Home

About Us

IT Services

Understanding IT

News & Events

Blog

Support

Contact Us

Blog
  • Register

Alternative IT Solutions Blog

Understanding the New NIST Guidelines for Password Security

Understanding the New NIST Guidelines for Password Security

The National Institute for Standards and Technology (NIST) has released Special Publication 800-63B, titled Digital Identity Guidelines. The document outlines major changes to the ways password security should be approached and leaves a lot of what network administrators and software developers have implemented recently to be wrong Today, we’ll take a look at the publication, and try to make sense of the sudden change of course.

NIST is a non-regulatory federal agency that works under the umbrella of the U.S. Department of Commerce. Its mission is to promote U.S. innovation and competitiveness by advancing a uniform measurement standard. Many NIST guidelines become the foundation for best practices in data security. As a result, any publication they produce having to do with cyber or network security should be considered.

A Look at SP 800-63B
The newest password guidelines are a swift about-face in strategy as compared to previous NIST suggestions. Instead of a strategy of ensuring that all passwords meet some type of arbitrary complexity requirements, the new strategy is to create passwords that are easier and more intuitive. Here are some of the highlights:

  • Passwords should be compared to dictionaries and commonly-used passwords
  • Eliminate or reduce complexity rules for passwords
  • All printable characters allowed, including spaces
  • Expiration of passwords no longer based on time password has been in use
  • Maximum length increased to 64 characters.

Basically, the new guidelines recommend longer passphrases to the complex passwords as they are hard for people to remember, and even with complexity rules in place, it was becoming increasingly easy for algorithms to crack passwords (seen in the comic strip below).

ib nist cartoon 1

As stated before, NIST is not a regulatory organization, but federal agencies and contractors use NIST’s information in order to set up secure computing environments in which to display, store, and share sensitive unclassified information.

In making these changes to password strategy, NIST is now considering the fact that many industry professionals knew: a password you can’t remember may be secure, but if it’s so secure that you have to rely on third-party software to utilize it, it’s not really that effective at mitigating risk. NIST now looks at the passphrase strategy, along with two-factor authentication as the go-to risk management strategy. SMS-based two-factor authentication was not mentioned in the final report but has come under scrutiny as it has contributed to multiple hacks in recent times.

The NIST also explicitly commands that network administrators be mindful to forbid commonly used passwords; effectively creating a blacklist of passwords. The new guidelines also suggest that users shouldn’t be using the password hints or knowledge-based authentication options; a common practice among banking and FinTech applications to this day. We’ll see if there is a strategic alteration in these companies’ practices as the new NIST guidelines become best practices.

If you are looking for more information about best password practices and data security, the IT experts at Alternative IT Solutions are here to help. Call us today at (0)20 8498 4300 to have your password strategy assessed by the professionals.

Comic by XKCD.

Cryptomining is Inspiring Cybercrime
Know Your Tech: CMS
 

Comments

No comments made yet. Be the first to submit a comment
Already Registered? Login Here
Guest
Saturday, February 16, 2019

Captcha Image

Mobile? Grab this Article!

