Cure Solutions Blog

Cure Solutions has been serving the Burlington area since 1997, providing IT Support such as technical helpdesk support, computer support, and consulting to small and medium-sized businesses.

New Password Guidelines from NIST

New Password Guidelines from NIST

The National Institute for Standards and Technology (NIST) has released Special Publication 800-63B, titled Digital Identity Guidelines. The document outlines major changes to the ways password security should be approached and leaves a lot of what network administrators and software developers have implemented recently to be wrong Today, we’ll take a look at the publication, and try to make sense of the sudden change of course.

NIST is a non-regulatory federal agency that works under the umbrella of the U.S. Department of Commerce. Its mission is to promote U.S. innovation and competitiveness by advancing a uniform measurement standard. Many NIST guidelines become the foundation for best practices in data security. As a result, any publication they produce having to do with cyber or network security should be considered.

A Look at SP 800-63B
The newest password guidelines are a swift about-face in strategy as compared to previous NIST suggestions. Instead of a strategy of ensuring that all passwords meet some type of arbitrary complexity requirements, the new strategy is to create passwords that are easier and more intuitive. Here are some of the highlights:

  • Passwords should be compared to dictionaries and commonly-used passwords
  • Eliminate or reduce complexity rules for passwords
  • All printable characters allowed, including spaces
  • Expiration of passwords no longer based on time password has been in use
  • Maximum length increased to 64 characters.

This has been common practice and a recommendation by Cure Solutions for the last 4-5 years.  Basically, the new guidelines recommend longer passphrases vs the complex passwords as they are hard for people to remember, and even with complexity rules in place, it was becoming increasingly easy for algorithms to crack passwords (seen in the comic strip below).

ib nist cartoon 1

As stated before, NIST is not a regulatory organization, but federal agencies and contractors use NIST’s information in order to set up secure computing environments in which to display, store, and share sensitive unclassified information.

In making these changes to password strategy, NIST is now considering the fact that many industry professionals knew: a password you can’t remember may be secure, but if it’s so secure that you have to rely on third-party software to utilize it, it’s not really that effective at mitigating risk. NIST now looks at the passphrase strategy, along with two-factor authentication as the go-to risk management strategy. SMS-based two-factor authentication was not mentioned in the final report but has come under scrutiny as it has contributed to multiple hacks in recent times.

The NIST also explicitly commands that network administrators be mindful to forbid commonly used passwords; effectively creating a blacklist of passwords. The new guidelines also suggest that users shouldn’t be using the password hints or knowledge-based authentication options; a common practice among banking and FinTech applications to this day. We’ll see if there is a strategic alteration in these companies’ practices as the new NIST guidelines become best practices.

If you are looking for more information about best password practices and data security, the IT experts at Cure Solutions are here to help. Call us today at 319-753-CURE (2873) to have your password strategy assessed by the professionals.

To test your password today you visit https://howsecureismypassword.net/

Comic by XKCD.

Know Your Tech: Safe Mode
EHR and Other Technologies Moving Healthcare Forwa...
 

Comments

No comments made yet. Be the first to submit a comment
Already Registered? Login Here
Guest
Sunday, 22 July 2018
If you'd like to register, please fill in the username, password and name fields.

Mobile? Grab this Article!

QR-Code dieser Seite

Recent Comments

The Strict Security Measures of Nuclear Power Plants Can Benefit Your Business Too
17 January 2017
In this way, excepting the goal to generate atomic artillery for reasons of state refuge, the main r...
The Top 3 Technologies for Serious Selfie Takers
12 January 2017
Oh my god! It’s very interesting blog indeed. The technology of selfie stick was also introduced by ...
Can Technology Cure Blindness? We’ll See!
12 January 2017
If you are asking for opinions then I will say that the technology will be able to sure blindness by...
Alert: New CryptoJoker Ransomware May Be the Worst Ransomware Yet
22 December 2016
I really wanted to know some useful information about the Ransomware. And i am happy now that i have...
Why You Shouldn’t Chuck Your E-Waste In the Garbage
22 December 2016
I really wanted to know about it because i was amazed that what people do with the e-waste materials...

Latest Blog Entry

Communication is pivotal to the success of your business, but it’s hard when you have a telephone system that seems like it was built for an age long past. A modern telephone system that utilizes the ...

Latest News

Contact Us

Learn more about what Cure Solutions can do for your business.

Call Us Today

Call us today319-753-CURE (2873)

610 N Main Street
Burlington, Iowa 52601