Contact us today!
866-348-2602

Total Tech Care Blog

Total Tech Care has been serving Florida since 2001, providing IT Support such as technical helpdesk support, computer support, and consulting to small and medium-sized businesses.

Understanding the New NIST Guidelines for Password Security

Understanding the New NIST Guidelines for Password Security

The National Institute for Standards and Technology (NIST) has released Special Publication 800-63B, titled Digital Identity Guidelines. The document outlines major changes to the ways password security should be approached and leaves a lot of what network administrators and software developers have implemented recently to be wrong Today, we’ll take a look at the publication, and try to make sense of the sudden change of course.

NIST is a non-regulatory federal agency that works under the umbrella of the U.S. Department of Commerce. Its mission is to promote U.S. innovation and competitiveness by advancing a uniform measurement standard. Many NIST guidelines become the foundation for best practices in data security. As a result, any publication they produce having to do with cyber or network security should be considered.

A Look at SP 800-63B
The newest password guidelines are a swift about-face in strategy as compared to previous NIST suggestions. Instead of a strategy of ensuring that all passwords meet some type of arbitrary complexity requirements, the new strategy is to create passwords that are easier and more intuitive. Here are some of the highlights:

  • Passwords should be compared to dictionaries and commonly-used passwords
  • Eliminate or reduce complexity rules for passwords
  • All printable characters allowed, including spaces
  • Expiration of passwords no longer based on time password has been in use
  • Maximum length increased to 64 characters.

Basically, the new guidelines recommend longer passphrases to the complex passwords as they are hard for people to remember, and even with complexity rules in place, it was becoming increasingly easy for algorithms to crack passwords (seen in the comic strip below).

ib nist cartoon 1

As stated before, NIST is not a regulatory organization, but federal agencies and contractors use NIST’s information in order to set up secure computing environments in which to display, store, and share sensitive unclassified information.

In making these changes to password strategy, NIST is now considering the fact that many industry professionals knew: a password you can’t remember may be secure, but if it’s so secure that you have to rely on third-party software to utilize it, it’s not really that effective at mitigating risk. NIST now looks at the passphrase strategy, along with two-factor authentication as the go-to risk management strategy. SMS-based two-factor authentication was not mentioned in the final report but has come under scrutiny as it has contributed to multiple hacks in recent times.

The NIST also explicitly commands that network administrators be mindful to forbid commonly used passwords; effectively creating a blacklist of passwords. The new guidelines also suggest that users shouldn’t be using the password hints or knowledge-based authentication options; a common practice among banking and FinTech applications to this day. We’ll see if there is a strategic alteration in these companies’ practices as the new NIST guidelines become best practices.

If you are looking for more information about best password practices and data security, the IT experts at Total Tech Care are here to help. Call us today at 866-348-2602 to have your password strategy assessed by the professionals.

Comic by XKCD.

 

Comments

No comments made yet. Be the first to submit a comment
Already Registered? Login Here
Guest
Friday, 29 March 2024
If you'd like to register, please fill in the username, password and name fields.

Blog Archive

Sign Up for Our Newsletter

  • First Name *
  • Last Name *

      Free Consultation

      Sign up today for a
      FREE Network Consultation

      How secure is your IT infrastructure?
      Let us evaluate it for free!

      Sign up Now!

