Professional Computer Associates Blog

Professional Computer Associates has been serving the Red Hook area since 1999, providing IT Support such as technical helpdesk support, computer support, and consulting to small and medium-sized businesses.

Understanding the New NIST Guidelines for Password Security

The National Institute of Standards and Technology (NIST) has released Special Publication 800-63B, titled Digital Identity Guidelines. The document outlines major changes to the way password security should be approached, and it leaves much of what network administrators and software developers have implemented in recent years looking wrong. Today, we’ll take a look at the publication and try to make sense of the sudden change of course.

NIST is a non-regulatory federal agency that works under the umbrella of the U.S. Department of Commerce. Its mission is to promote U.S. innovation and competitiveness by advancing uniform measurement standards. Many NIST guidelines become the foundation for best practices in data security. As a result, any publication it produces that deals with cyber or network security deserves serious consideration.

A Look at SP 800-63B
The newest password guidelines are a swift about-face in strategy compared to previous NIST suggestions. Instead of ensuring that all passwords meet some set of arbitrary complexity requirements, the new strategy is to let people create passwords that are easier to remember and more intuitive to use. Here are some of the highlights:

  • Passwords should be compared against dictionaries and lists of commonly used passwords
  • Complexity rules for passwords should be eliminated or reduced
  • All printable characters should be allowed, including spaces
  • Password expiration should no longer be based on how long a password has been in use
  • Maximum length increased to 64 characters

Basically, the new guidelines recommend longer passphrases over complex passwords: complex passwords are hard for people to remember, and even with complexity rules in place it was becoming increasingly easy for cracking algorithms to guess them (as seen in the comic strip below).

[Comic: XKCD’s “Password Strength” strip, comparing a complex password with a long passphrase]

As stated before, NIST is not a regulatory organization, but federal agencies and contractors use NIST’s information in order to set up secure computing environments in which to display, store, and share sensitive unclassified information.

In making these changes to password strategy, NIST is acknowledging what many industry professionals already knew: a password you can’t remember may be secure, but if it is so secure that you have to rely on third-party software to use it, it isn’t really that effective at mitigating risk. NIST now treats the passphrase strategy, along with two-factor authentication, as the go-to risk management strategy. SMS-based two-factor authentication was not mentioned in the final report, but it has come under scrutiny because it has contributed to multiple hacks in recent times.

NIST also explicitly directs network administrators to forbid commonly used passwords, effectively creating a blacklist of passwords. The new guidelines also advise against password hints and knowledge-based authentication options, which remain common practice among banking and FinTech applications to this day. We’ll see whether these companies alter their practices as the new NIST guidelines become best practices.
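To make the highlights listed above and the blacklist point concrete, here is an added example (not code from the original post or from NIST) of a verifier check written in Python: length bounds, every printable character including spaces accepted, no composition rules, and a lookup against a constructed stand-in for a common-password list. The 8-character minimum is SP 800-63B’s own figure for user-chosen passwords and is not mentioned in the post; the legacy complexity check is included only to contrast the old approach.

```python
import unicodedata

MIN_LENGTH = 8    # SP 800-63B minimum for user-chosen passwords (not discussed above)
MAX_LENGTH = 64   # the "maximum length increased to 64 characters" highlight

# Constructed stand-in for a real dictionary / commonly-used-password list,
# which in practice holds millions of entries loaded from a file.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome1", "p@ssw0rd",
}


def check_password(candidate, blocklist=COMMON_PASSWORDS):
    """Return (accepted, reason) following the SP 800-63B highlights.

    No composition rules are applied: only length, printability and a
    blocklist lookup decide the outcome.
    """
    # NFKC normalisation (named in 800-63B) so visually identical inputs compare equally.
    pw = unicodedata.normalize("NFKC", candidate)
    if len(pw) < MIN_LENGTH:
        return False, "shorter than %d characters" % MIN_LENGTH
    if len(pw) > MAX_LENGTH:
        # Reject rather than silently truncate a long passphrase.
        return False, "longer than %d characters" % MAX_LENGTH
    # All printable characters are allowed, spaces included; only Unicode
    # control/format characters (general category C*) are rejected.
    if any(unicodedata.category(ch).startswith("C") for ch in pw):
        return False, "contains control characters"
    # Compare against the commonly-used list; case-folded so that trivial
    # capitalisation variants of a blocked password are caught too.
    if pw.casefold() in blocklist:
        return False, "appears on the commonly-used password list"
    return True, "ok"


def legacy_complexity_ok(candidate):
    """The kind of composition rule 800-63B drops: upper, lower, digit, symbol."""
    return (any(c.isupper() for c in candidate)
            and any(c.islower() for c in candidate)
            and any(c.isdigit() for c in candidate)
            and any(not c.isalnum() and not c.isspace() for c in candidate))


if __name__ == "__main__":
    # "P@ssw0rd" satisfies the old complexity rule yet is a known-bad password;
    # the spaced passphrase fails the old rule but is accepted under the new one.
    for pw in ("P@ssw0rd", "correct horse battery staple"):
        print(repr(pw), "legacy:", legacy_complexity_ok(pw), "800-63B:", check_password(pw))
```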

If you are looking for more information about best password practices and data security, the IT experts at Professional Computer Associates are here to help. Call us today at 845-876-6561 to have your password strategy assessed by the professionals.

Comic by XKCD.

Saturday, July 21 2018