Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

NIST Digital Identity Guidelines Now Finalized

July 5, 2017

On June 22nd, the finalized version of the NIST Digital Identity Guidelines was published and is available here. Though the guidelines apply to government agencies, they clearly reflect new thinking by NIST, particularly with regard to passwords, which is sure to be reflected in the NIST Cybersecurity Framework, draft version 1.1, which is in the process of being finalized. We expect the Framework, which serves as a cybersecurity guide to organizations of up to 500 people, to be finalized fairly soon.

NIST is phasing out the requirement of periodic password changes – which has been the foundation of password policies for many, many years. Other recommendations include using a length of at least eight characters and choosing a passphrase rather than a "password." Some applications and devices allow users to include spaces and even emojis, which users can now include when setting their passphrase. As always, it is recommended not to use dictionary words as these are easy to brute force computers to require screen-saver passwords and ensure that passwords are required after a reasonable period of inactivity. Newly included is checking all passwords against a database of known compromised passwords, which will of course eliminate all of the dreadfully easy passwords that users are so fond of employing.
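The recommendations above can be expressed as an acceptance check. This is an added example, not code from NIST or from this blog: the function names, the NFKC normalization step and the four-entry sample blocklist are assumptions made for illustration.

```python
import hashlib
import unicodedata

MIN_LENGTH = 8  # minimum length named in the post

# Constructed sample blocklist (illustration only). Entries are kept as SHA-1
# digests for lookup; SHA-1 here is an index key, not a password-storage hash.
_SAMPLE_BREACHED = ["password", "12345678", "qwertyuiop", "letmein123"]
COMPROMISED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest() for p in _SAMPLE_BREACHED
}


def normalize(candidate: str) -> str:
    """NFKC-normalize so look-alike Unicode input compares equal (assumed step)."""
    return unicodedata.normalize("NFKC", candidate)


def is_compromised(candidate: str, blocklist=COMPROMISED_SHA1) -> bool:
    """True if the normalized candidate appears in the compromised list."""
    digest = hashlib.sha1(normalize(candidate).encode("utf-8")).hexdigest()
    return digest in blocklist


def check_passphrase(candidate: str, blocklist=COMPROMISED_SHA1) -> list[str]:
    """Return rejection reasons; an empty list means the passphrase is accepted."""
    reasons = []
    text = normalize(candidate)
    # Length is counted in Unicode code points, so spaces and emoji count as
    # characters; there is no rule demanding digits or symbols.
    if len(text) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if is_compromised(text, blocklist):
        reasons.append("appears in compromised-password list")
    return reasons


def must_change(age_days: int, found_in_breach: bool) -> bool:
    """No expiry by age: age_days is deliberately ignored, and a change is
    forced only when the stored secret turns up in the compromised list."""
    return found_in_breach


if __name__ == "__main__":
    for sample in ["abc", "password", "correct horse 🐎 battery"]:
        print(repr(sample), check_passphrase(sample) or "accepted")
```
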

In the world of cybersecurity, nothing is certain except change.

Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
https://www.senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson