Home

About Us

IT Services

Understanding IT

News & Events

Blog

Support

Contact Us

Blog
  • Register

Alternative IT Solutions Blog

Understanding the New NIST Guidelines for Password Security

Understanding the New NIST Guidelines for Password Security

The National Institute for Standards and Technology (NIST) has released Special Publication 800-63B, titled Digital Identity Guidelines. The document outlines major changes to the ways password security should be approached and leaves a lot of what network administrators and software developers have implemented recently to be wrong Today, we’ll take a look at the publication, and try to make sense of the sudden change of course.

NIST is a non-regulatory federal agency that works under the umbrella of the U.S. Department of Commerce. Its mission is to promote U.S. innovation and competitiveness by advancing a uniform measurement standard. Many NIST guidelines become the foundation for best practices in data security. As a result, any publication they produce having to do with cyber or network security should be considered.

A Look at SP 800-63B
The newest password guidelines are a swift about-face in strategy as compared to previous NIST suggestions. Instead of a strategy of ensuring that all passwords meet some type of arbitrary complexity requirements, the new strategy is to create passwords that are easier and more intuitive. Here are some of the highlights:

  • Passwords should be compared to dictionaries and commonly-used passwords
  • Eliminate or reduce complexity rules for passwords
  • All printable characters allowed, including spaces
  • Expiration of passwords no longer based on time password has been in use
  • Maximum length increased to 64 characters.

Basically, the new guidelines recommend longer passphrases to the complex passwords as they are hard for people to remember, and even with complexity rules in place, it was becoming increasingly easy for algorithms to crack passwords (seen in the comic strip below).

ib nist cartoon 1

As stated before, NIST is not a regulatory organization, but federal agencies and contractors use NIST’s information in order to set up secure computing environments in which to display, store, and share sensitive unclassified information.

In making these changes to password strategy, NIST is now considering the fact that many industry professionals knew: a password you can’t remember may be secure, but if it’s so secure that you have to rely on third-party software to utilize it, it’s not really that effective at mitigating risk. NIST now looks at the passphrase strategy, along with two-factor authentication as the go-to risk management strategy. SMS-based two-factor authentication was not mentioned in the final report but has come under scrutiny as it has contributed to multiple hacks in recent times.

The NIST also explicitly commands that network administrators be mindful to forbid commonly used passwords; effectively creating a blacklist of passwords. The new guidelines also suggest that users shouldn’t be using the password hints or knowledge-based authentication options; a common practice among banking and FinTech applications to this day. We’ll see if there is a strategic alteration in these companies’ practices as the new NIST guidelines become best practices.

If you are looking for more information about best password practices and data security, the IT experts at Alternative IT Solutions are here to help. Call us today at (0)20 8498 4300 to have your password strategy assessed by the professionals.

Comic by XKCD.

Cryptomining is Inspiring Cybercrime
Know Your Tech: CMS
 

Comments

No comments made yet. Be the first to submit a comment
Already Registered? Login Here
Guest
Monday, November 12, 2018

Captcha Image

Mobile? Grab this Article!

QR-Code dieser Seite

Tag Cloud

Tip of the Week Security Technology Best Practices Cloud Business Computing Network Security Privacy Data Backup Email Google Hackers Malware Tech Term VoIp Managed IT Services Innovation Data Recovery Mobile Devices Data Cloud Computing Internet Managed IT Services Hardware Outsourced IT Hosted Solutions Microsoft User Tips Communication Software Communications IT Support Efficiency Saving Money Browser Android IT Services BDR Productivity Chrome Backup Internet of Things Network Workplace Tips Smartphones Small Business Artificial Intelligence Business Ransomware Business Management Business Continuity How To Cybersecurity Windows 10 Cybercrime Alert Two-factor Authentication Computer Applications Mobile Device Management Data Security Information Computers Windows Collaboration Router Money Server Data Protection Gadgets Smartphone Phishing BYOD IT Management Business Intelligence Managed IT Office 365 Remote Monitoring Telephone Systems Spam Identity Theft Disaster Recovery Connectivity Vulnerability Word Servers Social Media Save Money Miscellaneous Social Engineering Facebook Training Infrastructure Sports Scam Private Cloud Firewall CES Virtualization Workers Password Avoiding Downtime Voice over Internet Protocol Settings Content Management Update Law Enforcement Microsoft Office Managed Service VPN IT Plan Mobile Computing Unsupported Software Virtual Assistant Paperless Office Apps Passwords Blockchain Windows 7 Wi-Fi Holiday Document Management Employer-Employee Relationship Credit Cards Telephone System Value Data Storage Mobile Device App Work/Life Balance Networking OneNote Keyboard Operating System Bring Your Own Device Fraud Compliance Encryption Spam Blocking Redundancy Budget Website Comparison Upgrade Data Breach Gmail Thought Leadership Physical Security Amazon Sync Content Filtering Access Control Audit Travel Telecommuting Current Events File Sharing Human Resources Data loss Google Apps Smart Tech Specifications Supercomputer Enterprise Content Management Root Cause Analysis Tip of the week Government Automation webinar Warranty Recycling Amazon Web Services Google Drive Information Technology Lifestyle Authentication Data Warehousing Remote Work Knowledge Staff Smart Office Screen Mirroring Public Cloud HVAC Start Menu Millennials Unified Threat Management Password Management Charger Search Engine Cache Windows Server 2008 Conferencing MSP Printer eWaste FENG HBO Online Shopping Office Tips Leadership Entertainment Regulations Camera Password Manager Nanotechnology Computer Fan Network Congestion Samsung Digital Signature Cast Practices Tools Workforce Marketing NIST Bing Wireless Internet WiFi Electronic Medical Records Augmented Reality Hiring/Firing Mouse Outlook Mobility Evernote Accountants Machine Learning Big Data The Internet of Things Software Tips Mobile HaaS PDF Multi-Factor Security Hosted Computing Recovery Cryptocurrency Cleaning HIPAA USB Meetings Patch Management Google Docs Theft Netflix Remote Worker YouTube Proactive IT Administrator Legal Frequently Asked Questions Software as a Service IT Support Business Mangement Devices Black Market Professional Services IT Consultant Trending Inventory Solid State Drive Botnet Risk Management SaaS Safe Mode Computer Care Data Management Wire Flash Cortana Bandwidth Wiring Windows 10s Telephony Skype Flexibility IBM Microchip Criminal Addiction Downtime Excel Wireless Charging Save Time Project Management Television Regulation Strategy Healthcare Managed Service Provider GDPR Managing Stress VoIP Hacking Battery Utility Computing Fiber-Optic Line of Business Streaming Media Public Computer Analysis Electronic Health Records Loyalty Quick Tips Business Technology E-Commerce Insurance Help Desk Cables Safety Content Filter Thank You Windows 10 Consultation Computer Accessories Unified Communications Automobile Storage Congratulations Instant Messaging Rootkit Printers Business Owner Education Bluetooth Employer Employee Relationship Vendor Management Twitter Two Factor Authentication Proactive Virtual Private Network Assessment Students Bata Backup Worker IoT Company Culture Health Office Remote Monitoring and Maintenance

Latest News & Events

Alternative IT Solutions is proud to announce the launch of our new website at https://www.alternative-IT.co.uk. The goal of the new website is to make it easier for our existing clients to submit and manage support requests, and provide more information about our ser...

Contact Us

Learn more about what Alternative IT Solutions can do for your business.

Call Us Today
Call us today
(0)20 8498 4300

Avocet House, Trinity Park, Trinity Way
London, England E4 8TD