Mavericks Blogs

Understanding the New NIST Guidelines for Password Security

Understanding the New NIST Guidelines for Password Security

The National Institute for Standards and Technology (NIST) has released Special Publication 800-63B, titled Digital Identity Guidelines. The document outlines major changes to the ways password security should be approached and leaves a lot of what network administrators and software developers have implemented recently to be wrong Today, we’ll take a look at the publication, and try to make sense of the sudden change of course.

NIST is a non-regulatory federal agency that works under the umbrella of the U.S. Department of Commerce. Its mission is to promote U.S. innovation and competitiveness by advancing a uniform measurement standard. Many NIST guidelines become the foundation for best practices in data security. As a result, any publication they produce having to do with cyber or network security should be considered.

A Look at SP 800-63B
The newest password guidelines are a swift about-face in strategy as compared to previous NIST suggestions. Instead of a strategy of ensuring that all passwords meet some type of arbitrary complexity requirements, the new strategy is to create passwords that are easier and more intuitive. Here are some of the highlights:

  • Passwords should be compared to dictionaries and commonly-used passwords
  • Eliminate or reduce complexity rules for passwords
  • All printable characters allowed, including spaces
  • Expiration of passwords no longer based on time password has been in use
  • Maximum length increased to 64 characters.

Basically, the new guidelines recommend longer passphrases to the complex passwords as they are hard for people to remember, and even with complexity rules in place, it was becoming increasingly easy for algorithms to crack passwords (seen in the comic strip below).

ib nist cartoon 1

As stated before, NIST is not a regulatory organization, but federal agencies and contractors use NIST’s information in order to set up secure computing environments in which to display, store, and share sensitive unclassified information.

In making these changes to password strategy, NIST is now considering the fact that many industry professionals knew: a password you can’t remember may be secure, but if it’s so secure that you have to rely on third-party software to utilize it, it’s not really that effective at mitigating risk. NIST now looks at the passphrase strategy, along with two-factor authentication as the go-to risk management strategy. SMS-based two-factor authentication was not mentioned in the final report but has come under scrutiny as it has contributed to multiple hacks in recent times.

The NIST also explicitly commands that network administrators be mindful to forbid commonly used passwords; effectively creating a blacklist of passwords. The new guidelines also suggest that users shouldn’t be using the password hints or knowledge-based authentication options; a common practice among banking and FinTech applications to this day. We’ll see if there is a strategic alteration in these companies’ practices as the new NIST guidelines become best practices.

If you are looking for more information about best password practices and data security, the IT experts at Mavericks are here to help. Call us today at (440) 305-5514 to have your password strategy assessed by the professionals.

Comic by XKCD.

 

Comments

No comments made yet. Be the first to submit a comment
Already Registered? Login Here
Guest
Tuesday, February 19 2019

Captcha Image

Mobile? Grab this Article!

QR-Code

Tag Cloud

Tip of the Week Security Technology Best Practices Tech Term Privacy User Tips Hosted Solutions Business Computing Data Data recovery Network Security Productivity Mobile Devices Communications Innovation Email Cloud Google Data Backup Cloud Computing Internet of Things Malware IT Services Smartphone Workplace Tips Internet IT Support Hardware Smartphones Artificial Intelligence VoIp Communication Saving Money Business Applications Network BDR Backup Information Browser Windows 10 Router Hackers Mobile Device Outsourced IT Miscellaneous Connectivity Android Data Protection Efficiency Holiday Business Management Encryption Chrome Microsoft Gadgets Computer Managed Service Windows Small Business Managed IT Services Access Control Disaster Recovery Computers Vulnerability Two-factor Authentication Comparison Managed IT services Servers Virtual Assistant Machine Learning Password Cybercrime Word Save Money Passwords Identity Theft Software as a Service CES Facebook Server Office 365 Business Intelligence Cybersecurity Telephone System Content Management VPN Human Resources Money Fraud Blockchain Paperless Office Keyboard Settings Infrastructure How To Voice over Internet Protocol Sports Social Engineering Automation Business Continuity Help Desk Accountants Entertainment Mobile Computing Health Digital Signature Managed IT Enterprise Content Management Administrator data-driven marketplace Practices Smart Office Evernote Remote Worker Security Cameras Staff Scam Proactive IT Business Mangement BYOD Upgrade Amazon MSP Telephony Electronic Medical Records Millennials PDF Telephone Systems Spam Authentication Charger Employee Law Enforcement Password Management IT Management WiFi top-line performance Specifications Wiring Wi-Fi Employer-Employee Relationship Virtualization Warranty Mobile Device Management Windows 7 Amazon Web Services File Sharing Mobility Remote Monitoring Devices HVAC Workforce Password Manager Update Website Phishing Wireless Charging Digital Signage NIST Telecommuting Microchip Legal business intelligence Hosted Computing Firewall Hacker Workers Printer Gmail USB Social Media Social Data Management Collaboration Cache Credit Cards Google Drive Ransomware Bandwidth YouTube Camera Google Search Cryptocurrency Remote Work Search Engine Criminal organizations need Inventory Document Management Unified Threat Management Botnet Alert Mouse Recycling Wire Online Shopping Augmented Reality Vendor Cortana Thought Leadership Private Cloud Apps Bring Your Own Device Google Docs Nanotechnology Addiction Safe Mode Microsoft Office Bing Smartwatch Software eWaste Disaster Recovery Systems Organizations today Cleaning OneNote Training Display Google Apps IT Plan Networking Save Time Big Data Data Security Wireless Internet Shortcuts HIPAA Smart Tech Work/Life Balance Compliance Quick Tips Net Neutrality Thank You Regulation ISP Congratulations Twitter Company Culture Printers Managing Stress