topic NIST Password Standard in Tech Talk

NIST Password Standard

apbanohit — Fri, 10 Jan 2020 13:27:29 GMT

How are organizations screening passwords to be fully compliant with the new NIST standard? A manual process will not work for my organization.

Thanks, Tom

Re: NIST Password Standard

CraginS — Fri, 10 Jan 2020 13:47:38 GMT

@apbanohit wrote:
How are organizations screening passwords to be fully compliant with the new NIST standard? A manual process will not work for my organization.
Thanks, Tom

Tom,

You should not be screening existing passwords. The password polices must first be rewritten to move away from the timed renewal, complexity, and length standards to match the current NIST SP 800-63-3. Once you have clear guidance in hand, the sysadmins responsible for the IDAM software must change the existing settings on your password registration software to apply the new policies as each user creates a new password.

The only person applying manual password compliance process to actual passwords should be the user creating the password. If you are not currently using a password approval module in your IDAM software, essentially making compliance with current password policy the responsibility of the end user, then you should continue that simple process, simply telling al users what the new policy is so they can update with better passwords when they wish.

Oh, and make darn sure you update the password registration database to allow for very long passwords that allow at a minimum all keyboard-accessible characters, including spaces and all symbols. Move away from the rules not allowing key script characters as an unnecessary protection against *ix script insertion.

Good luck!

Craig

Re: NIST Password Standard

Steve-Wilme — Fri, 10 Jan 2020 15:00:12 GMT

We're not moving to the NIST standards, due to PCI DSS, which has old school style password complexity and aging requirements as part of the mandated compliance. Instead we're simply encouraging users to select longer passwords when they expire. Once we get to a position of having significantly reduced sign on, we'll be able to revisit.

Re: NIST Password Standard

apbanohit — Fri, 10 Jan 2020 16:38:16 GMT

Thanks Craig. I do understand all of the information you have kindly provided. I am looking for specific advice for screening the newly created passwords to prevent extremely simple passwords from being used for even a short period of time.

Thanks again,

Tom

Re: NIST Password Standard

CraginS — Fri, 10 Jan 2020 17:47:21 GMT

@apbanohit wrote:
Thanks Craig. I do understand all of the information you have kindly provided. I am looking for specific advice for screening the newly created passwords to prevent extremely simple passwords from being used for even a short period of time.
Thanks again,
Tom

Tom,

OK.. got it. Excellent to be considering that side of the challenge.

An easy way to do that is to add a function to the password registration validity check that matches the proposed password against a master list of very poor passwords (e.g. password, 123456, P@ssw0rd, etc.) and if there is a match have a standard screen that rejects that one telling the user,

"You have selected a very common short password often easily guessed by intruders. Please change to a longer multi word passphrase as described in the full guidance."

There are plenty of lists of common and easily compromised passwords you can use for this step.

Good luck,

Craig

Re: NIST Password Standard

AppDefects — Sat, 11 Jan 2020 03:52:10 GMT

@CraginS wrote:
Please change to a longer multi word passphrase as described in the full guidance."

Since implementing password phrases our organization has seen a spike in "post-it note" purchase requests. No kidding! To be secure some users are writing their passwords on the back to fool us. But we catch'em.

Re: NIST Password Standard

AppDefects — Sat, 11 Jan 2020 03:57:09 GMT

Remember password I do.

Re: NIST Password Standard

jimscard — Sun, 19 Jul 2020 00:39:44 GMT

If your organization would like to implement the new NIST Password recommendations, the need for PCI DSS compliance is not something standing in your way.

There is an FAQ on the PCI SSC Web Site covering this situation. As the SSC points out, entities are allowed to implement alternative controls other than those specified in the standard as long as the intent of the PCI DSS requirements is met.

The FAQ specifically mentions the NIST SP 800-63B alternative controls, and points out the importance of considering all of the recommendations as a complete set of controls, rather than looking at them in isolation.

Can organizations use alternative password management methods to meet PCI DSS Requirement 8?

To avoid the "post-it" problem, most organizations implementing the NIST guidance also provide the ability for users to manage those unique, strong passwords with an automated password manager that utilizes multi-factor authentication for access to the password wallet.

Re: NIST Password Standard

rdaniels — Wed, 12 Aug 2020 23:02:38 GMT

Does this also apply to privilege level Administrative Passwords?

Re: NIST Password Standard

jimscard — Wed, 12 Aug 2020 23:33:07 GMT

Hi,
Yes, the guidance applies to all user passwords, including those for administrators / elevated privilege users.

Re: NIST Password Standard

mtissink — Fri, 28 Aug 2020 08:50:53 GMT

Every countermeasure has it's own flaws and new vulnerabilities