cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
ivanborgiey
Newcomer I

SSCP practice exam question.

I have a question regarding this matter. SSCP.JPG

 

Why is the answer is No expiration? I checked the NIST 800-63b but I didn't find anything about it

8 Replies
denbesten
Community Champion

Check out § 5.1.1.2 ¶ 9.    "Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically)".  I know, I know... everyone's gut reaction is "that's stupid; why would anyone recommend that?".  Well, go read Appendix A of the very same document for the rationale.

JoePete
Advocate I


@ivanborgiey wrote:

Why is the answer is No expiration? I checked the NIST 800-63b but I didn't find anything about it


Look at 10.2.1 Intermittent Events:


"Do not require that memorized secrets be changed arbitrarily (e.g., periodically) unless there is a user request or evidence of authenticator compromise."

 

I think this gets overblown as "Don't change passwords." What NIST is saying is don't force users to change an effective password because, eventually, they will probably choose a bad one. This doesn't mean users, at their own choosing, shouldn't occasionally change their password. Or that security awareness training should discourage users from changing their passwords from time to time.

 

NIST suggests passwords should be checked against known breaches, and if a password matches one in such a breach, it should be changed. But if you are following other NIST recommendations (e.g., 32-bit unique salt on the passwords), the only time those passwords can effectively be checked is when the users set them. An "unbreakable password" 10 years ago is probably quite broken today. Users should still be changing passwords but it should be on their terms.

Lowveldrider
Newcomer I

I must agree with you!  To never let a password expire is not safe.  The default for Windows Server is even 90 days if I am not mistaken.  

PS.  On which platform did you do these tests?

dcontesti
Community Champion

For my two cents, THIS is a terrible question and should not be used.

 

My thinking, one should know about NIST, etc. but if I am in a local manufacturing environment in Ireland, I probably do not care about NIST nor does my employer.

 

(ISC)2 has always maintained they are vendor independent and I believe that this level of knowledge is getting too far down in the weeds and becoming US Gov't. specific.

 

d

 

denbesten
Community Champion


@Lowveldrider wrote:

...To never let a password expire is not safe.  ...


It is less about about good/bad; it is more about how big the bang for the buck.   Appendix A details how NIST compared the alternatives to arrive at its recommendation.

 

@dcontesti is (as usual) spot-on with her observation that "this level of knowledge detail is getting too far down in the weeds".  Practice exam writers seem to relish in testing ones ability to memorize trivia, ignoring the bigger message that expiration is not our only tool and that its effectiveness has been diminishing on it over time.

guerrdenn12
Viewer

 As of 2023, NIST has requested comments on their newest revision of 800-63 (Digital Identity Guidelines). And as recently as 2020, NIST revised their password guidelines to emphasize password length over complexity, salting and hashing stored passwords, MFA, and making it easier for users to adhere to password security policies. Additionally, organizations should not require their employees to reset their passwords more than once per year, and they should monitor new passwords on a daily basis, testing them against lists of common and compromised passwords. Finally, NIST has identified a number of threats to authentication security, including password security, that businesses and industry professionals should keep in mind.

denbesten
Community Champion


@guerrdenn12 wrote:

 Newest (draft) revision of 800-63...   reset their passwords more than once per year.


Could you help me find that in the draft?  Line 734 (page 14) of the draft continues to say "Verifiers SHALL NOT require users to periodically change memorized secrets."  No mention of "once per year".  Perhaps I am looking in the wrong place or there is a newer draft.

rubyedixon
Viewer

Recently i passed my SSCP exam. I got the SSCP practice test from p2pexams and it was useful for me. By practicing with this practice test i got familiar with format of the actual exam and types of questions. This familiarity reduced my anxiety and increased my confidence level. It helped me identify and overcome my weak areas. I got key exam knowledge that helped me in passing my exam. Many questions in the final test came from this practice material.