Total Tech Care Blog
Understanding the New NIST Guidelines for Password Security

The National Institute of Standards and Technology (NIST) has released Special Publication 800-63B, titled Digital Identity Guidelines. The document outlines major changes to the way password security should be approached, and it leaves much of what network administrators and software developers have implemented in recent years looking wrong. Today, we’ll take a look at the publication and try to make sense of the sudden change of course.

NIST is a non-regulatory federal agency that works under the umbrella of the U.S. Department of Commerce. Its mission is to promote U.S. innovation and competitiveness by advancing uniform measurement standards. Many NIST guidelines become the foundation for best practices in data security. As a result, any publication they produce having to do with cyber or network security should be taken seriously.

A Look at SP 800-63B
The newest password guidelines are a swift about-face in strategy compared to previous NIST suggestions. Instead of ensuring that every password meets some type of arbitrary complexity requirement, the new strategy is to let users create passwords that are easier and more intuitive for people to remember. Here are some of the highlights:

  • Passwords should be compared against dictionaries and lists of commonly used passwords
  • Complexity rules for passwords should be eliminated or reduced
  • All printable characters should be allowed, including spaces
  • Passwords should no longer expire based solely on how long they have been in use
  • Maximum length increased to 64 characters

Basically, the new guidelines recommend longer passphrases over complex passwords, because complex passwords are hard for people to remember, and even with complexity rules in place it was becoming increasingly easy for cracking algorithms to guess them (as the comic strip below illustrates).
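As an added illustration (not code from this post or from NIST), here is a Python sketch that puts a legacy complexity-rule check beside a check that follows the highlights above. The blocklist is a constructed stand-in for a real dictionary or breached-password list, and the eight-character minimum is an assumption drawn from SP 800-63B rather than from the list above.

```python
import string

# Constructed stand-in for the dictionary / commonly-used-password lists
# that candidates should be checked against. Entries are stored casefolded.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "p@ssw0rd1", "letmein", "welcome1",
}

MIN_LENGTH = 8   # assumption: SP 800-63B minimum for user-chosen secrets
MAX_LENGTH = 64  # the 64-character maximum the post mentions


def legacy_check(candidate: str) -> list[str]:
    """The older complexity-rule approach: short cap, no spaces, forced
    character classes. Returns a list of reasons the password is rejected."""
    problems = []
    if len(candidate) < 8:
        problems.append("shorter than 8 characters")
    if len(candidate) > 16:  # a typical legacy upper bound
        problems.append("longer than 16 characters")
    if " " in candidate:
        problems.append("spaces not allowed")
    if not any(c.isupper() for c in candidate):
        problems.append("needs an uppercase letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("needs a digit")
    if not any(c in string.punctuation for c in candidate):
        problems.append("needs a symbol")
    return problems


def nist_check(candidate: str, blocklist=COMMON_PASSWORDS) -> list[str]:
    """Check in the spirit of the new guidance: length bounds only, any
    printable character (spaces included), a blocklist lookup, and no
    composition rules. Returns a list of reasons the password is rejected."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(candidate) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if any(not c.isprintable() for c in candidate):
        problems.append("contains non-printable characters")
    if candidate.casefold() in blocklist:
        problems.append("appears on the commonly-used password list")
    return problems


if __name__ == "__main__":
    for pw in ("P@ssw0rd1", "correct horse battery staple"):
        print(repr(pw), "legacy:", legacy_check(pw), "nist:", nist_check(pw))
```

Note that "P@ssw0rd1" sails through the legacy rules yet is rejected by the blocklist, while a four-word passphrase fails every legacy rule and passes the NIST-style check.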

[Comic strip by XKCD]

As stated before, NIST is not a regulatory organization, but federal agencies and contractors use NIST’s information in order to set up secure computing environments in which to display, store, and share sensitive unclassified information.

In making these changes to password strategy, NIST is now acknowledging what many industry professionals already knew: a password you can’t remember may be secure, but if it’s so secure that you have to rely on third-party software to use it, it’s not really that effective at mitigating risk. NIST now treats the passphrase strategy, along with two-factor authentication, as the go-to risk management strategy. SMS-based two-factor authentication was not mentioned in the final report, but it has come under scrutiny because it has contributed to multiple hacks in recent times.

NIST also explicitly directs network administrators to forbid commonly used passwords, effectively creating a blacklist of passwords. The new guidelines also suggest that users shouldn’t be relying on password hints or knowledge-based authentication options, which remain a common practice among banking and FinTech applications to this day. We’ll see if there is a strategic alteration in these companies’ practices as the new NIST guidelines become best practices.

If you are looking for more information about best password practices and data security, the IT experts at Total Tech Care are here to help. Call us today at 866-348-2602 to have your password strategy assessed by the professionals.

Comic by XKCD.