QR-Code dieser Seite

Tag Cloud

Tip of the Week Security Technology Best Practices Business Computing Cloud Network Security Privacy Google Data Backup User Tips Hosted Solutions Mobile Devices Email Tech Term Hackers Malware Managed IT Services Cloud Computing Data Recovery Data Productivity VoIp Communications Innovation IT Support Outsourced IT Microsoft Efficiency Internet Managed IT Services Hardware IT Services Communication Backup Smartphone Smartphones Internet of Things Software Network Artificial Intelligence BDR Small Business Saving Money Chrome Cybersecurity Router Business Browser Android Windows 10 Business Continuity Workplace Tips Gadgets Ransomware How To Alert Business Management Mobile Device Cybercrime Information Office 365 Applications Computer Mobile Device Management Data Security Computers Spam Money Holiday Collaboration Windows Word Phishing Data Protection Server Disaster Recovery Two-factor Authentication Managed IT Encryption Telephone Systems Facebook Settings Save Money BYOD IT Management Business Intelligence Remote Monitoring Managed Service Private Cloud Voice over Internet Protocol Wi-Fi Identity Theft Social Media Miscellaneous Social Engineering Connectivity Servers Software as a Service Vulnerability Value Botnet OneNote Operating System Website Automation Comparison Bring Your Own Device Work/Life Balance Firewall Spam Blocking Upgrade Compliance Scam Telephony Human Resources Sports Infrastructure Access Control CES Law Enforcement Avoiding Downtime Training Virtual Assistant Workers Password Update Google Drive Employer-Employee Relationship Content Management Mobile Computing Microsoft Office VPN Virtualization Apps App Paperless Office Telephone System IT Plan Blockchain Unsupported Software Networking Mobility Budget Credit Cards Windows 7 Machine Learning Document Management Passwords Google Docs Data Breach Data Storage Keyboard Fraud Redundancy Risk Management Frequently Asked Questions Current Events Business Mangement Devices Cortana webinar Skype Black Market Data Management Wire File Sharing Social Supercomputer Inventory Wireless Charging Cleaning Sync Solid State Drive Criminal Content Filtering Addiction Enterprise Content Management Amazon Flash Warranty Travel Downtime Telecommuting Excel Smartwatch IT Support Knowledge Windows 10s Gmail Thought Leadership Google Apps Conferencing Specifications Physical Security Vendor Unified Threat Management Government Computer Care Office Tips Leadership Information Technology Audit Lifestyle Password Management Search Engine Data loss Smart Tech Amazon Web Services MSP Health Printer Root Cause Analysis Remote Work Tip of the week Save Time Employee Network Congestion Recycling Start Menu Staff Millennials Smart Office Display Marketing Authentication Camera Regulations Data Warehousing Cache NIST Bing Screen Mirroring Online Shopping HVAC Augmented Reality Mouse Windows Server 2008 Entertainment Digital Signage HaaS Public Cloud eWaste Help Desk Netflix Tools FENG Digital Signature Workforce HBO Security Cameras Password Manager WiFi Nanotechnology Computer Fan Wireless Internet Cryptocurrency Shortcuts Proactive IT Cast Practices Evernote Remote Worker Charger Administrator Mobile Accountants Google Search IT Consultant Multi-Factor Security Samsung Bandwidth PDF Outlook Hacker SaaS Big Data Theft The Internet of Things HIPAA Software Tips USB Safe Mode Electronic Medical Records Flexibility IBM Hosted Computing Wiring Legal Trending Recovery Microchip Professional Services Meetings Patch Management YouTube Hiring/Firing Project Management Business Owner Students Regulation Employee/Employer Relationship Rootkit GDPR Bluetooth Bata Backup Utility Computing Two Factor Authentication Loyalty IoT Company Culture Line of Business Employer Employee Relationship ISP Vendor Management Public Computer Strategy Healthcare Quick Tips Safety Business Technology Worker Fiber-Optic E-Commerce Office Managing Stress Analysis Electronic Health Records Windows 10 VoIP Streaming Media Automobile Managed Service Provider Cables Insurance Hacking Battery Instant Messaging Content Filter Unified Communications Printers Storage Thank You Proactive Assessment Consultation Education Virtual Private Network eCommerce Computer Accessories Twitter Congratulations Remote Monitoring and Maintenance Net Neutrality Television

Latest News & Events

Alternative IT Solutions is proud to announce the launch of our new website at https://www.alternative-IT.co.uk. The goal of the new website is to make it easier for our existing clients to submit and manage support requests, and provide more information about our ser...

Contact Us

Learn more about what Alternative IT Solutions can do for your business.

Call Us Today
Call us today
(0)20 8498 4300

Avocet House, Trinity Park, Trinity Way
London, England E4 8TD