passwords Avoiding Downtime Phishing Virtualization VPN Password Comparison Unsupported Software Apps Blockchain Data Storage Microsoft Office Hosted Solutions Law Enforcement Spam Blocking Website Managed IT Update Identity Theft Business Intelligence Bring Your Own Device Upgrade Outsourced IT Operating System IT Management Business Continuity IT Support App Windows 7 BYOD Paperless Office IT Services Managed IT services Redundancy CES Applications Wi-Fi Patch Management Recycling Devices Servers Employer-Employee Relationship Fraud Tools Encryption Work/Life Balance Audit Physical Security Authentication Entertainment Root Cause Analysis Start Menu Human Resources Telephone System Private Cloud Frequently Asked Questions Recovery Sync Multi-Factor Security Cache NIST Settings Cast Keyboard Practices eWaste Thought Leadership HVAC Amazon Millennials Excel Bandwidth Machine Learning Staff Public Cloud The Internet of Things Wireless Internet Cryptocurrency Charger Hosted Computing Flash Legal Google Docs Automation Workplace Tips Server Data loss Gadgets Amazon Web Services Value Accountants Workforce Computer Fan Tip of the week Password Manager Nanotechnology YouTube Specifications Software Tips Big Data Telephony HIPAA Trending USB Safe Mode Wireless Charging Inventory Smart Office HaaS Criminal Scam Networking Cortana Alert Holiday FENG Windows Server 2008 Business Mangement Smart Tech Digital Signature Electronic Medical Records Wire Virtual Assistant HBO Google Apps Mobile Device Document Management Addiction Enterprise Content Management Social Media Online Shopping Botnet Productivity Telecommuting Gmail Computer Care Meetings Credit Cards PDF Disaster Recovery Solid State Drive Downtime Skype Data Management Sports Save Money Windows 10s Google Drive Outlook Workers Government Access Control Voice over Internet Protocol Password Management Screen Mirroring Evernote Travel Cleaning Remote Work Presentation Lithium-ion battery Augmented Reality Wireless Technology 5G WiFi Tech Support Hard Drives IBM Safety Search Productivity Marketing Hacker Budget Customer Relationship Management Competition CrashOverride IP Address Twitter Users Miscellaneous Company Culture Customer Service Managed Service Provider Mobile Office Domains Wireless Managing Stress Hiring/Firing Emergency Windows 10 Public Speaking Fun