Interesting People mailing list archives

Vendors approve of NIST password draft


From: "Dave Farber" <dave () farber net>
Date: Tue, 09 May 2017 18:27:48 +0000

---------- Forwarded message ---------
From: Richard Forno <rforno () infowarrior org>
Date: Tue, May 9, 2017 at 1:59 PM
Subject: Vendors approve of NIST password draft
To: Infowarrior List <infowarrior () attrition org>
Cc: Dave Farber <dave () farber net>


(x-posted)

Vendors approve of NIST password draft

Standards group recommends removing periodic password change requirements

 By Ryan Francis

Managing Editor, CSO | May 9, 2017 8:16 AM PT

A recently released draft of the National Institute of Standards and
Technology’s (NIST's) digital identity guidelines has met with approval by
vendors. The draft guidelines revise password security recommendations and
alter many of the standards and best practices security professionals
use when forming policies for their companies.

The new framework recommends, among other things:

        • Remove periodic password change requirements

There have been multiple studies that have shown requiring frequent
password changes to actually be counterproductive to good password
security, said Mike Wilson, founder of PasswordPing. NIST said this
guideline was suggested because passwords should be changed when a user
wants to change it or if there is indication of breach.

        • Drop the algorithmic complexity song and dance

No more arbitrary password complexity requirements needing mixtures of
upper case letters, symbols and numbers. Like frequent password changes,
it’s been shown repeatedly that these types of restrictions often result in
worse passwords, Wilson adds. NIST said if a user wants a password that is
just emojis they should be allowed. It’s important to note the storage
requirements: salting, hashing and MAC, such that if a password file is
obtained by an adversary an offline attack is very difficult to complete.

        • Require screening of new passwords against lists of commonly used
or compromised passwords

One of the best ways to ratchet up the strength of users’ passwords is to
screen them against lists of dictionary passwords and known compromised
passwords, he said. NIST adds that dictionary words, user names, repetitive
or sequential patterns all should be rejected.

“All three of these recommendations are things we have been advising for
some time now and there are now password strength meters that screen for
compromised credentials, not just commonly used passwords,” Wilson said.
“While it wasn’t explicitly mentioned in the new NIST framework, we contend
that another important security practice is periodically checking your user
credentials against a list of known compromised credentials.”

NIST’s Paul Grassi, one of the authors of the report, noted that many of
the above guidelines are now only strong suggestions and are not mandatory
yet. The public comment period closed on May 1 and now the draft goes
through an internal review process. It is expected to be completed by early
to mid summer.

“We look forward to a day in the near future when technology, culture, and
user preference allows these requirements to be more broadly accepted. That
said, we reviewed a lot of research in the space and determined that
composition and expiration did little for security, while absolutely
harming user experience. And bad user experience is a vulnerability in our
minds,” he said. “We need technology to support this (not all password
stores do), so we didn’t want to create requirements that agencies had no
chance of meeting due to tech limitations.”

< - >

http://www.csoonline.com/article/3195181/data-protection/vendors-approve-of-nist-password-draft.html
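As an added illustration of the screening recommendations in the forwarded article (this is example code, not code from NIST, CSO or the list), the following Python checks a candidate password against a constructed compromised-password list, a small dictionary, the user name, and repetitive or sequential patterns, and applies no composition rules, so an all-emoji password passes. The minimum length of 8, the NFKC normalization and the sample lists are assumptions of this example.

```python
import re
import unicodedata

# Constructed sample data for this example only; a real deployment would
# screen against a large compromised-password corpus and a full dictionary.
COMPROMISED = {"password", "123456", "qwerty", "letmein", "welcome1"}
DICTIONARY = {"password", "dragon", "monkey", "football", "welcome"}
MIN_LENGTH = 8  # assumed policy minimum, counted in Unicode code points


def _has_repetition(s, run=3):
    """True if any character appears `run` or more times in a row."""
    return re.search(r"(.)\1{%d,}" % (run - 1), s) is not None


def _has_sequence(s, run=4):
    """True if `run` or more code points rise or fall by exactly one in a
    row, e.g. 'abcd' or '4321'."""
    codes = [ord(c) for c in s.lower()]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        deltas = {b - a for a, b in zip(window, window[1:])}
        if deltas == {1} or deltas == {-1}:
            return True
    return False


def screen_password(candidate, username="",
                    compromised=COMPROMISED, dictionary=DICTIONARY):
    """Return the list of reasons to reject `candidate`; empty means accept.
    No upper/lower/digit/symbol mix is demanded: any Unicode is acceptable."""
    pw = unicodedata.normalize("NFKC", candidate)  # assumed normalization
    lowered = pw.lower()
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("too short")
    if lowered in compromised:
        reasons.append("found in compromised-password list")
    # Strip a trailing digit suffix so 'dragon123' still counts as 'dragon'.
    if re.sub(r"\d+$", "", lowered) in dictionary:
        reasons.append("dictionary word")
    if username and username.lower() in lowered:
        reasons.append("contains user name")
    if _has_repetition(pw):
        reasons.append("repetitive characters")
    if _has_sequence(pw):
        reasons.append("sequential characters")
    return reasons
```

The compromised-list lookup is shown as an in-memory set; against a corpus of hundreds of millions of entries it would be a hashed lookup or a range query to a breach-check service instead.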
