Tag Archives: it security

NIST’s recommended password policy evolves

12 Aug

As imperfect a means of authentication as they are, “memorized secrets” like passwords, pass phrases and PINs are common, and indeed are the primary means of authentication for most computer systems. In June, the National Institute of Standards and Technology issued a new publication on digital identity management that, in part, recommends changes to password policy that has become standard in many organizations – policy requiring passwords with special characters.

Here is what the NIST says:

Memorized secrets SHALL be at least 8 characters in length if chosen by the subscriber. Memorized secrets chosen randomly by the CSP or verifier SHALL be at least 6 characters in length and may be entirely numeric. If the CSP or verifier disallows a chosen memorized secret based on its appearance on a blacklist compromised values, the subscriber SHALL be required to choose a different memorized secret. No other complexity requirements for memorize secrets SHOULD be imposed.

The NIST believes that the complexity derived from special characters is of limited benefit to security, yet creates (well known) useability problems and promotes “counterproductive” user behaviour – writing passwords down or storing them electronically in plain text. It’s better, according to the NIST, to allow for long passwords (that may incorporate spaces) and use other protective measures such as password blacklists, secure hashed password storage and limits to the number of failed authentication attempts.

The NIST publication includes other related guidance, including a recommendation against routine password resetting.

NIST Special Publication 800-63B – Digital Identity Guidelines (June 2017)

Advertisements

The science of breach prevention and the art of breach response

21 Mar

Data loss prevention and response is a big topic now! The HRSDC lost hard drive is about a huge (but seemingly benign) incident that has attracted great attention. We also have the Obama administration’s attention to corporate network security – such attention given at a time in which sacrifices are being made to corporate network security based on trends such as BYOD.

Here is a practical guide that we’ve prepared to address the salient issues. We hope it’s useful to you.

BYOD policy – Charting a good path to higher ground

16 Jan

This is just a cross-post to a piece of mine that we’ve published  on the Hicks Morley website. Here’s a link and a teaser:

The desire to use personal mobile devices to undertake work has risen like the incoming tide. Employers must make a choice: turn the tide on the use of personal devices by re-enforcing an outright ban or chart a thoughtful path to higher “Bring Your Own Device” or “BYOD” ground. Employers that do neither will sink into the mire of unreasonable IT security risk. This FTR Now discusses the pros and cons of adopting policy that allows employees to use a personal mobile device for work and the aims of proper BYOD policy.