Interesting People mailing list archives
Vendors approve of NIST password draft
From: "Dave Farber" <dave () farber net>
Date: Tue, 09 May 2017 18:27:48 +0000
---------- Forwarded message --------- From: Richard Forno <rforno () infowarrior org> Date: Tue, May 9, 2017 at 1:59 PM Subject: Vendors approve of NIST password draft To: Infowarrior List <infowarrior () attrition org> Cc: Dave Farber <dave () farber net> (x-posted) Vendors approve of NIST password draft Standards group recommends removing periodic password change requirements By Ryan Francis Managing Editor, CSO | May 9, 2017 8:16 AM PT A recently released draft of the National Institute of Standards and Technology’s (NIST's) digital identity guidelines has met with approval by vendors. The draft guidelines revise password security recommendations and altering many of the standards and best practices security professionals use when forming policies for their companies. The new framework recommends, among other things: • Remove periodic password change requirements There have been multiple studies that have shown requiring frequent password changes to actually be counterproductive to good password security, said Mike Wilson, founder of PasswordPing. NIST said this guideline was suggested because passwords should be changed when a user wants to change it or if there is indication of breach. • Drop the algorithmic complexity song and dance No more arbitrary password complexity requirements needing mixtures of upper case letters, symbols and numbers. Like frequent password changes, it’s been shown repeatedly that these types of restrictions often result in worse passwords, Wilson adds. NIST said If a user wants a password that is just emojis they should be allowed. It’s important to note the storage requirements. Salting, hashing, MAC such that if a password file is obtained by an adversary an offline attack is very difficult to complete. • Require screening of new passwords against lists of commonly used or compromised passwords One of the best ways to ratchet up the strength of users’ passwords is to screen them against lists of dictionary passwords and known compromised passwords, he said. NIST adds that dictionary words, user names, repetitive or sequential patterns all should be rejected. "All three of these recommendations are things we have been advising for some time now and there are now password strength meters that screen for compromised credentials, not just commonly used passwords,” Wilson said. "While it wasn’t explicitly mentioned in the new NIST framework, we contend that another important security practice is periodically checking your user credentials against a list of known compromised credentials." NIST’s Paul Grassi, one of the authors of the report, noted that many of the above guidelines are now only strong suggestions and are not mandatory yet. The public comment period closed on May 1 and now the draft goes through an internal review process. It is expected to be completed by early to mid summer. “We look forward to a day in the near future when technology, culture, and user preference allows these requirements to be more broadly accepted. That said, we reviewed a lot of research in the space and determined that composition and expiration did little for security, while absolutely harming user experience. And bad user experience is a vulnerability in our minds,” he said. “We need technology to support this (not all password stores do), so we didn’t want to create requirements that agencies had no chance of meeting due to tech limitations.” < - > http://www.csoonline.com/article/3195181/data-protection/vendors-approve-of-nist-password-draft.html ------------------------------------------- Archives: https://www.listbox.com/member/archive/247/=now RSS Feed: https://www.listbox.com/member/archive/rss/247/18849915-ae8fa580 Modify Your Subscription: https://www.listbox.com/member/?member_id=18849915&id_secret=18849915-aa268125 Unsubscribe Now: https://www.listbox.com/unsubscribe/?member_id=18849915&id_secret=18849915-32545cb4&post_id=20170509142806:3D17A80A-34E5-11E7-B83A-DCA67A15C867 Powered by Listbox: http://www.listbox.com
Current thread:
- Vendors approve of NIST password draft Dave Farber (May 09)