Wednesday 23 November 2016

NIST – a new set of password policies and guidelines

I stumbled across this article on NIST’s new password guidance this morning, and I was impressed. The rules contain a lot of common sense practices, but they also challenge everyday practices that are currently in use. The highlights for me are:

  1. Cease using SMS to deliver tokens: it is too easy for someone to intercept the codes.
  2. Death to knowledge-based questions: Mother’s maiden name? Easily discovered. Favourite book as a child? This changes depending on the mood I’m in.

It looks like the official page has been changed to a “coming soon” style page whilst the process of formalising the rules progresses.

As usual, Hacker News has a thorough discussion and it raises some excellent points:

  1. Salting is going to be a pain for the companies that use Active Directory.
  2. The guidelines conflict with PCI compliance.
  3. Theatre and security are so intertwined it is hard to tell where one starts and the other stops.

If you’re reading this in the future then the new NIST password guidance may now be online.