Tag: Password

Categories
Casserly Consulting Blog

Understanding the New NIST Guidelines for Password Security

nist_password_400.jpg

The National Institute for Standards and Technology (NIST) has released Special Publication 800-63B, titled Digital Identity Guidelines. The document outlines major changes to the ways password security should be approached and leaves a lot of what network administrators and software developers have implemented recently to be wrong Today, we’ll take a look at the publication, and try to make sense of the sudden change of course.

NIST is a non-regulatory federal agency that works under the umbrella of the U.S. Department of Commerce. Its mission is to promote U.S. innovation and competitiveness by advancing a uniform measurement standard. Many NIST guidelines become the foundation for best practices in data security. As a result, any publication they produce having to do with cyber or network security should be considered.

A Look at SP 800-63B
The newest password guidelines are a swift about-face in strategy as compared to previous NIST suggestions. Instead of a strategy of ensuring that all passwords meet some type of arbitrary complexity requirements, the new strategy is to create passwords that are easier and more intuitive. Here are some of the highlights:

  • Passwords should be compared to dictionaries and commonly-used passwords
  • Eliminate or reduce complexity rules for passwords
  • All printable characters allowed, including spaces
  • Expiration of passwords no longer based on time password has been in use
  • Maximum length increased to 64 characters.

Basically, the new guidelines recommend longer passphrases to the complex passwords as they are hard for people to remember, and even with complexity rules in place, it was becoming increasingly easy for algorithms to crack passwords (seen in the comic strip below).

ib nist cartoon 1

As stated before, NIST is not a regulatory organization, but federal agencies and contractors use NIST’s information in order to set up secure computing environments in which to display, store, and share sensitive unclassified information.

In making these changes to password strategy, NIST is now considering the fact that many industry professionals knew: a password you can’t remember may be secure, but if it’s so secure that you have to rely on third-party software to utilize it, it’s not really that effective at mitigating risk. NIST now looks at the passphrase strategy, along with two-factor authentication as the go-to risk management strategy. SMS-based two-factor authentication was not mentioned in the final report but has come under scrutiny as it has contributed to multiple hacks in recent times.

The NIST also explicitly commands that network administrators be mindful to forbid commonly used passwords; effectively creating a blacklist of passwords. The new guidelines also suggest that users shouldn’t be using the password hints or knowledge-based authentication options; a common practice among banking and FinTech applications to this day. We’ll see if there is a strategic alteration in these companies’ practices as the new NIST guidelines become best practices.

If you are looking for more information about best password practices and data security, the IT experts at COMPANYNAME are here to help. Call us today at PHONENUMBER to have your password strategy assessed by the professionals.

Comic by XKCD.

Categories
Casserly Consulting Blog

Tip of the Week: A Secure 2018 Relies on Powerful Passwords

password_strength_400.jpg

Password security is one of the most important parts of using an online account. It seems that the average user runs into the paradox of password security by using either complex, hard-to-remember passwords, or simple and less-secure passwords that put their accounts at risk. Even if the user is aware of the benefits that come from using a secure password, chances are that they will sideline security in favor of ease of access.

According to a list of the worst passwords in 2017 compiled by Splashdata, some of the worst passwords included “password” and “123456.” These two have topped the list since at least 2010, when Splashdata made their debut survey. Other passwords included in the top five include “12345678,” “qwerty,” and “12345.” Even “starwars” made the list at #16. For further reference, you can view the list of the worst passwords in 2017 here .

Best practices for password security are relatively well-known, especially considering how many experts study this particular field. Here are some tips from the guidelines recommended by the United States Computer Emergency Readiness Team, or US-CERT. In fact, US-CERT was created by the Department of Homeland Security for the specific purpose of preserving online security against threats.

Some sites or applications force users to use these best practices when creating a password, so do yourself a favor and keep these in mind:

  1. Use different passwords on different systems and accounts.
  2. Don’t use passwords that are based on personal information that can be easily accessed or guessed.
  3. Use a combination of capital and lowercase letters, numbers, and special characters.
  4. Don’t use words that can be found in any dictionary of any language.
  5. Develop mnemonics (or spoken memory tricks) such as passphrases for remembering complex passwords.
  6. Consider using a password manager program to keep track of your passwords.

COMPANYNAME is of the firm mind that you should never underestimate the importance of network security best practices–particularly password security. To learn more about how you can secure your business, reach out to us at PHONENUMBER.