Login | Register 
Contact us today!
866-348-2602

Total Tech Care Blog

Total Tech Care has been serving Florida since 2001, providing IT Support such as technical helpdesk support, computer support, and consulting to small and medium-sized businesses.
Font size: +
Subscribe to this blog post
Print

Understanding the New NIST Guidelines for Password Security

Total Tech Care Blog
0 Comments
Understanding the New NIST Guidelines for Password Security

The National Institute for Standards and Technology (NIST) has released Special Publication 800-63B, titled Digital Identity Guidelines. The document outlines major changes to the ways password security should be approached and leaves a lot of what network administrators and software developers have implemented recently to be wrong Today, we’ll take a look at the publication, and try to make sense of the sudden change of course.

NIST is a non-regulatory federal agency that works under the umbrella of the U.S. Department of Commerce. Its mission is to promote U.S. innovation and competitiveness by advancing a uniform measurement standard. Many NIST guidelines become the foundation for best practices in data security. As a result, any publication they produce having to do with cyber or network security should be considered.

A Look at SP 800-63B
The newest password guidelines are a swift about-face in strategy as compared to previous NIST suggestions. Instead of a strategy of ensuring that all passwords meet some type of arbitrary complexity requirements, the new strategy is to create passwords that are easier and more intuitive. Here are some of the highlights:

  • Passwords should be compared to dictionaries and commonly-used passwords
  • Eliminate or reduce complexity rules for passwords
  • All printable characters allowed, including spaces
  • Expiration of passwords no longer based on time password has been in use
  • Maximum length increased to 64 characters.

Basically, the new guidelines recommend longer passphrases to the complex passwords as they are hard for people to remember, and even with complexity rules in place, it was becoming increasingly easy for algorithms to crack passwords (seen in the comic strip below).

ib nist cartoon 1

As stated before, NIST is not a regulatory organization, but federal agencies and contractors use NIST’s information in order to set up secure computing environments in which to display, store, and share sensitive unclassified information.

In making these changes to password strategy, NIST is now considering the fact that many industry professionals knew: a password you can’t remember may be secure, but if it’s so secure that you have to rely on third-party software to utilize it, it’s not really that effective at mitigating risk. NIST now looks at the passphrase strategy, along with two-factor authentication as the go-to risk management strategy. SMS-based two-factor authentication was not mentioned in the final report but has come under scrutiny as it has contributed to multiple hacks in recent times.

The NIST also explicitly commands that network administrators be mindful to forbid commonly used passwords; effectively creating a blacklist of passwords. The new guidelines also suggest that users shouldn’t be using the password hints or knowledge-based authentication options; a common practice among banking and FinTech applications to this day. We’ll see if there is a strategic alteration in these companies’ practices as the new NIST guidelines become best practices.

If you are looking for more information about best password practices and data security, the IT experts at Total Tech Care are here to help. Call us today at 866-348-2602 to have your password strategy assessed by the professionals.

Comic by XKCD.

Tweet
Tags:
Password Password Management NIST
 

Comments

No comments made yet. Be the first to submit a comment
Already Registered? Login Here
Guest
Wednesday, 02 April 2025
If you'd like to register, please fill in the username, password and name fields.

Blog Categories

Blog Archive

Sign Up for Our Newsletter

  • First Name *
  • Last Name *

      Free Consultation

      Sign up today for a
      FREE Network Consultation

      How secure is your IT infrastructure?
      Let us evaluate it for free!

      Sign up Now!

