About Us

IT Services

Understanding IT

News & Events



Contact Us

  • Register

Alternative IT Solutions Blog

Understanding the New NIST Guidelines for Password Security

Understanding the New NIST Guidelines for Password Security

The National Institute for Standards and Technology (NIST) has released Special Publication 800-63B, titled Digital Identity Guidelines. The document outlines major changes to the ways password security should be approached and leaves a lot of what network administrators and software developers have implemented recently to be wrong Today, we’ll take a look at the publication, and try to make sense of the sudden change of course.

NIST is a non-regulatory federal agency that works under the umbrella of the U.S. Department of Commerce. Its mission is to promote U.S. innovation and competitiveness by advancing a uniform measurement standard. Many NIST guidelines become the foundation for best practices in data security. As a result, any publication they produce having to do with cyber or network security should be considered.

A Look at SP 800-63B
The newest password guidelines are a swift about-face in strategy as compared to previous NIST suggestions. Instead of a strategy of ensuring that all passwords meet some type of arbitrary complexity requirements, the new strategy is to create passwords that are easier and more intuitive. Here are some of the highlights:

  • Passwords should be compared to dictionaries and commonly-used passwords
  • Eliminate or reduce complexity rules for passwords
  • All printable characters allowed, including spaces
  • Expiration of passwords no longer based on time password has been in use
  • Maximum length increased to 64 characters.

Basically, the new guidelines recommend longer passphrases to the complex passwords as they are hard for people to remember, and even with complexity rules in place, it was becoming increasingly easy for algorithms to crack passwords (seen in the comic strip below).

ib nist cartoon 1

As stated before, NIST is not a regulatory organization, but federal agencies and contractors use NIST’s information in order to set up secure computing environments in which to display, store, and share sensitive unclassified information.

In making these changes to password strategy, NIST is now considering the fact that many industry professionals knew: a password you can’t remember may be secure, but if it’s so secure that you have to rely on third-party software to utilize it, it’s not really that effective at mitigating risk. NIST now looks at the passphrase strategy, along with two-factor authentication as the go-to risk management strategy. SMS-based two-factor authentication was not mentioned in the final report but has come under scrutiny as it has contributed to multiple hacks in recent times.

The NIST also explicitly commands that network administrators be mindful to forbid commonly used passwords; effectively creating a blacklist of passwords. The new guidelines also suggest that users shouldn’t be using the password hints or knowledge-based authentication options; a common practice among banking and FinTech applications to this day. We’ll see if there is a strategic alteration in these companies’ practices as the new NIST guidelines become best practices.

If you are looking for more information about best password practices and data security, the IT experts at Alternative IT Solutions are here to help. Call us today at (0)20 8498 4300 to have your password strategy assessed by the professionals.

Comic by XKCD.

Cryptomining is Inspiring Cybercrime
Know Your Tech: CMS


No comments made yet. Be the first to submit a comment
Already Registered? Login Here
Thursday, September 20, 2018
If you'd like to register, please fill in the username, password and name fields.

Captcha Image

Mobile? Grab this Article!

QR-Code dieser Seite

Tag Cloud

Tip of the Week Security Technology Best Practices Cloud Business Computing Privacy Network Security Email Data Backup Tech Term Google Hackers Malware Managed IT Services VoIp Managed IT Services Cloud Computing Innovation Outsourced IT Mobile Devices Microsoft IT Support Internet Hosted Solutions Data Recovery Software Data Saving Money Efficiency Hardware Android Backup User Tips Internet of Things Small Business Communication IT Services Artificial Intelligence Ransomware BDR Cybercrime How To Cybersecurity Communications Alert Network Smartphones Phishing Data Protection Two-factor Authentication Browser Mobile Device Management Data Security Productivity Computers Business Management Business Continuity Windows Collaboration Windows 10 Gadgets Chrome Router Money Smartphone Applications Facebook Word Social Engineering IT Management BYOD Business Business Intelligence Managed IT Telephone Systems Connectivity Spam Office 365 Workplace Tips Disaster Recovery Remote Monitoring Server Identity Theft Vulnerability Save Money Social Media Virtual Assistant Computer Credit Cards Budget Training Password Mobile Device Data Breach Content Management Servers VPN Redundancy Virtualization Private Cloud Website Paperless Office Workers Upgrade Blockchain Firewall Comparison Miscellaneous Document Management Passwords Settings IT Plan Unsupported Software Law Enforcement Value Windows 7 Encryption Avoiding Downtime Update Work/Life Balance Wi-Fi Data Storage Microsoft Office Information Employer-Employee Relationship Mobile Computing Compliance Apps Operating System Infrastructure App OneNote Sports Spam Blocking Managed Service Bring Your Own Device CES Holiday Networking Mobile IT Consultant Solid State Drive Recycling Multi-Factor Security Flash Windows 10s Telephony Authentication Google Docs Bandwidth Augmented Reality Theft Downtime Excel Staff Smart Office SaaS NIST HVAC Software as a Service Keyboard Physical Security Cache Flexibility IBM Entertainment Professional Services Telephone System Fraud Audit eWaste Trending Data loss Password Manager Nanotechnology Remote Worker Cortana Root Cause Analysis Tip of the week Digital Signature Botnet Cryptocurrency Risk Management Current Events Google Drive Practices Automation Wireless Charging webinar Wireless Internet Skype Supercomputer Charger Accountants Machine Learning Amazon Data Warehousing Sync Content Filtering Screen Mirroring Public Cloud Big Data Scam Wiring Google Apps Windows Server 2008 PDF Travel Safe Mode Telecommuting Knowledge Samsung Hosted Computing Government Electronic Medical Records Conferencing FENG HBO HIPAA USB Unified Threat Management Specifications Cast YouTube Office Tips Amazon Web Services Leadership Computer Fan Legal Information Technology Hiring/Firing Lifestyle Remote Work Network Congestion Business Mangement Devices Voice over Internet Protocol File Sharing Inventory Outlook Data Management Wire Start Menu Enterprise Content Management Millennials Marketing Cleaning Online Shopping The Internet of Things Software Tips Criminal Addiction Regulations HaaS Recovery Gmail Thought Leadership IT Support Meetings Patch Management Access Control MSP Netflix Frequently Asked Questions Human Resources Tools Password Management Workforce Computer Care Smart Tech Mobility Evernote Black Market Proactive IT Assessment Bata Backup Streaming Media Save Time Camera Analysis Electronic Health Records Managed Service Provider Insurance Instant Messaging Hacking Battery Television Content Filter Printers VoIP Proactive Thank You Public Computer Storage Loyalty Help Desk Education Quick Tips Safety Remote Monitoring and Maintenance Fiber-Optic Computer Accessories Congratulations Regulation Twitter Consultation GDPR Rootkit Students Windows 10 Business Owner Automobile Line of Business Cables Bluetooth IoT Company Culture Two Factor Authentication Employer Employee Relationship Vendor Management Business Technology E-Commerce Strategy Healthcare WiFi Worker Unified Communications Managing Stress Office Health

Latest News & Events

Alternative IT Solutions is proud to announce the launch of our new website at https://www.alternative-IT.co.uk. The goal of the new website is to make it easier for our existing clients to submit and manage support requests, and provide more information about our ser...

Contact Us

Learn more about what Alternative IT Solutions can do for your business.

Call Us Today
Call us today
(0)20 8498 4300

Avocet House, Trinity Park, Trinity Way
London, England E4 8TD