apbanohit
Newcomer II

NIST Password Standard

How are organizations screening passwords to be fully compliant with the new NIST standard?  A manual process will not work for my organization.

Thanks, Tom

10 Replies
CraginS
Defender I


@apbanohit wrote:

How are organizations screening passwords to be fully compliant with the new NIST standard?  A manual process will not work for my organization.

Thanks, Tom


Tom,

You should not be screening existing passwords. The password policies must first be rewritten to move away from the timed renewal, complexity, and length standards to match the current NIST SP 800-63-3. Once you have clear guidance in hand, the sysadmins responsible for the IDAM software must change the existing settings on your password registration software to apply the new policies as each user creates a new password.

The only person applying a manual password compliance process to actual passwords should be the user creating the password. If you are not currently using a password approval module in your IDAM software, essentially making compliance with current password policy the responsibility of the end user, then you should continue that simple process, simply telling all users what the new policy is so they can update with better passwords when they wish.

Oh, and make darn sure you update the password registration database to allow for very long passwords that allow at a minimum all keyboard-accessible characters, including spaces and all symbols. Move away from the rules not allowing key script characters as an unnecessary protection against *ix script insertion.

Good luck!

Craig
D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkedIn Profile
My Community Posts
Steve-Wilme
Advocate II

We're not moving to the NIST standards, due to PCI DSS, which has old school style password complexity and aging requirements as part of the mandated compliance.  Instead we're simply encouraging users to select longer passwords when they expire.  Once we get to a position of having significantly reduced sign on, we'll be able to revisit.

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
apbanohit
Newcomer II

Thanks Craig.  I do understand all of the information you have kindly provided.  I am looking for specific advice for screening the newly created passwords to prevent extremely simple passwords from being used for even a short period of time.

Thanks again,

Tom

CraginS
Defender I


@apbanohit wrote:

Thanks Craig.  I do understand all of the information you have kindly provided.  I am looking for specific advice for screening the newly created passwords to prevent extremely simple passwords from being used for even a short period of time.

Thanks again,

Tom


Tom,

OK, got it. Excellent to be considering that side of the challenge.

An easy way to do that is to add a function to the password registration validity check that matches the proposed password against a master list of very poor passwords (e.g. password, 123456, P@ssw0rd, etc.) and if there is a match have a standard screen that rejects that one telling the user,

"You have selected a very common short password often easily guessed by intruders. Please change to a longer multi word passphrase as described in the full guidance."

There are plenty of lists of common and easily compromised passwords you can use for this step.

Good luck,

Craig
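The blocklist check Craig describes above, combined with the acceptance rules from his earlier reply (long passwords, spaces and all printable characters allowed, no composition rules), worked through as an added example that is not code from anyone in this thread. It follows the memorized-secret verifier requirements in NIST SP 800-63B section 5.1.1.2. The common-password list, the context words, the 256-character cap and the "leaked" sample corpus are assumptions constructed for the demo; the range table stands in for a query to a breach corpus such as the Pwned Passwords range API, whose k-anonymity lookup shape (5-hex-character SHA-1 prefix out, suffixes matched locally) it mirrors.

```python
"""Password screening along the lines of NIST SP 800-63B section 5.1.1.2.

Added example for this thread, not code from any poster. The blocklist,
context words and "leaked" list below are constructed sample data; a real
deployment loads a large common-password list and queries a breach
corpus (for example the Pwned Passwords range API) instead.
"""
import hashlib
import unicodedata
from collections import Counter, defaultdict

MIN_LEN = 8      # 800-63B: user-chosen memorized secrets are at least 8 characters
MAX_LEN = 256    # 800-63B asks verifiers to accept at least 64; 256 is an assumed
                 # cap that bounds hashing cost without truncating real passphrases

# Constructed sample blocklist (real lists run to millions of entries)
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome",
                    "p@ssw0rd", "iloveyou", "monkey", "dragon", "football"}
# Assumed context-specific words: organisation and product names
CONTEXT_WORDS = {"acme", "acmecorp"}

# Substitutions an attacker's wordlist rules would undo
LEET = str.maketrans({"@": "a", "$": "s", "!": "i", "0": "o",
                      "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})
TRAILING = "0123456789!@#$%^&*.,?_- "


def variants(pw):
    """Spellings of pw that collapse onto a blocklist entry: lowercased,
    trailing digits/symbols removed, leet substitutions undone."""
    base = pw.lower()
    stripped = base.rstrip(TRAILING)
    return {base, stripped, base.translate(LEET), stripped.translate(LEET)}


def repetitive_or_sequential(pw):
    """'aaaaaaaa', '12345678', 'abcdefgh', 'zyxwvuts' and the like."""
    if len(set(pw)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps == {1} or steps == {-1}


def sha1_hex(pw):
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()


def build_breach_ranges(leaked):
    """Index a leaked-password list by 5-hex-char SHA-1 prefix, the same
    shape the Pwned Passwords range API returns for one prefix."""
    ranges = defaultdict(Counter)
    for pw in leaked:
        h = sha1_hex(pw)
        ranges[h[:5]][h[5:]] += 1
    return ranges


def breach_count(pw, ranges):
    """k-anonymity lookup: only the 5-char prefix would leave the host;
    the 35-char suffix is matched locally against that prefix's range."""
    h = sha1_hex(pw)
    return ranges.get(h[:5], {}).get(h[5:], 0)


# Constructed "leaked" corpus standing in for the range API response
BREACH_RANGES = build_breach_ranges(["summer2019", "Welcome1", "Football!"])


def screen_password(candidate, username="", ranges=BREACH_RANGES):
    """Return (accepted, reason). No composition rules, no expiry: length,
    a blocklist, context words, trivial patterns and breach data only."""
    pw = unicodedata.normalize("NFKC", candidate)   # 800-63B: NFKC or NFC
    if len(pw) < MIN_LEN:
        return False, "too short"
    if len(pw) > MAX_LEN:
        return False, "too long"
    if any(unicodedata.category(c).startswith("C") for c in pw):
        return False, "control character"   # spaces, symbols, Unicode are all fine
    if repetitive_or_sequential(pw):
        return False, "repetitive or sequential"
    vs = variants(pw)
    if vs & COMMON_PASSWORDS:
        return False, "common password"
    ctx = {w.lower() for w in CONTEXT_WORDS}
    if len(username) >= 3:
        ctx.add(username.lower())
    if any(w in v for v in vs for w in ctx):
        return False, "contains context word"
    if breach_count(pw, ranges):
        return False, "found in breach corpus"
    return True, "ok"


REJECT_MESSAGE = ("You have selected a very common or easily guessed password. "
                  "Please choose a longer multi-word passphrase.")

if __name__ == "__main__":
    for pw in ["P@ssw0rd123", "summer2019", "correct horse battery staple"]:
        ok, why = screen_password(pw, username="tom")
        print(f"{pw!r:34} -> {'accepted' if ok else 'rejected: ' + why}")
```

Two design points worth noting. The variant expansion is what makes a short blocklist useful: "P@ssw0rd123" is caught because it collapses onto "password", the same normalisation an attacker's wordlist rules apply. And the breach lookup never sends the password or its full hash anywhere; with a real range API only the five-character prefix leaves the host, so the check can be added to a registration flow without creating a new place where plaintext secrets travel. When a candidate is rejected, SP 800-63B also requires telling the user why and asking for a different secret, which is what the standard screen Craig proposes does.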
AppDefects
Community Champion


@CraginS wrote:

Please change to a longer multi word passphrase as described in the full guidance."

Since implementing password phrases our organization has seen a spike in "post-it note" purchase requests. No kidding! To be secure, some users are writing their passwords on the back to fool us. But we catch 'em.

AppDefects
Community Champion

Remember password I do.

jimscard
Newcomer III

If your organization would like to implement the new NIST Password recommendations, the need for PCI DSS compliance is not something standing in your way.

There is an FAQ on the PCI SSC website covering this situation. As the SSC points out, entities are allowed to implement alternative controls other than those specified in the standard as long as the intent of the PCI DSS requirements is met.

The FAQ specifically mentions the NIST SP 800-63B alternative controls, and points out the importance of considering all of the recommendations as a complete set of controls, rather than looking at them in isolation.

Can organizations use alternative password management methods to meet PCI DSS Requirement 8?

To avoid the "post-it" problem, most organizations implementing the NIST guidance also provide the ability for users to manage those unique, strong passwords with an automated password manager that utilizes multi-factor authentication for access to the password wallet.

Jim Scardelis, M.S., CISSP, CISA, CEH, PCI Secure Software, Secure SLC, P2PE, P2PE Application & 3DS Assessor, PCIP, CIPP/US, CIPP/C, CIPP/E, CIPT, CTT+
Any views or opinions contained in this communication are solely those of the author.
rdaniels
Viewer III

Does this also apply to privilege level Administrative Passwords?

jimscard
Newcomer III

Hi,
Yes, the guidance applies to all user passwords, including those for administrators / elevated privilege users.