      Free Consultation
       

      Tag Cloud

      Security Tip of the Week Technology Best Practices Business Computing Cloud Privacy Hackers Productivity Hosted Solutions Software Efficiency Network Security Business Google Internet Microsoft Email Malware Backup Workplace Tips Innovation User Tips Data Computer Mobile Devices Hardware IT Services Android VoIP Disaster Recovery communications Communication IT Support Business Continuity Smartphones Miscellaneous Smartphone Mobile Device Browser Small Business Network Collaboration Productivity Cybersecurity Quick Tips Users Business Management Phishing Managed IT Services Windows Upgrade Outsourced IT Ransomware Data Backup Windows 10 Cloud Computing Office Data Recovery Server Save Money Passwords Windows 10 Chrome Virtualization Tech Term Social Media Saving Money Holiday Gadgets Microsoft Office Managed Service Automation Managed IT Services Facebook Computers Cybercrime Artificial Intelligence Operating System Hacking Health BYOD Mobile Device Management Internet of Things Networking IT Support Wi-Fi Information Telephone Systems Information Technology Remote Spam Alert Managed Service Provider Office 365 Covid-19 Mobility Recovery Employer-Employee Relationship Router BDR Bandwidth Social Engineering Money App History Encryption Applications Mobile Computing Human Resources Application Data Breach Law Enforcement Remote Monitoring Big Data Password Apps Office Tips Training Data Storage VPN Patch Management Government Remote Computing Private Cloud Mobile Office Managed IT Blockchain Paperless Office How To Wireless Infrastructure Voice over Internet Protocol Flexibility Marketing Gmail Google Drive Vulnerability WiFi Settings IT solutions Windows 7 Word Entertainment Website Budget Two-factor Authentication Avoiding Downtime Servers Mouse HaaS Data Security Bring Your Own Device Data Management Work/Life Balance Risk Management Connectivity Remote Work Hacker Employee/Employer Relationship End of Support The Internet of Things RMM Education Physical Security Lithium-ion battery Safety Conferencing HIPAA Sports Redundancy Scam Firewall Keyboard Data Protection USB Virtual Reality Apple Vendor Management Social User Error Save Time Meetings Vendor Managed Services Software as a Service Display Telephone System Staff Cleaning Machine Learning Update Biometrics Spam Blocking Electronic Medical Records Virtual Desktop Hard Drive Battery Google Docs Virus DDoS Hiring/Firing Identity Theft Shadow IT Unified Threat Management Legal SharePoint Computer Accessories Computing Internet Exlporer Augmented Reality Fraud Customer Service PDF Environment Business Intelligence Digital Signage Printer Remote Worker Audit Worker Bluetooth Fax Server Proactive IT IT Management Cryptocurrency Best Practice Botnet SaaS YouTube Black Market IT Plan Procurement Comparison Net Neutrality Workplace Strategy IT Consultant Network Congestion Help Desk Unsupported Software CES Printing eWaste Document Management Wireless Technology Charger Solid State Drive Humor How to Downtime Business Technology Content Management Access Control Compliance OneNote Computer Care Managed Services Provider Data storage Virtual Assistant Current Events Authentication Wearable Technology Automobile Database Telephony Hard Drives Samsung Retail Instant Messaging Remote Workers Robot Computing Infrastructure Excel Going Green Value Processor Troubleshooting Security Cameras Reputation Streaming Media Outlook Computer Tips Leadership Digital Signature Managed IT Service OneDrive Content Biometric Security Tech Support Start Menu Warranty Virtual CIO Laptop Screen Mirroring HVAC Peripheral Loyalty Google Apps Techology Books Customers Frequently Asked Questions Digital Security Cameras Analysis Using Data Windows Media Player Windows 10s Devices Copiers Audiobook 5G User PowerPoint Science Mobile Administrator Touchpad Cast Enterprise Content Management Quick Tip Emergency Smartwatch Tip of the week MSP Ergonomics webinar Accountants Professional Services Microchip Public Cloud Thought Leadership Development Distributed Denial of Service Politics Employer Employee Relationship Credit Cards OLED Managing Stress Customer Relationship Management Advertising Analyitcs Password Management PCI DSS Assessment Password Manager Virtual Machine Fiber Optics Multi-Factor Security Employee Programming Cameras Notifications Windows Server 2008 2FA Tools Search Engine Twitter Messaging Cabling NIST Policy Television Business Mangement Hypervisor Smart Tech Trend Micro Antivirus Trending Relocation Dark mode Addiction SMS Amazon Default App Windows 8 Procedure Public Computer Recycling Saving Time IT service Video Games Practices Shopping Worker Commute Transportation Google Search Printer Server Regulations Wiring dark theme Computer Fan Cache AI Experience Rootkit Amazon Web Services IT Infrastructure Tablet Domains Scalability Bing Safe Mode FinTech Criminal Workers Hosted Computing Social Network Business Owner Benefits GDPR NarrowBand FENG Wireless Internet IaaS Online Shopping Investment Maintenance Search Bloatware File Sharing Employees IBM Employee/Employer Relationships Inventory Smart Technology Specifications ISP iPhone Flash Camera Windows 365 Tablets Wire Video Conferencing Evernote ROI Travel Shortcuts Entrepreneur Software Tips Sales Supercomputer Bitcoin Emails Personal Millennials Cryptomining Files Sync Printers Point of Sale Chromecast Smart Office Supply Chain Management Wireless Charging Shortcut Consultant Cost Management Monitoring Batteries Netflix Digitize Two Factor Authentication Workforce Social Networking Colocation Analytics Uninterrupted Power Supply Virtual Private Network Windows 8.1 Root Cause Analysis Cables Windows Server 2008 R2 Music Best Available Monitor HBO Customer relationships Knowledge Nanotechnology IT Assessment Running Cable Telecommuting Manufacturing WIndows 7 Skype Project Management Email Best Practices Memory Data loss Cortana

      Top Blog

      The reasoning for this is simple: you want to make sure that operations are proceeding as intended, even if you’re not there. If you completely check out from the workplace every time you leave, you could return from your vacation to a complete and total disaster that may have been prevented with y...
      QR-Code