Newcomer II

NIST Password Standard

How are organizations screening passwords to be fully compliant with the new NIST standard?  A manual process will not work for my organization.

Thanks, Tom

7 Replies
Community Champion

Re: NIST Password Standard


@apbanohit wrote:

How are organizations screening passwords to be fully compliant with the new NIST standard?  A manual process will not work for my organization.

Thanks, Tom


Tom,

You should not be screening existing passwords. The password policies must first be rewritten to move away from the timed renewal, complexity, and length standards to match the current NIST SP 800-63-3. Once you have clear guidance in hand, the sysadmins responsible for the IDAM software must change the existing settings on your password registration software to apply the new policies as each user creates a new password.

 

The only person applying a manual password compliance process to actual passwords should be the user creating the password. If you are not currently using a password approval module in your IDAM software, essentially making compliance with current password policy the responsibility of the end user, then you should continue that simple process, simply telling all users what the new policy is so they can update with better passwords when they wish.

 

Oh, and make darn sure you update the password registration database to allow for very long passwords that allow at a minimum all keyboard-accessible characters, including spaces and all symbols. Move away from the rules not allowing key script characters as an unnecessary protection against *ix script insertion.

 

Good luck!

 

Craig

Dr. D. Cragin Shelton, CISSP
Dr.Cragin@iCloud.com
https://CraginS.blogspot.com/
My Community Profile
My LinkedIn Profile
Advocate I

Re: NIST Password Standard

We're not moving to the NIST standards, due to PCI DSS, which has old school style password complexity and aging requirements as part of the mandated compliance.  Instead we're simply encouraging users to select longer passwords when they expire.  Once we get to a position of having significantly reduced sign on, we'll be able to revisit.

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
Newcomer II

Re: NIST Password Standard

Thanks Craig.  I do understand all of the information you have kindly provided.  I am looking for specific advice for screening the newly created passwords to prevent extremely simple passwords from being used for even a short period of time.

Thanks again,

Tom

Community Champion

Re: NIST Password Standard


@apbanohit wrote:

Thanks Craig.  I do understand all of the information you have kindly provided.  I am looking for specific advice for screening the newly created passwords to prevent extremely simple passwords from being used for even a short period of time.

Thanks again,

Tom


Tom,

OK... got it. Excellent to be considering that side of the challenge.

 

An easy way to do that is to add a function to the password registration validity check that matches the proposed password against a master list of very poor passwords (e.g. password, 123456, P@ssw0rd, etc.) and if there is a match have a standard screen that rejects that one telling the user,

"You have selected a very common short password often easily guessed by intruders. Please change to a longer multi word passphrase as described in the full guidance."

 

There are plenty of lists of common and easily compromised passwords you can use for this step.

 

Good luck,

 

Craig

Dr. D. Cragin Shelton, CISSP
Dr.Cragin@iCloud.com
https://CraginS.blogspot.com/
My Community Profile
My LinkedIn Profile
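One way to implement the blocklist screen Craig describes above, together with the "allow very long passwords, spaces and all symbols, no composition rules" point from his first reply, as an added example that is not code from the thread or from any IDAM product. The blocklist is a constructed sample standing in for a real common/compromised-password list; the 8 and 64 character bounds are the ones NIST SP 800-63B sets for user-chosen memorized secrets; the username check is the 800-63B "context-specific words" rule.

```python
import unicodedata
from typing import Tuple

# Constructed sample blocklist. A real deployment loads a large list of
# common and breached passwords; the thread names the first three entries.
COMMON_PASSWORDS = {"password", "123456", "p@ssw0rd", "qwerty", "letmein"}

MIN_LENGTH = 8    # SP 800-63B minimum for user-chosen memorized secrets
MAX_LENGTH = 64   # SP 800-63B: verifiers SHOULD accept at least 64 characters

# Standard rejection screen, worded as in the reply above.
REJECT_MSG = ("You have selected a very common short password often easily "
              "guessed by intruders. Please change to a longer multi word "
              "passphrase as described in the full guidance.")


def normalize(secret: str) -> str:
    # NFKC normalization (800-63B) so equivalent Unicode forms compare equal
    return unicodedata.normalize("NFKC", secret)


def screen_password(candidate: str, username: str = "") -> Tuple[bool, str]:
    """Return (accepted, message).

    No composition rules: spaces and any printable character are fine.
    Only the blocklist, the length bounds and context words are checked.
    """
    secret = normalize(candidate)
    folded = secret.casefold()  # case-insensitive comparison
    # Also catch trivial padding such as "password1!" around a listed word
    stripped = folded.rstrip("0123456789!")
    if folded in COMMON_PASSWORDS or stripped in COMMON_PASSWORDS:
        return False, REJECT_MSG
    if len(secret) < MIN_LENGTH:
        return False, f"Password must be at least {MIN_LENGTH} characters."
    if len(secret) > MAX_LENGTH:
        return False, f"Password must be at most {MAX_LENGTH} characters."
    # Context-specific word: the account's own username is not a secret
    if username and username.casefold() in folded:
        return False, "Password must not contain your username."
    return True, "Accepted."


if __name__ == "__main__":
    for pw in ["P@ssw0rd", "password1!", "short", "correct horse battery staple"]:
        print(repr(pw), screen_password(pw, username="tom"))
```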
Community Champion

Re: NIST Password Standard


@CraginS wrote:

Please change to a longer multi word passphrase as described in the full guidance."

Since implementing password phrases our organization has seen a spike in "post-it note" purchase requests. No kidding! To be secure some users are writing their passwords on the back to fool us. But we catch 'em.

Community Champion

Re: NIST Password Standard

Remember password I do.

Newcomer III

Re: NIST Password Standard

If your organization would like to implement the new NIST Password recommendations, the need for PCI DSS compliance is not something standing in your way. 

 

There is an FAQ on the PCI SSC Web Site covering this situation. As the SSC points out, entities are allowed to implement alternative controls other than those specified in the standard as long as the intent of the PCI DSS requirements is met. 

 

The FAQ specifically mentions the NIST SP 800-63B alternative controls, and points out the importance of considering all of the recommendations as a complete set of controls, rather than looking at them in isolation.

 

Can organizations use alternative password management methods to meet PCI DSS Requirement 8?

 

To avoid the "post-it" problem, most organizations implementing the NIST guidance also provide the ability for users to manage those unique, strong passwords with an automated password manager that utilizes multi-factor authentication for access to the password wallet. 

Jim Scardelis, CISA, CISSP, PA-QSA(P2PE), QSA (P2PE) PCI 3DS Assessor, PCIP, CIPP/US, CIPP/C, CIPP/E, CIPT, MCSE

Any views or opinions contained in this communication are solely those of the author, and do not necessarily represent those of any organizations or entities the author may be associated with.