How are organizations screening passwords to be fully compliant with the new NIST standard? A manual process will not work for my organization.
Thanks, Tom
Tom,
You should not be screening existing passwords. The password policies must first be rewritten to move away from the timed renewal, complexity, and length standards to match the current NIST SP 800-63-3. Once you have clear guidance in hand, the sysadmins responsible for the IDAM software must change the existing settings on your password registration software to apply the new policies as each user creates a new password.
The only person applying a manual password compliance process to actual passwords should be the user creating the password. If you are not currently using a password approval module in your IDAM software, essentially making compliance with current password policy the responsibility of the end user, then you should continue that simple process, simply telling all users what the new policy is so they can update with better passwords when they wish.
Oh, and make darn sure you update the password registration database to allow for very long passwords that allow at a minimum all keyboard-accessible characters, including spaces and all symbols. Move away from the rules not allowing key script characters as an unnecessary protection against *ix script insertion.
Good luck!
Craig
We're not moving to the NIST standards, due to PCI DSS, which has old school style password complexity and aging requirements as part of the mandated compliance. Instead we're simply encouraging users to select longer passwords when they expire. Once we get to a position of having significantly reduced sign on, we'll be able to revisit.
Thanks Craig. I do understand all of the information you have kindly provided. I am looking for specific advice for screening the newly created passwords to prevent extremely simple passwords from being used for even a short period of time.
Thanks again,
Tom
Tom,
OK, got it. Excellent to be considering that side of the challenge.
An easy way to do that is to add a function to the password registration validity check that matches the proposed password against a master list of very poor passwords (e.g. password, 123456, P@ssw0rd, etc.) and if there is a match have a standard screen that rejects that one telling the user,
"You have selected a very common short password often easily guessed by intruders. Please change to a longer multi-word passphrase as described in the full guidance."
There are plenty of lists of common and easily compromised passwords you can use for this step.
Good luck,
Craig
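The blocklist check Craig describes, worked through as an added example that is not code from the original thread or from any IDAM product. It also covers the other checks NIST SP 800-63B section 5.1.1.2 lists for a new memorized secret (repetitive or sequential characters, context-specific words such as the username or service name); the sample blocklist, the minimum-length constant and the trailing-digit stripping rule are this example's own assumptions.

```python
import re
from typing import Iterable, Optional

# Constructed sample blocklist for this example; a real deployment loads a
# large list of common and breached passwords instead of these six entries.
COMMON_PASSWORDS = {"password", "123456", "p@ssw0rd", "qwerty", "letmein", "welcome1"}

MIN_LENGTH = 8  # SP 800-63B minimum length for a user-chosen memorized secret

REJECT_MESSAGE = ("You have selected a very common short password often easily guessed "
                  "by intruders. Please change to a longer multi-word passphrase as "
                  "described in the full guidance.")


def _has_sequential_run(s: str, run: int = 4) -> bool:
    """True if s contains `run` characters stepping by exactly +1 or -1 (e.g. 'abcd', '4321')."""
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if diffs in ({1}, {-1}):
            return True
    return False


def screen_password(candidate: str, context_words: Iterable[str] = ()) -> Optional[str]:
    """Return None if the candidate passes, otherwise a short reason for rejection.

    Checks, in order: minimum length, blocklist of common/breached values,
    repetitive or sequential characters, and context-specific words.
    """
    if len(candidate) < MIN_LENGTH:
        return "too short"
    lowered = candidate.lower()
    # Match the blocklist both as typed and with trailing digits/symbols removed,
    # so 'Password123!' is caught as 'password'. The stripping rule is an assumption
    # of this example, not something SP 800-63B prescribes.
    stripped = re.sub(r"[\d\W_]+$", "", lowered)
    if lowered in COMMON_PASSWORDS or stripped in COMMON_PASSWORDS:
        return "common password"
    # Four or more identical characters in a row, or a 4-character sequence.
    if re.search(r"(.)\1{3,}", lowered) or _has_sequential_run(lowered):
        return "repetitive or sequential characters"
    for word in context_words:
        if word and word.lower() in lowered:
            return "contains context-specific word"
    return None
```

A registration form would call `screen_password(new_password, context_words=(username, "YourOrg"))` and show `REJECT_MESSAGE` whenever the result is not None; the reason string is for logging, not for the user.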
@CraginS wrote:
"Please change to a longer multi-word passphrase as described in the full guidance."
Since implementing password phrases our organization has seen a spike in "post-it note" purchase requests. No kidding! To be secure some users are writing their passwords on the back to fool us. But we catch 'em.
If your organization would like to implement the new NIST Password recommendations, the need for PCI DSS compliance is not something standing in your way.
There is an FAQ on the PCI SSC Web Site covering this situation. As the SSC points out, entities are allowed to implement alternative controls other than those specified in the standard as long as the intent of the PCI DSS requirements is met.
The FAQ specifically mentions the NIST SP 800-63B alternative controls, and points out the importance of considering all of the recommendations as a complete set of controls, rather than looking at them in isolation.
Can organizations use alternative password management methods to meet PCI DSS Requirement 8?
To avoid the "post-it" problem, most organizations implementing the NIST guidance also provide the ability for users to manage those unique, strong passwords with an automated password manager that utilizes multi-factor authentication for access to the password wallet.
Does this also apply to privilege-level administrative passwords?