Educause Security Discussion mailing list archives

Re: NIST SP 800-63B and Passwords


From: Laura Raderman <lraderman () CMU EDU>
Date: Tue, 1 Aug 2017 12:42:38 +0000

Also keep in mind that there are some regulations (PCI comes to mind) which explicitly require changing passwords on a 
specified schedule.  Until the DSS is changed, you *might* get away with a compensating control, but then you have to 
explain the recommendations to your bank, who are likely non-technical.  We’ve separated out our “PCI” accounts so that 
only they are subject to the change requirement; all other accounts don’t require changing unless someone suspects 
compromise or sharing.

Laura


Laura Raderman
ISO Policy & Compliance Coordinator
Carnegie Mellon University
lraderman () cmu edu

On Jul 31, 2017, at 8:11 PM, Miguel Hernandez <miguel.hernandez () DOMAIL MARICOPA EDU> wrote:

Colleagues,

A question about the latest version of NIST SP 800-63B (Authentication and Lifecycle Management) 
(https://doi.org/10.6028/NIST.SP.800-63b).  

Since its release in June, not a week has gone by without a handful of IT folks stopping by and asking when we are 
going to (1) disable all password complexity requirements and (2) stop requiring periodic password changes.  

As I’ve reviewed the NIST publication I note the two recommendations quoted below which have fueled the above 
questions:

“Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or 
prohibiting consecutively repeated characters) for memorized secrets.”

“Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).”

So my question is: Do any of you have a sense of urgency to disable your password complexity checks and disable 
password expiration?  Is this something you plan to implement over time?  Will you create some relaxed version of 
your current password rules (for example, maybe require at least upper and lower case, and extend password expiration 
to 1 year)?  Or will you just continue with business as usual and make no changes?  

The use of the word “SHOULD” is of course non-mandatory language and is only a recommendation.  There are some though 
who think these recommendations are actually requirements and must be implemented immediately.  I’d just like to get 
an idea of what my fellow higher-ed institutions are doing.  

Miguel Hernandez IV, Ph.D. CISSP, CISA
Associate Vice Chancellor ITS
Chief Information Security Officer
2411 West 14th Street, Tempe AZ 85281
email | miguel.hernandez () domail maricopa edu
website | https://www.maricopa.edu
Follow me on Twitter.

This message contains information which may be confidential and/or privileged. If you are not the intended recipient 
of this message, please notify the sender, delete and do not use or disseminate this information.
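The two quoted recommendations are easier to weigh side by side in code. The block below is an added illustration, not code from either poster or from NIST: it contrasts a legacy composition-rule checker with a verifier written the way SP 800-63B section 5.1.1.2 describes (minimum length, NFKC normalization, a blocklist of common or compromised values, and context-specific words such as a username). The blocklist entries, usernames and candidate passwords are constructed samples, and the upper length cap is an assumed implementation limit (the publication only says verifiers SHOULD permit at least 64 characters).

```python
"""Legacy composition rules versus an SP 800-63B style memorized-secret check.

Added example; not code from the mailing list thread or from NIST.
"""
import unicodedata

# Constructed sample blocklist. 800-63B asks verifiers to compare a candidate
# against commonly used, expected, or compromised values; a real deployment
# would load a large breach-derived list rather than these few entries.
SAMPLE_BLOCKLIST = {
    "password", "password1", "qwerty123", "letmein", "welcome1",
    "p@ssw0rd", "autumn2017!",
}

MIN_LENGTH = 8     # 800-63B minimum for subscriber-chosen memorized secrets
MAX_LENGTH = 256   # assumed cap; 800-63B only requires permitting >= 64


def legacy_complexity_check(secret: str) -> list[str]:
    """The kind of composition rules 800-63B says SHOULD NOT be imposed:
    mixtures of character types and a ban on consecutive repeats."""
    problems = []
    if not any(c.isupper() for c in secret):
        problems.append("needs an uppercase letter")
    if not any(c.islower() for c in secret):
        problems.append("needs a lowercase letter")
    if not any(c.isdigit() for c in secret):
        problems.append("needs a digit")
    if not any(not c.isalnum() for c in secret):
        problems.append("needs a symbol")
    if any(a == b for a, b in zip(secret, secret[1:])):
        problems.append("consecutive repeated characters are prohibited")
    return problems


def nist_800_63b_check(secret: str, blocklist=SAMPLE_BLOCKLIST,
                       context_terms=()) -> list[str]:
    """What 800-63B asks for instead: length bounds, Unicode normalization,
    a blocklist comparison, and rejection of context-specific words."""
    # 800-63B recommends NFKC or NFKD so that visually equivalent Unicode
    # input produces the same secret at enrollment and at login.
    normalized = unicodedata.normalize("NFKC", secret)
    problems = []
    if len(normalized) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(normalized) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    lowered = normalized.lower()
    if lowered in blocklist:
        problems.append("appears on the blocklist of common or compromised secrets")
    # e.g. the service name or the username (constructed values in the demo)
    for term in context_terms:
        if term.lower() in lowered:
            problems.append(f"contains context-specific term {term!r}")
    return problems


if __name__ == "__main__":
    # Constructed candidates: a long passphrase the legacy rules reject,
    # and a blocklisted value the legacy rules happily accept.
    for candidate in ("correct horse battery staple", "Autumn2017!", "Ab1!"):
        print(f"{candidate!r}:")
        print("  legacy :", legacy_complexity_check(candidate) or "accepted")
        print("  800-63B:", nist_800_63b_check(candidate) or "accepted")
    print(nist_800_63b_check("Jdoe-is-great-2017", context_terms=("jdoe",)))
```

The contrast is the point of the 800-63B text: the passphrase fails the composition rules on three counts while being a strong secret, and the seasonal password satisfies every composition rule while sitting on the blocklist. Periodic expiration is absent from the verifier entirely; the publication reserves forced changes for evidence of compromise, which matches the practice Laura describes for non-PCI accounts.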

