Re: NIST new ruling on passwords - Page 3

Wyrmsfire · ‎10-09-2017

As others have stated, the human behavior aspect of security is going to be a weak spot with passwords written on post it notes or stored in password managers that become compromised. Users that reuse their passwords across accounts is also a huge issue. Enabling and requiring 2FA on accounts should help alleviate the issue and cut down on account compromises. Another tried and true security measure is locking the account after a certain amount of failed login attempts.

TonyDS · ‎10-09-2017

In general I like the new ruling, but somthing about "No more expiration without reason" just doesnt feel right.

It shouldn't happen, but we know that users sometimes "share" accounts with each other and that occaisionlly, the leavers process misses an account.

Password expiration is at least a partial control for those events.

As many have stated, 2FA is probably the answer. I don't know why NIST have not mentioned it in the ruling.

pblacka · ‎10-09-2017

I do agree with the no expiry as this just encourages users to have a simple sequence they can remember , like incremental numbers.

Checking the passwords against a list of easily password list sounds like common sense in this day and age

brichards199 · ‎10-09-2017

Oh the irony....

I just created my account on here to comment on this post, and when creating my account I ran into this:

asredux · ‎10-09-2017

Long *passphrases* are better than shorter, "complex" passwords. MFA is better than no MFA. Et al... but none of these things are a panacea, and adoption takes time. In large enterprises, password policies are often the lowest common denominator of many authentication stores which are synch'ed for "ease of use" -- if one of them can only accept a maximum password of N characters, N will become the enterprise maximum password length. If one of them cannot accept spaces, then spaces will be eliminated from the set of valid characters. MFA is still subject to MitM attacks and trojans that can leverage an active session (bypassing the need to "hack" the MFA solution), as Bruce Schneier pointed out 12 years ago (search "two-factor authentication, too little, too late"). Never drink too deeply from your own Koolaid! But... are the NIST guidelines an improvement? Yes!

infosec711 · ‎10-10-2017

Password management is an increasingly burdensome task, for the average user and for enterprise level situations.

I think such frameworks and guidelines are a great starting point...

leroux · ‎10-10-2017

In January 2017, the French Data Protection Authority (CNIL) is adopting a recommendation on passwords to guarantee minimum security in this respect. It is also providing businesses and citizens alike with practical tools.

This recommendation is available

RJRHODES · ‎10-11-2017

I like many of the new recommendations. I've always been a big fan of making password policies user friendly and allowing longer passphrases and elimination of odd requirements. Non-expiring passwords in an interesting twist that I hadn't given much thought to. It seems to be in practice in many banking websites, so I'm curious to see if that continues to take off.

a3iodun · ‎10-11-2017

Good for NIST

ScottBaker · ‎10-11-2017

Interesting you mention the math about just repeating characters compared to the old "complex" rules @DHerrmann It made me recall the great foundation for that here: https://www.grc.com/haystack.htm

No more arbitrary password aging can't come soon enough in my mind!