      Free Consultation
       

      Tag Cloud

      Security Tip of the Week Technology Best Practices Business Computing Cloud Privacy Hackers Productivity Hosted Solutions Efficiency Software Network Security Business Google Microsoft Internet Email Malware Backup Workplace Tips Innovation Data User Tips Computer Mobile Devices Hardware IT Services Disaster Recovery Android VoIP communications Business Continuity Smartphones IT Support Communication Smartphone Miscellaneous Mobile Device Small Business Network Browser Productivity Collaboration Cybersecurity Quick Tips Users Business Management Phishing Managed IT Services Upgrade Windows Outsourced IT Ransomware Data Backup Windows 10 Cloud Computing Office Server Save Money Data Recovery Passwords Windows 10 Tech Term Saving Money Holiday Social Media Gadgets Chrome Virtualization Automation Managed IT Services Microsoft Office Managed Service Computers Facebook Operating System Cybercrime Artificial Intelligence BYOD Mobile Device Management Networking IT Support Internet of Things Hacking Health Wi-Fi Spam Office 365 Remote Telephone Systems Information Technology Managed Service Provider Covid-19 Alert Information Bandwidth Router BDR Employer-Employee Relationship Recovery Social Engineering Mobility Remote Monitoring Mobile Computing Encryption Applications Application App History Data Breach Law Enforcement Big Data Human Resources Password Money Data Storage Patch Management Office Tips Training Government VPN Blockchain Private Cloud Paperless Office Managed IT Remote Computing How To Apps Mobile Office WiFi IT solutions Entertainment Website Budget Google Drive Vulnerability Windows 7 Word Wireless Avoiding Downtime Gmail Servers Settings Two-factor Authentication Data Security Bring Your Own Device Data Management Work/Life Balance Flexibility Mouse Infrastructure HaaS Marketing Voice over Internet Protocol User Error Meetings End of Support Education Physical Security USB Safety Data Protection Conferencing Sports Risk Management HIPAA Hacker Redundancy Scam Keyboard The Internet of Things Lithium-ion battery Vendor Vendor Management Managed Services Display Telephone System Staff Software as a Service Firewall Save Time Machine Learning Remote Work Employee/Employer Relationship Virtual Reality Connectivity Apple RMM Cleaning Social Battery Augmented Reality Shadow IT Printer Fraud Hiring/Firing Digital Signage Legal Bluetooth Wearable Technology Retail Remote Worker Hard Drives Internet Exlporer Instant Messaging Robot Cryptocurrency Excel Procurement Workplace Strategy Net Neutrality Biometrics PDF Virtual Desktop IT Consultant Business Intelligence Comparison Help Desk Proactive IT Audit Printing Worker IT Management Humor CES DDoS Best Practice Botnet YouTube SharePoint Business Technology Black Market IT Plan Content Management Managed Services Provider Access Control Database Customer Service Virtual Assistant Unsupported Software Remote Workers Document Management Environment Authentication Solid State Drive Wireless Technology Charger Processor Fax Server How to Downtime Compliance OneNote Computer Care Hard Drive Data storage Current Events Update SaaS Virus Automobile Telephony Samsung Unified Threat Management Google Docs Computer Accessories Identity Theft Computing Network Congestion Computing Infrastructure Going Green Value eWaste Spam Blocking Electronic Medical Records Techology Password Management Laptop Screen Mirroring Password Manager Messaging Loyalty Cabling Hypervisor Books Shortcut Customers Frequently Asked Questions Policy Multi-Factor Security Twitter Dark mode Windows 10s Trend Micro Audiobook Search Engine Cost Management Mobile Social Networking NIST Touchpad Cast Business Mangement SMS Default App Trending Saving Time Emergency Tip of the week Smart Tech Procedure webinar Addiction dark theme Public Cloud Printer Server Amazon Shopping Employer Employee Relationship Google Search Politics Advertising Professional Services Recycling AI Assessment Running Cable IT Infrastructure Bing Wiring Memory Windows Server 2008 Practices Notifications FinTech Tools Cache Amazon Web Services Social Network Safe Mode Criminal Television Investment Employee/Employer Relationships GDPR Relocation Hosted Computing Employees Wireless Internet Windows 365 Online Shopping ISP Video Games File Sharing Science Video Conferencing Public Computer ROI Specifications Bitcoin Transportation Shortcuts Worker Commute Camera Regulations Inventory Sales Wire Point of Sale Computer Fan Evernote Personal Rootkit Cryptomining Experience Customer Relationship Management Scalability Supply Chain Management Travel Distributed Denial of Service Workers Millennials Batteries Benefits Business Owner Printers Analyitcs Consultant Monitoring Smart Office NarrowBand Windows 8.1 FENG Analytics Wireless Charging Digitize Programming Search IBM Windows Server 2008 R2 Customer relationships Workforce Smart Technology Virtual Private Network iPhone Flash Best Available WIndows 7 Email Best Practices Cables IT Assessment Antivirus Manufacturing Windows 8 Software Tips Supercomputer Computer Tips Emails Telecommuting Managed IT Service IT service Security Cameras Project Management Files Sync Nanotechnology Chromecast Virtual CIO Cortana OneDrive Biometric Security Tablet Digital Signature Peripheral Uninterrupted Power Supply Digital Security Cameras Netflix Using Data Two Factor Authentication Domains Warranty Colocation User HVAC Root Cause Analysis PowerPoint Google Apps Copiers Windows Media Player 5G IaaS Music Maintenance Monitor HBO Analysis Quick Tip Knowledge Ergonomics Smartwatch Administrator Bloatware Skype Devices Managing Stress Enterprise Content Management Data loss Development OLED Virtual Machine Troubleshooting MSP Tablets Reputation Outlook Accountants Streaming Media PCI DSS Leadership Tech Support 2FA Cameras Credit Cards Fiber Optics Employee Content Microchip Entrepreneur Start Menu Thought Leadership

      Top Blog

      Taking a Vacation From Your Technology While On Vacation Can Actually Make Things Worse
      The reasoning for this is simple: you want to make sure that operations are proceeding as intended, even if you’re not there. If you completely check out from the workplace every time you leave, you could return from your vacation to a complete and total disaster that may have been prevented with y...
      Read More
      QR-Code