Viewer II

Re: NIST new ruling on passwords

I see this as a first great step in the direction of "when security becomes too restrictive, it may cause worse or even more insecure issues to arise". For example, when requiring an individual to change a complex password every 60-90 days (ex. must have 1 of each character type, not to have more than two of the same....) it causes a situation where not only does the person many times only replace or add the next character (ex. Scott@1 to Scott@2 or Scott@12 then Scott@123) but many times will end up writing it down either in a file or a notebook somewhere. Although many may encrypt the written password change somewhere, the majority will not.

Newcomer II

Re: NIST new ruling on passwords

Just last week there was a NIST blog post by Mike Garcia called "Easy Ways to build a Better P@$$w0rd": https://www.nist.gov/blogs/taking-measure/easy-ways-build-better-pw0rd.

 

I strongly agree with the concept of using associations that are unique to you. More importantly, if you have to use passphrases at all, it is more and more necessary to utilize Multi-factor Authentication, wherever possible.

 

The most challenging outcomes of the many breaches reported in the last few years are:

1. easily guessed and short passwords

2. password reuse.

 

Troy Hunt wrote a great blog about this very issue here: https://www.troyhunt.com/password-reuse-credential-stuffing-and-another-1-billion-records-in-have-i-...

 

Once we focus on increased length of passphrases versus complexity and ensure there is no password reuse, credential stuffing goes away. When we increase the length and ensure uniqueness of passwords for each individual service we use, Password Managers become a necessity.

 

Aside from our social and personal spaces, when it comes to credential protections in the enterprise, Privileged Access Management conversations are becoming more and more prevalent overall.

Viewer II

Re: NIST new ruling on passwords

There is an interesting conversation in Bruce Schneier's Blog around the same topic. https://www.schneier.com/blog/archives/2017/10/changes_in_pass.html
Newcomer III

Re: NIST new ruling on passwords

As others have said, what really matters is when the auditors and QSAs update *their* checklists. As long as businesses continue to get dinged in audits for *not* expiring passwords every 90 days, they will continue to do so.

 

What do *I* think of NIST guidance?  I think it is fine, and a net positive for business in general.  I think they should be adopted ASAP, but they won't be adopted until the auditors buy in.

Newcomer II

Re: NIST new ruling on passwords

Looks like a good step forward, and removing password expiry is particularly welcome.

I wonder how difficult it will be for some organisations to change direction, especially when years of advice and awareness training will have been contrary to this advice.
Newcomer II

Re: NIST new ruling on passwords

You have a point there.

Does anyone know of any organization who has already implemented these new password standards?

Viewer II

Re: NIST new ruling on passwords

I join those who applaud the update from NIST. Having said that, I am surprised they didn't increase the 8 character minimum, even for non-privileged/sensitive accounts. We will likely go with 15 character passphrases. We may also use the lack of an expiration as an incentive to adopt 2FA.

Viewer II

Re: NIST new ruling on passwords

As an auditor, all I can do is audit against my organization's password policy. Until my organization changes their policy all I can do is report that the policy does not line up with NIST. And until the regulators change their requirements, my organization's policy will stay exactly as it is...
Which brings me back to your point, when will we see changes from the various regulating bodies.

Newcomer I

Re: NIST new ruling on passwords

I would recommend you do an audit of your user passwords and then you should get a good idea if your password policy is actually working for you, regardless of NIST recommendations. My experience has shown me that changing passwords every 30 days, whilst it might feel secure, just forces users to adopt common themes for passwords and write them down. This makes password guessing incredibly easy!

 

User education can work for some individuals; however, more often than not you are trying to change people's habits, which is a longer-term problem, usually about 12 weeks of following a new pattern to adopt a new behaviour.

 

In summary, moving to a longer period (no more than 90 days) is in most cases more secure; however, I would suggest increasing the minimum length as well, backed up with strong user education to promote passphrases and a lack of themes.
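The audit this post recommends, as an added example that is not code from the thread: generate the "themes" that forced rotation pushes people toward (word + year, word + increment, word@N, trailing "!") and look them up against a hashed store. The store below is constructed for illustration and uses unsalted SHA-256; a real audit would point hashcat or john at the actual format (NT hashes, bcrypt, etc.), but the candidate generation is the part that shows why theme passwords fall so quickly.

```python
"""Offline audit of a password store for theme-based, easily guessed passwords.

Added example, not code from the thread. The store is constructed: six users
with unsalted SHA-256 hashes of passwords chosen the way 30-day rotation tends
to push people (company name or season + year/increment + symbol).
"""
import hashlib
import itertools
from typing import Dict, Iterable, List, Optional


def sha256_hex(password: str) -> str:
    """Hash a candidate the way the constructed sample store does (unsalted SHA-256)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed sample store: {username: hash}. 'dave' uses a long passphrase and should survive.
SAMPLE_STORE: Dict[str, str] = {
    "alice": sha256_hex("Spring2017!"),
    "bob": sha256_hex("Acme@3"),
    "carol": sha256_hex("Password1"),
    "dave": sha256_hex("correct horse battery staple"),
    "erin": sha256_hex("acme2017"),
    "frank": sha256_hex("Welcome1"),
}

# Constructed base words: a few common words plus the (hypothetical) company name and seasons.
BASE_WORDS: List[str] = ["password", "welcome", "acme", "spring", "summer", "autumn", "winter"]
YEARS: List[str] = ["2016", "2017"]


def theme_mutations(word: str) -> Iterable[str]:
    """Yield the rotation 'themes': case variants, then word+N, word+N!, word@N for N in 1..99 and years."""
    suffixes = list(itertools.chain((str(n) for n in range(1, 100)), YEARS))
    for w in {word, word.capitalize(), word.upper()}:
        yield w
        for s in suffixes:
            yield w + s
            yield w + s + "!"
            yield w + "@" + s


def build_candidate_lookup(words: Iterable[str]) -> Dict[str, str]:
    """Precompute hash -> plaintext for every themed candidate so the store lookup is O(1) per user."""
    lookup: Dict[str, str] = {}
    for word in words:
        for candidate in theme_mutations(word):
            lookup[sha256_hex(candidate)] = candidate
    return lookup


def audit_store(store: Dict[str, str], words: Iterable[str]) -> Dict[str, Optional[str]]:
    """Return {username: recovered_password_or_None} for every account in the store."""
    lookup = build_candidate_lookup(words)
    return {user: lookup.get(digest) for user, digest in store.items()}


def cracked_fraction(results: Dict[str, Optional[str]]) -> float:
    """Share of accounts whose password was a themed guess; the number to put in front of policy owners."""
    if not results:
        return 0.0
    return sum(1 for pw in results.values() if pw is not None) / len(results)


if __name__ == "__main__":
    results = audit_store(SAMPLE_STORE, BASE_WORDS)
    for user, recovered in results.items():
        print(f"{user:8} {'CRACKED: ' + recovered if recovered else 'not guessed'}")
    print(f"{cracked_fraction(results):.0%} of accounts fell to theme-based guessing")
```

Run it as-is to see five of the six constructed accounts recovered; swap in your own base words (company name, product names, local sports teams) and the real hash function to turn it into the audit the post describes.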

JJP
Newcomer I

Re: NIST new ruling on passwords

Yep, drop a custom API component in that's got a blacklist of common passwords. Test pw stores for easily cracked passwords (there are many good tools for this) and extend the lifetime of the pw cycle to break away from similar iterations of passwords. Teach passphrase approaches and that special symbols and spaces really boost pw strength. Password managers, federated identity etc. to make things easier, and remember that identity is the new perimeter.
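The verifier-side checks described in this post and the first post in the thread (a common-password blacklist, length over complexity, and catching the Scott@1 to Scott@2 increment that forced rotation produces), as an added example that is not code from the thread. It follows the shape of the NIST SP 800-63B rules the thread discusses: NFKC-normalize, enforce a minimum and a generous maximum length, compare against a blocklist, and skip composition rules entirely. The 15-character minimum matches the figure one poster said their organisation would adopt; the blocklist and sample passwords are constructed for illustration, and a real deployment would load a large breached-password list.

```python
"""Password-acceptance checks in the spirit of NIST SP 800-63B.

Added example, not code from the thread. Checks: minimum/maximum length, a
blocklist of common passwords (including 'blocklisted word + trailing digits'),
and a check that the new password is not merely an increment of the previous
one (Scott@1 -> Scott@2 -> Scott@12). No composition rules, by design.
"""
import re
import unicodedata
from typing import List, Optional

# Constructed blocklist; a real deployment would load a large breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "iloveyou"}

MIN_LENGTH = 15   # the organisation's choice in the thread; SP 800-63B's floor is 8
MAX_LENGTH = 64   # SP 800-63B asks verifiers to accept at least 64 characters

_TRAILING_INCREMENT = re.compile(r"[\d!@#$%^&*._-]+$")


def normalize(password: str) -> str:
    """NFKC-normalize so visually identical Unicode forms compare equal."""
    return unicodedata.normalize("NFKC", password)


def strip_increment(password: str) -> str:
    """Lower-case and drop trailing digits/symbols: 'Scott@12' and 'Scott@123' both become 'scott'."""
    return _TRAILING_INCREMENT.sub("", password.lower())


def is_increment_of(new: str, old: str) -> bool:
    """True when `new` differs from `old` only by bumping a trailing digit/symbol run."""
    base_new, base_old = strip_increment(new), strip_increment(old)
    return base_new != "" and base_new == base_old and new != old


def check_password(candidate: str, previous: Optional[str] = None) -> List[str]:
    """Return the reasons a candidate is rejected; an empty list means it is accepted."""
    pw = normalize(candidate)
    reasons: List[str] = []

    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")

    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("appears in the common-password blocklist")
    elif strip_increment(pw) in COMMON_PASSWORDS:
        reasons.append("blocklisted word with trailing digits/symbols")

    if previous is not None and is_increment_of(pw, normalize(previous)):
        reasons.append("only increments the previous password")

    return reasons


if __name__ == "__main__":
    for new, old in [("Scott@2", "Scott@1"), ("Password123456789", None),
                     ("correct horse battery staple", "Scott@1")]:
        verdict = check_password(new, old) or ["accepted"]
        print(f"{new!r}: {'; '.join(verdict)}")
```

The increment check is the piece most policies lack: without it, a verifier that merely enforces "different from the last N passwords" still accepts Scott@1, Scott@2, Scott@3, which is exactly the behaviour the first post describes.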