Viewer II

Re: NIST new ruling on passwords

Not sure if the new password rules are going to be effective given that the public community (personal accounts such as online banking, online shopping, brokerage accounts, etc.), for the most part, has no password expiration requirements; many cause the user to employ 3 out of 4 character types (upper, lower, number, special characters), and most limit the use of all special characters. But the problem as I see it is the frustration of changing passwords that are significantly complex. I tend to use passwords (when the application permits) that look like my 2-year-old granddaughter was typing or my cat was walking across the keyboard. In other words, ones that are so weird the cracking tools would give up or bypass them. As a retired IT auditor, it was always my experience that clients will generally go along with the Best Practice if you can substantiate its use.

G08
Viewer

Re: NIST new ruling on passwords

I welcome the new suggestions by NIST. However, in my view, the human element who made the computer and all other technologies is the strongest as well as the weakest link in the cyber chain. If a person can hack complex passwords, he or she can devise programs or ways to hack passphrases or longer passwords; it's not that difficult. The most important threat to information security is the human being who is either ignorant or unaware or negligent about information security. Major cyber crimes, including data breaches, have happened because of a lack of responsible behaviour from our human element in one way or another. So it is worthwhile to consider how to deal with this human element such that the efforts we put into improving the cyber world are respected and considered as their own responsibility.

Regards,
Gargi Akolkar
B.Com., Chartered Accountant, PGDiploma in Cyber Security, Cyber Forensics, Cyber Laws and Cyber Crimes, Certification in Forensic Accounting and Fraud Investigation.
Viewer II

Re: NIST new ruling on passwords

Very interesting!!

The whole point is in educating the end user. Respecting the complexity/aging rules won't HELP, as we still see stolen passwords (brute force, rainbow tables, etc.). I have seen examples where end users were lazy and added a special character each time they were forced to change their password. Or the best, the least effort when choosing a compliant password: "Abcdefg.".

 

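The two habits described above, a trivially sequential password that still satisfies composition rules and a "rotate by appending one character" change, are exactly what blocklist and similarity screening (as SP 800-63B recommends in place of composition rules) is meant to catch. The following is an added example, not code from the original post or from NIST; the blocklist is a small constructed stand-in for a breached-password corpus, and the 0.8 similarity threshold and 4-character run length are my own assumptions.

```python
import re
from difflib import SequenceMatcher

# Constructed stand-in for a breached-password / site-specific blocklist.
# A real deployment would load millions of entries from a file or service.
BLOCKLIST = {"password", "abcdefg", "qwerty", "letmein", "welcome1", "123456"}

KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def _normalize(pw):
    # Drop the decorations people add to satisfy composition rules:
    # case, plus leading/trailing digits and punctuation ("Abcdefg." -> "abcdefg").
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())


def _has_sequence(pw, run=4):
    # Any `run` consecutive keyboard-row or alphabet characters, either direction.
    s = pw.lower()
    for seq in KEYBOARD_ROWS + [ALPHABET]:
        for i in range(len(seq) - run + 1):
            chunk = seq[i:i + run]
            if chunk in s or chunk[::-1] in s:
                return True
    return False


def _is_repetitive(pw, run=4):
    # The same character repeated `run` or more times in a row.
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def screen_password(candidate, previous=None, min_len=8):
    """Return the list of reasons to reject `candidate`; an empty list means accept.

    `previous` is the user's current password (available at change time), used to
    reject the "same password plus one new character" rotation pattern.
    """
    reasons = []
    if len(candidate) < min_len:
        reasons.append("too short")
    if candidate.lower() in BLOCKLIST or _normalize(candidate) in BLOCKLIST:
        reasons.append("matches blocklist")
    if _has_sequence(candidate):
        reasons.append("contains keyboard/alphabet sequence")
    if _is_repetitive(candidate):
        reasons.append("repeated character run")
    if previous is not None:
        ratio = SequenceMatcher(None, candidate.lower(), previous.lower()).ratio()
        if ratio >= 0.8 or _normalize(candidate) == _normalize(previous):
            reasons.append("too similar to previous password")
    return reasons


if __name__ == "__main__":
    for cand, prev in [("Abcdefg.", None),
                       ("Summer2019!", "Summer2018!"),
                       ("correct horse battery staple", None)]:
        print(repr(cand), "->", screen_password(cand, prev) or "accepted")
```

The similarity check only works at password-change time, when the old password is still in hand; it does not require storing old passwords in recoverable form, which a reusable "history" list would. Leet-speak substitutions (`P@ssw0rd`) are not normalised here and would need an extra mapping step.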
Viewer II

Re: NIST new ruling on passwords

The 57 one is a famous actor; the password was tatters.

 

What I do is create a table of printable ASCII characters and toss that in +-=_@#$%^&;:,.<>~?!|"'*` with upper case, lower case, and 0-9, at which point I can generate a password with any number of characters, turn off the special characters for sites that have broken security, and I don't bother to remember any of the passwords. I simply generate the passwords and change them at random intervals, which I can save as notes in the password tables.

 

Asking your users to change the password every so many days makes it boring. People get used to logging in with a certain password, and when they have to change it, it causes problems trying to forget the old password and remember the new one, which creates extra work for the IT team resetting the password, and the person bothers other employees while locked out of their machine. We need a way to create a new password while allowing the old one to work until the person thinks they have the new one remembered and can lock in their new password as the only password that works for that account. But having people either carry a smart phone or a key generator is likely a good idea, or, as others have said, simply make sure that the physical security is good enough that they can use less secure passwords on site and more secure passwords to connect to off-site resources.

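The generator scheme in the post above (upper, lower, digits, plus that symbol set, with the symbols switchable off for sites that reject them) maps directly onto a few lines of code. This is an added example, not the poster's own tool; it uses the `secrets` module so each character is drawn from the OS CSPRNG rather than `random`, and the 128-bit target in the usage is my assumption, not something the post specifies.

```python
import math
import secrets
import string

# The symbol set quoted in the post above (24 characters).
SPECIALS = "+-=_@#$%^&;:,.<>~?!|\"'*`"


def build_alphabet(allow_specials=True):
    # Upper, lower and digits (62) plus the symbol set (24) when the site permits it.
    alphabet = string.ascii_uppercase + string.ascii_lowercase + string.digits
    if allow_specials:
        alphabet += SPECIALS
    return alphabet


def generate_password(length=20, allow_specials=True):
    """Draw each character uniformly and independently with the OS CSPRNG."""
    alphabet = build_alphabet(allow_specials)
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, allow_specials=True):
    """Keyspace entropy of a uniformly random password of this length."""
    return length * math.log2(len(build_alphabet(allow_specials)))


def length_for_bits(target_bits, allow_specials=True):
    """Smallest length whose uniform-random keyspace reaches target_bits.

    Dropping the symbols does not weaken the password; it just needs to be
    slightly longer to keep the same entropy (20 -> 22 characters for 128 bits).
    """
    per_char = math.log2(len(build_alphabet(allow_specials)))
    return math.ceil(target_bits / per_char)


if __name__ == "__main__":
    for specials in (True, False):
        n = length_for_bits(128, specials)
        pw = generate_password(n, specials)
        print(f"specials={specials}: {n} chars, {entropy_bits(n, specials):.1f} bits: {pw}")
```

Because every character is independent and uniform, there is no need for "at least one of each class" rejection loops; those only shrink the keyspace. The stored-notes part of the post is what a password manager does, with the vault encrypted under a key derived from one memorised passphrase.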
Viewer II

Re: NIST new ruling on passwords

I am about to recommend this for our Shadow/Business-led Systems as part of their security measures. Corporate policy is to use passphrases, but there is still a 90-day expiry and AD password complexity.
Viewer II

Re: NIST new ruling on passwords

HITRUST has already adopted the new NIST guidance in CSF version 9.0.

Viewer II

Re: NIST new ruling on passwords

I am on board with the new NIST guidance. I expect to have some interesting conversations with our customers about these changes. Many of them still have the older recommendations in their contracts.

Viewer

Re: NIST new ruling on passwords

This should not be seen as a ruling; it's advice, and not bad advice at that. We must always remember, though, that security is not a blanket that fits all; it needs to be appropriate to the information we are protecting, and our password approach must be flexible enough to provide the necessary protection.

 

Passwords have had their day though so we do need to provide users with a better and more secure authentication experience.

 

I prefer the advice coming from the UK with regards to this evolution - https://www.ncsc.gov.uk/guidance/password-guidance-simplifying-your-approach

 

This provides a good balance, we may reduce password security (by our old thinking) but what we must do is to counter that by putting more emphasis in our IT processes such as through increased or targeted monitoring.

Viewer II

Re: NIST new ruling on passwords

I am with you on this. I'm wondering if there is a mathematician here in the group who could show that "aaaaaaaaaaaaaa" is more secure than "$(@^$)&%".

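The comparison asked for above can be worked through numerically. This is an added example, not from the original post; it scores a password under two attacker models: plain brute force over the character classes the password actually uses, and a cheaper pattern model for a single repeated character (guess which printable character, then which length up to 64; the 64 is my assumption). Under brute force the fourteen a's win (about 66 bits against 40), but a pattern-aware cracker reduces them to roughly 13 bits, which is why length only helps when the characters are not predictable.

```python
import math
import string

# Character classes an attacker would enumerate; sizes 26, 26, 10, 32.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}

PRINTABLE = 95      # printable ASCII characters
MAX_LEN = 64        # assumed longest length the pattern attacker tries


def brute_force_bits(pw):
    """Keyspace bits if the attacker tries every string of this length over the
    classes the password uses: len * log2(alphabet size)."""
    size = sum(len(chars) for chars in CLASSES.values() if set(pw) & chars)
    return len(pw) * math.log2(size)


def pattern_bits(pw):
    """Bits for the 'one character repeated' pattern: choose the character
    (95 ways) and the length (MAX_LEN ways). None if the pattern does not apply."""
    if len(set(pw)) == 1:
        return math.log2(PRINTABLE) + math.log2(MAX_LEN)
    return None


def effective_bits(pw):
    """Worst case for the defender: the cheapest model that finds the password."""
    bf = brute_force_bits(pw)
    pat = pattern_bits(pw)
    return bf if pat is None else min(bf, pat)


if __name__ == "__main__":
    for pw in ("aaaaaaaaaaaaaa", "$(@^$)&%"):
        pat = pattern_bits(pw)
        print(f"{pw!r}: brute force {brute_force_bits(pw):.1f} bits, "
              f"pattern {'n/a' if pat is None else f'{pat:.1f}'}, "
              f"effective {effective_bits(pw):.1f} bits")
```

The same reasoning generalises: a 14-character password whose letters are chosen uniformly at random keeps its 66 bits, while dictionary words, dates and keyboard walks fall to similar low-bit pattern models. That is the argument behind NIST's shift from composition rules to length plus blocklist screening.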
pop
Newcomer I

Re: NIST new ruling on passwords

I personally dislike the "this password has been used recently and cannot be used" rule. This is closely related to the no-more-password-expiration rule.