There’s a great Sophos column on the new password “rules” around NIST:
https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/
https://pages.nist.gov/800-63-3/sp800-63b.html
These rule changes address a lot of common-sense frustration with passwords; they’ve stirred some excitement (no, really) and are bound to hit the desks of InfoSec managers and consultants.
Before end users and software developers go holding up NIST as some kind of rule book on passwords, it’s important to remember that NIST is not a set of rules; it’s a set of guidelines. Whether or not your organization chooses to apply these guidelines is up to your security governance.
The two big frustrations are on the way out:
- Character classes or “composition rules”
- Arbitrary password change requirements
However! There’s a lot more to password rules than common sense.
Consider:
- Compliance programs (e.g., PCI, SOC2, ISO) — will changing your practices put you out of compliance?
- Capabilities of your tools — do they support “common password” searches? Do they support more than 64 characters? Do they support Unicode?
- The nature of the secret — does routine password expiration make sense?
- Does the vendor hash passwords per NIST?
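As an added example (not code from the Sophos piece or from NIST), here is what a tool that supports these capabilities looks like in Python: a checker with no composition rules that normalizes Unicode, accepts long passphrases, screens against a blocklist, and stores the secret as a salted, iterated hash. The minimum of 8, the 64-character floor, NFKC normalization, the blocklist categories, and the salt/iteration minimums come from SP 800-63B; the tiny blocklist, the 256 cap and the 600,000 iteration default are assumptions of this example.

```python
import hashlib
import hmac
import os
import unicodedata

# Constructed stand-in for a breached/common-password corpus (real deployments use a large list).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}
MIN_LEN = 8       # SP 800-63B: user-chosen secrets must be at least 8 characters
MAX_LEN = 256     # SP 800-63B: at least 64 must be accepted; cap only to bound hashing cost (assumed)

def normalize(secret: str) -> str:
    # NFKC so the same visible string hashes identically at enrolment and at login.
    return unicodedata.normalize("NFKC", secret)

def is_repetitive_or_sequential(s: str) -> bool:
    # "aaaaaaaa", "12345678", "zyxwvuts" and the like are rejected by the guideline.
    if len(set(s)) == 1:
        return True
    steps = {b - a for a, b in zip(map(ord, s), map(ord, s[1:]))}
    return steps in ({1}, {-1})

def check_password(candidate: str, username: str = "", blocklist=COMMON_PASSWORDS) -> list:
    """Return rejection reasons; empty list means acceptable. No composition rules on purpose."""
    pw = normalize(candidate)
    reasons = []
    if len(pw) < MIN_LEN:            # len() counts code points, as the guideline requires
        reasons.append("too short")
    if len(pw) > MAX_LEN:
        reasons.append("too long")
    if pw.lower() in blocklist:      # compromised / dictionary words
        reasons.append("on blocklist")
    if username and username.lower() in pw.lower():   # context-specific words
        reasons.append("contains username")
    if is_repetitive_or_sequential(pw):
        reasons.append("repetitive or sequential")
    return reasons

def hash_for_storage(secret: str, salt=None, iterations: int = 600_000) -> tuple:
    # Salted, iterated PBKDF2-HMAC-SHA256 over the normalized UTF-8 bytes; 800-63B asks for
    # a salt of at least 32 bits and at least 10,000 iterations (use far more today).
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(secret).encode("utf-8"), salt, iterations)
    return salt, iterations, digest

def verify_password(candidate: str, salt: bytes, iterations: int, digest: bytes) -> bool:
    _, _, got = hash_for_storage(candidate, salt, iterations)
    return hmac.compare_digest(got, digest)
```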
As with any change in public standards or guidelines, savvy technical users such as developers might get excited, cherry-picking the parts of the standards they would like to see imposed immediately. Internal policies can’t be developed this way: the issues around your organization’s password policies need to be considered carefully, and ideally these NIST notes should be added to your InfoSec policy manuals for their annual review.
These NIST changes will inform other standards and InfoSec policies, and similar practices will percolate down through customer requirements.
If you’re part of a software development shop, it is wise to ensure that the application teams get these kinds of features and requirements on their roadmaps. It can take a long time to support these capabilities.
But for now, keep your weird character classes and awkward passwords, until your tools and your complete infosec policies can catch up with the NIST guidelines.