Professional Computer Associates Blog

Understanding the New NIST Guidelines for Password Security

The National Institute of Standards and Technology (NIST) has released Special Publication 800-63B, titled Digital Identity Guidelines. The document outlines major changes to the way password security should be approached, and it means that much of what network administrators and software developers have implemented recently is now considered wrong. Today, we’ll take a look at the publication and try to make sense of the sudden change of course.

NIST is a non-regulatory federal agency that works under the umbrella of the U.S. Department of Commerce. Its mission is to promote U.S. innovation and competitiveness by advancing uniform measurement standards. Many NIST guidelines become the foundation for best practices in data security, so any publication it produces having to do with cyber or network security deserves consideration.

A Look at SP 800-63B
The newest password guidelines are a swift about-face compared to previous NIST suggestions. Instead of ensuring that every password meets some arbitrary complexity requirement, the new strategy is to make passwords easier and more intuitive for users. Here are some of the highlights:

  • Passwords should be compared against dictionaries and lists of commonly used passwords.
  • Eliminate or reduce complexity rules for passwords.
  • Allow all printable characters, including spaces.
  • Password expiration is no longer based on how long the password has been in use.
  • Maximum length increased to 64 characters.

Basically, the new guidelines recommend longer passphrases over complex passwords: complex passwords are hard for people to remember, and even with complexity rules in place it was becoming increasingly easy for cracking algorithms to guess them (as illustrated in the comic strip below).

[Comic strip image]

As stated before, NIST is not a regulatory organization, but federal agencies and contractors use NIST’s information in order to set up secure computing environments in which to display, store, and share sensitive unclassified information.

In making these changes to password strategy, NIST is now acknowledging what many industry professionals already knew: a password you can’t remember may be secure, but if it’s so secure that you have to rely on third-party software to use it, it isn’t really that effective at mitigating risk. NIST now treats the passphrase strategy, along with two-factor authentication, as the go-to risk management strategy. SMS-based two-factor authentication was not mentioned in the final report, but it has come under scrutiny because it has contributed to multiple hacks in recent times.

NIST also explicitly directs network administrators to forbid commonly used passwords, effectively creating a blacklist of passwords. The new guidelines also suggest that users shouldn’t be offered password hints or knowledge-based authentication options, a practice still common among banking and FinTech applications to this day. We’ll see whether these companies alter their practices as the new NIST guidelines become best practices.
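To make the highlights listed above and the blacklist point concrete, here is a small password-acceptance check written in Python. It is an added example, not code from this post or from NIST: the blocklist is a constructed toy (a real one would hold hundreds of millions of breached and dictionary entries), the 8-character minimum comes from SP 800-63B itself rather than from this post, the 64-character maximum is the value the post cites, and the `context_words` parameter is a hypothetical hook for site- or user-specific words. What the function deliberately does not do is as important as what it does: there are no digit/uppercase/symbol composition rules, no expiry based on age, and spaces and all printable characters are allowed.

```python
import unicodedata
from typing import Iterable, Tuple

# Constructed toy blocklist for this example. A real deployment would load a
# large list of breached and dictionary passwords from a file or service.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "12345678", "qwerty",
    "letmein", "iloveyou", "admin", "welcome", "monkey",
}

MIN_LENGTH = 8   # SP 800-63B's minimum for user-chosen secrets (from the standard, not stated in the post)
MAX_LENGTH = 64  # the maximum length the post cites


def normalize(secret: str) -> str:
    """Apply Unicode NFKC normalization so compatibility forms of the same
    text (e.g. full-width letters) compare equal to their ASCII form."""
    return unicodedata.normalize("NFKC", secret)


def has_control_characters(secret: str) -> bool:
    """True if the secret contains control or format characters.
    Spaces and every printable character are deliberately allowed."""
    return any(unicodedata.category(ch).startswith("C") for ch in secret)


def is_repetitive_or_sequential(secret: str) -> bool:
    """Catch trivially structured secrets such as 'aaaaaaaa' or 'abcdefgh'.
    Deliberately simple heuristic: a single repeated character, or a strictly
    ascending/descending run of code points."""
    if len(set(secret)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(secret, secret[1:])}
    return steps in ({1}, {-1})


def check_password(secret: str,
                   blocklist: Iterable[str] = COMMON_PASSWORDS,
                   context_words: Iterable[str] = ()) -> Tuple[bool, str]:
    """Return (accepted, reason). `context_words` is a hypothetical parameter
    for service- or user-specific words (site name, username) that must not
    appear inside the secret."""
    s = normalize(secret)
    if len(s) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if len(s) > MAX_LENGTH:
        return False, f"longer than {MAX_LENGTH} characters"
    if has_control_characters(s):
        return False, "contains control characters"
    if is_repetitive_or_sequential(s):
        return False, "repetitive or sequential characters"
    lowered = s.lower()
    # Blocklist comparison is case-insensitive on the normalized text.
    if lowered in {w.lower() for w in blocklist}:
        return False, "found in the common-password blocklist"
    for word in context_words:
        if word.lower() in lowered:
            return False, f"contains the context-specific word {word!r}"
    # Nothing else is required: no composition rules and no age-based expiry,
    # in line with the guideline highlights above.
    return True, "accepted"


if __name__ == "__main__":
    samples = (
        "correct horse battery staple",
        "PASSWORD",
        "\uff50\uff41\uff53\uff53\uff57\uff4f\uff52\uff44",  # full-width "password"
        "abcdefgh",
        "short",
        "ab" * 33,
    )
    for candidate in samples:
        print(repr(candidate), "->", check_password(candidate))
```

The full-width sample shows why normalization comes first: without NFKC, a visually identical spelling of a blocklisted word would slip past an exact-match check. Length is measured after normalization as well, and nothing in the function truncates the secret.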

If you are looking for more information about best password practices and data security, the IT experts at Professional Computer Associates are here to help. Call us today at 845-876-6561 to have your password strategy assessed by the professionals.

Comic by XKCD.

Wednesday, September 26 2018