094 90 48200     Get SUPPORT

Aniar IT Services Blog

Understanding the New NIST Guidelines for Password Security

Understanding the New NIST Guidelines for Password Security

The National Institute for Standards and Technology (NIST) has released Special Publication 800-63B, titled Digital Identity Guidelines. The document outlines major changes to the ways password security should be approached and leaves a lot of what network administrators and software developers have implemented recently to be wrong Today, we’ll take a look at the publication, and try to make sense of the sudden change of course.

NIST is a non-regulatory federal agency that works under the umbrella of the U.S. Department of Commerce. Its mission is to promote U.S. innovation and competitiveness by advancing a uniform measurement standard. Many NIST guidelines become the foundation for best practices in data security. As a result, any publication they produce having to do with cyber or network security should be considered.

A Look at SP 800-63B
The newest password guidelines are a swift about-face in strategy as compared to previous NIST suggestions. Instead of a strategy of ensuring that all passwords meet some type of arbitrary complexity requirements, the new strategy is to create passwords that are easier and more intuitive. Here are some of the highlights:

  • Passwords should be compared to dictionaries and commonly-used passwords
  • Eliminate or reduce complexity rules for passwords
  • All printable characters allowed, including spaces
  • Expiration of passwords no longer based on time password has been in use
  • Maximum length increased to 64 characters.

Basically, the new guidelines recommend longer passphrases to the complex passwords as they are hard for people to remember, and even with complexity rules in place, it was becoming increasingly easy for algorithms to crack passwords (seen in the comic strip below).

ib nist cartoon 1

As stated before, NIST is not a regulatory organization, but federal agencies and contractors use NIST’s information in order to set up secure computing environments in which to display, store, and share sensitive unclassified information.

In making these changes to password strategy, NIST is now considering the fact that many industry professionals knew: a password you can’t remember may be secure, but if it’s so secure that you have to rely on third-party software to utilize it, it’s not really that effective at mitigating risk. NIST now looks at the passphrase strategy, along with two-factor authentication as the go-to risk management strategy. SMS-based two-factor authentication was not mentioned in the final report but has come under scrutiny as it has contributed to multiple hacks in recent times.

The NIST also explicitly commands that network administrators be mindful to forbid commonly used passwords; effectively creating a blacklist of passwords. The new guidelines also suggest that users shouldn’t be using the password hints or knowledge-based authentication options; a common practice among banking and FinTech applications to this day. We’ll see if there is a strategic alteration in these companies’ practices as the new NIST guidelines become best practices.

If you are looking for more information about best password practices and data security, the IT experts at Aniar IT Services are here to help. Call us today at 094 90 48200 to have your password strategy assessed by the professionals.

Comic by XKCD.

Cryptomining is Inspiring Cybercrime
Know Your Tech: CMS
 

Comments

No comments made yet. Be the first to submit a comment
Already Registered? Login Here
Guest
Monday, February 18 2019

Captcha Image

Mobile? Grab this Article!

QR-Code dieser Seite

Tag Cloud

Tip of the Week Security Technology Best Practices Privacy Google Business Computing User Tips Tech Term Cloud Data Backup Network Security Mobile Devices Email Microsoft Data Data Recovery Hardware VoIP Hosted Solutions Hackers Cloud Computing Innovation Productivity Smartphone Communications Internet Malware Communication IT Services Workplace Tips Browser IT Support Android Backup Managed IT Services Artificial Intelligence Windows 10 Internet of Things Smartphones Business Chrome How To Efficiency Small Business Network Router Cybersecurity Outsourced IT Applications Business Continuity Computers Computer Information Windows Software Collaboration Word Gadgets Cybercrime Business Management Office 365 Mobile Device Saving Money BDR Spam Mobile Device Management Settings Encryption Data Security Two-factor Authentication Server Passwords Managed Service Data Protection Vulnerability Ransomware Holiday Miscellaneous Money Facebook Connectivity Software as a Service OneNote CES Virtualization Fraud Botnet Human Resources Wi-Fi Disaster Recovery Unsupported Software Infrastructure Windows 7 Managed IT services Data Storage Keyboard Content Management Redundancy Voice over Internet Protocol VPN Telephone Systems Password Virtual Assistant Apps Spam Blocking Social Engineering Blockchain Avoiding Downtime Automation Phishing Paperless Office Microsoft Office Bring Your Own Device Save Money Operating System Comparison IT Management App Google Docs Identity Theft Website BYOD Telephone System Law Enforcement Google Drive Telephony Upgrade Scam Machine Learning Managed IT Social Media Sports Private Cloud Business Intelligence IT Plan Access Control Remote Monitoring Update Cast Evernote Cleaning HBO Training YouTube Mouse Telecommuting Recycling Devices Google Search Smart Office Public Cloud Authentication Safe Mode Security Cameras Computer Care Skype Practices Networking Shortcuts Outlook Government Cache Remote Worker Data loss Amazon Microchip Augmented Reality Travel Computer Fan Remote Work eWaste Thought Leadership Save Time Patch Management Staff Document Management Camera Tools Work/Life Balance Software Tips Bandwidth Smartwatch Wiring Start Menu Charger Hosted Computing Enterprise Content Management Mobility Frequently Asked Questions Recovery Wireless Internet Sync Cortana Multi-Factor Security Alert Amazon Web Services Accountants Search Engine The Internet of Things FENG Legal Proactive IT Hacker WiFi Millennials Password Manager Nanotechnology Health USB Firewall Wireless Charging Inventory Password Management Social Excel HIPAA Servers Bing Big Data Criminal MSP Flash Meetings Digital Signature Entertainment Warranty Value Solid State Drive Workforce Business Mangement Smart Tech Employee Electronic Medical Records Wire Unified Threat Management Windows 10s Specifications Google Apps NIST Vendor Tip of the week Downtime Trending Screen Mirroring Online Shopping HVAC Help Desk Addiction File Sharing HaaS Employer-Employee Relationship Credit Cards PDF Printer Audit Physical Security Gmail Digital Signage Data Management Mobile Computing Workers Cryptocurrency Display Windows Server 2008 Root Cause Analysis Windows 10 Public Speaking Regulation Quick Tips Presentation Emergency Hard Drives Lithium-ion battery Search Company Culture Wireless Technology 5G Tech Support Safety IBM CrashOverride Managing Stress Productivity Marketing Printers Budget Competition Customer Relationship Management Managed Service Provider Twitter Net Neutrality IP Address Hiring/Firing Users Customer Service Fun ISP Mobile Office Domains Compliance Wireless