Educause Security Discussion mailing list archives

Re: NIST SP 800-63B and Passwords


From: Carlos S Lobato <clobato () NMSU EDU>
Date: Tue, 1 Aug 2017 02:33:40 +0000

Hello All,


I'm an Auditor and I would be in favor of this change if I were shown this NIST publication.  I just cannot imagine 
an auditor that would not be in favor if the risks were properly explained.


Carlos,
..............
Subject: Re: [SECURITY] NIST SP 800-63B and Passwords



We also shifted several years ago from 8 characters and lots of complexity to at least 15 characters. The only 
composition requirement now is that there has to be at least one letter, and they get to change once a year. Beyond 
that we talk about how length gives greater strength, and about remembering by using chunks (therefore "passphrases"). 
More than once I've shown the math to an auditor, who seemed to leave satisfied. Some departmental sysadmins have 
chosen to expire certain admin passwords more often, just to avoid having the conversation 😉.



Steve



===================

Steven Lovaas

Information Security Officer

Colorado State University

steven.lovaas () colostate edu

970-297-3707

===================



________________________________

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Ken Connelly <ken.connelly () UNI EDU>
Sent: Monday, July 31, 2017 6:53 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] NIST SP 800-63B and Passwords



Until your auditors catch up with the recommendations (I'm guessing that
will be 5-10 years if they're anything like ours), you'll have to
negotiate any relaxing with them.

For maybe 98% of our accounts here, i.e., normal end-user accounts with
little/no privs, we require minimum length of 15 and suggest multiple
categories of characters but don't actually require that and also
suggest that our users think "passphrase" rather than "password".  Those
passphrases expire after a year.  We went to this 2 or 3 years ago.
Prior to that, passwords were minimum 8, "complex" (3 of 4 categories),
and expired after 90 days.

- ken

On 7/31/17 7:11 PM, Miguel Hernandez wrote:

Colleagues,


A question about the latest version of NIST SP 800-63B (Authentication
and Lifecycle Management) (https://doi.org/10.6028/NIST.SP.800-63b).


Since its release in June, not a week has gone by without a handful of
IT folks stopping by and asking when we are going to (1) disable all
password complexity requirements and (2) stop requiring periodic
password changes.


As I’ve reviewed the NIST publication I note the two recommendations
quoted below which have fueled the above questions:


“Verifiers SHOULD NOT impose other composition rules (e.g., requiring
mixtures of different character types or prohibiting consecutively
repeated characters) for memorized secrets.”


“Verifiers SHOULD NOT require memorized secrets to be changed
arbitrarily (e.g., periodically).”


So my question is: Do any of you have a sense of urgency to disable
your password complexity checks and disable password expiration?  Is
this something you plan to implement over time?  Will you create some
relaxed version of your current password rules (for example, maybe
require at least upper and lower case, and extend password expiration
to 1 year)?  Or will you just continue with business as usual and make
no changes?


The use of the word “SHOULD” is of course non-mandatory language and
is only a recommendation.  There are some though who think these
recommendations are actually requirements and must be implemented
immediately.  I’d just like to get an idea of what my fellow higher-ed
institutions are doing.


Miguel Hernandez IV, Ph.D. CISSP, CISA
Associate Vice Chancellor ITS
Chief Information Security Officer
2411 West 14th Street, Tempe AZ 85281
email | miguel.hernandez () domail maricopa edu
website | https://www.maricopa.edu

*Follow me on Twitter <https://twitter.com/mh4phd>.*


--
- Ken
=================================================================
Ken Connelly                       Director, Information Security
Information Security Officer          University of Northern Iowa
email: Ken.Connelly () uni edu   p: (319) 273-5850 f: (319) 273-7373

Any request to divulge your UNI password via e-mail is fraudulent!
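Steve mentions "showing the math" to an auditor, and Ken describes the two concrete rule sets his institution moved between (minimum 8 with 3 of 4 character categories versus minimum 15 with, at most, a letter required). The following is an added example, not code from any of the posters or from NIST: it implements both checks as written in the thread and computes the search-space size that "length beats complexity" rests on. The function names, the 95-symbol printable alphabet and the sample passwords are assumptions made for the illustration.

```python
import math
import string

# Rule sets as described in the thread (assumed names, not any institution's code).
LEGACY_MIN_LEN = 8       # old policy: minimum 8, "complex" (3 of 4 categories), 90-day expiry
LENGTH_MIN_LEN = 15      # new policy: minimum 15, at least one letter, 1-year expiry

PRINTABLE_ASCII = 95     # assumed alphabet for the "complex" policy: letters, digits, symbols, space


def bits_of_entropy(alphabet_size: int, length: int) -> float:
    """Bits of search space for a uniformly random string of `length` symbols.

    This is the upper bound an auditor sees when comparing policies; real user
    choices are far from uniform, so treat it as a relative measure only.
    """
    return length * math.log2(alphabet_size)


def legacy_policy_ok(pw: str) -> bool:
    """Old-style rule: >= 8 characters and at least 3 of 4 categories."""
    if len(pw) < LEGACY_MIN_LEN:
        return False
    categories = (
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    )
    return sum(categories) >= 3


def length_policy_ok(pw: str) -> bool:
    """800-63B-style rule from the thread: >= 15 characters and at least one letter.

    No further composition rules are imposed, matching the quoted SHOULD NOT.
    Spaces are allowed so that multi-word passphrases pass.
    """
    return len(pw) >= LENGTH_MIN_LEN and any(c.isalpha() for c in pw)


def policy_comparison() -> dict:
    """Search-space bits for the two policies at their minimum lengths.

    Note the legacy figure is generous: the 3-of-4 rule actually removes
    strings from the 95^8 space, so the true count is somewhat smaller.
    """
    return {
        "legacy_8_printable": round(bits_of_entropy(PRINTABLE_ASCII, LEGACY_MIN_LEN), 1),
        "length_15_lowercase": round(bits_of_entropy(26, LENGTH_MIN_LEN), 1),
        "length_15_mixed_case": round(bits_of_entropy(52, LENGTH_MIN_LEN), 1),
    }


if __name__ == "__main__":
    # Constructed sample inputs for a quick demonstration.
    for sample in ("Tr0ub4d!", "correct horse battery staple", "123456789012345"):
        print(f"{sample!r:32} legacy={legacy_policy_ok(sample)!s:5} length={length_policy_ok(sample)}")
    print(policy_comparison())
```

The numbers are the point of the "math for the auditor": even a lowercase-only 15-character passphrase (about 70 bits) has a larger search space than an 8-character password drawn from all 95 printable characters (about 53 bits), and the composition rule only shrinks the latter further. The sample strings are constructed for the demonstration and are not claimed to be strong choices.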
