Total Tech Care Blog

Total Tech Care has been serving Florida since 2001, providing IT Support such as technical helpdesk support, computer support, and consulting to small and medium-sized businesses.

Understanding the New NIST Guidelines for Password Security

The National Institute of Standards and Technology (NIST) has released Special Publication 800-63B, titled Digital Identity Guidelines. The document outlines major changes to the way password security should be approached, and it leaves much of what network administrators and software developers have implemented in recent years looking wrong. Today, we’ll take a look at the publication and try to make sense of the sudden change of course.

NIST is a non-regulatory federal agency that operates under the umbrella of the U.S. Department of Commerce. Its mission is to promote U.S. innovation and competitiveness by advancing uniform measurement standards. Many NIST guidelines become the foundation for best practices in data security, so any publication it produces on cyber or network security deserves attention.

A Look at SP 800-63B
The newest password guidelines are a swift about-face in strategy compared to previous NIST suggestions. Instead of requiring every password to meet some arbitrary set of complexity rules, the new strategy is to allow passwords that are easier to remember and more intuitive to create. Here are some of the highlights:

  • Passwords should be compared against dictionaries and lists of commonly used passwords
  • Complexity rules for passwords should be eliminated or reduced
  • All printable characters should be allowed, including spaces
  • Passwords should no longer expire simply because of how long they have been in use
  • The maximum length should be increased to 64 characters

Basically, the new guidelines favor longer passphrases over complex passwords: complex passwords are hard for people to remember, and even with complexity rules in place, cracking algorithms were finding them increasingly easy to guess (as the comic strip below illustrates).

[Comic strip: XKCD, credited below]

As noted above, NIST is not a regulatory organization, but federal agencies and contractors rely on NIST’s publications to set up secure computing environments in which to display, store, and share sensitive unclassified information.

In making these changes to password strategy, NIST is now acknowledging what many industry professionals already knew: a password you can’t remember may be secure, but if it’s so secure that you have to rely on third-party software to use it, it’s not really that effective at mitigating risk. NIST now treats the passphrase strategy, combined with two-factor authentication, as the go-to risk management approach. SMS-based two-factor authentication was not mentioned in the final report, but it has come under scrutiny because it has contributed to multiple hacks in recent times.

NIST also explicitly directs network administrators to forbid commonly used passwords, effectively creating a blacklist of passwords. The new guidelines also suggest that users shouldn’t be using password hints or knowledge-based authentication options, a practice that remains common among banking and FinTech applications to this day. We’ll see whether these companies alter their practices as the new NIST guidelines become best practices.
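To make the highlights concrete, here is a small Python illustration, added to this post and not code from the post, from NIST, or from Total Tech Care: `legacy_policy()` encodes the composition-rule approach the guidelines move away from, and `nist_policy()` encodes the highlights listed above together with the blacklist requirement just described. The blocklist entries, the 8-character minimum, and the 16-character legacy cap are constructed assumptions, not values taken from the post.

```python
"""Two password-acceptance policies side by side.

Added illustration, not code from the post or from NIST. legacy_policy() encodes
the composition-rule approach the post says SP 800-63B moved away from;
nist_policy() encodes the highlights the post lists (64-character upper bound,
comparison against common passwords, every printable character accepted,
no composition rules). The blocklist and the minimum length are assumptions.
"""
import string
import unicodedata
from typing import Iterable, List

# Constructed stand-in for the dictionaries and common-password lists a verifier
# compares against; a real deployment would load a breach corpus instead.
COMMON_PASSWORDS = {
    "password", "p@ssw0rd", "123456", "qwerty", "letmein", "iloveyou",
    "admin", "welcome", "football", "correct horse battery staple",
}

MAX_LENGTH = 64  # the upper bound cited in the post
MIN_LENGTH = 8   # assumption: the post does not state a minimum


def legacy_policy(password: str) -> List[str]:
    """Composition rules of the kind the post calls arbitrary.
    Returns the rule violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if len(password) > 16:  # assumption: a typical legacy cap, not from the post
        problems.append("longer than 16 characters")
    if not any(c.isupper() for c in password):
        problems.append("needs an uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("needs a lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("needs a digit")
    if not any(c in string.punctuation for c in password):
        problems.append("needs a symbol")
    if " " in password:
        problems.append("spaces not allowed")
    return problems


def nist_policy(password: str,
                blocklist: Iterable[str] = COMMON_PASSWORDS,
                min_length: int = MIN_LENGTH,
                max_length: int = MAX_LENGTH) -> List[str]:
    """Checks reflecting the post's highlights: length bounds, blocklist comparison,
    all printable characters (spaces included) accepted, no composition rules.
    Returns the reasons for rejection; an empty list means the password is accepted."""
    problems = []
    # NFKC normalization so visually identical Unicode spellings compare the same
    # way; an implementation detail assumed here, not a point made in the post.
    candidate = unicodedata.normalize("NFKC", password)
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(candidate) > max_length:
        problems.append(f"longer than {max_length} characters")
    if not all(c.isprintable() for c in candidate):
        problems.append("contains non-printable characters")
    # Case-insensitive comparison so a capital letter cannot dodge the blocklist.
    if candidate.lower() in {entry.lower() for entry in blocklist}:
        problems.append("appears on the common-password blocklist")
    return problems


def compare(password: str) -> dict:
    """Convenience view: how each policy treats one candidate password."""
    return {"legacy": legacy_policy(password), "nist": nist_policy(password)}


if __name__ == "__main__":
    for sample in ("P@ssw0rd", "my dog ate the tuesday newspaper",
                   "correct horse battery staple", "short"):
        print(repr(sample), compare(sample))
```

Running the block shows the contrast the post describes: `P@ssw0rd` satisfies every legacy composition rule yet is rejected by the blocklist check, while a spaced passphrase such as `my dog ate the tuesday newspaper` fails the legacy rules on three counts and is accepted under the new approach. The blocklist check is the part that does the real work, which is why it should run against a current breach corpus both at enrollment and on every password change.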

If you are looking for more information about best password practices and data security, the IT experts at Total Tech Care are here to help. Call us today at 866-348-2602 to have your password strategy assessed by the professionals.

Comic by XKCD.

 
