Educause Security Discussion mailing list archives

NIST SP 800-63B and Passwords


From: Miguel Hernandez <miguel.hernandez () DOMAIL MARICOPA EDU>
Date: Mon, 31 Jul 2017 17:11:52 -0700

Colleagues,

A question about the latest version of NIST SP 800-63B (Authentication and
Lifecycle Management) (https://doi.org/10.6028/NIST.SP.800-63b).

Since its release in June, not a week has gone by without a handful of IT
folks stopping by and asking when we are going to (1) disable all password
complexity requirements and (2) stop requiring periodic password changes.

As I’ve reviewed the NIST publication I note the two recommendations quoted
below which have fueled the above questions:

“Verifiers SHOULD NOT impose other composition rules (e.g., requiring
mixtures of different character types or prohibiting consecutively repeated
characters) for memorized secrets.”

“Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily
(e.g., periodically).”

So my question is: Do any of you have a sense of urgency to disable your
password complexity checks and disable password expiration?  Is this
something you plan to implement over time?  Will you create some relaxed
version of your current password rules (for example, maybe require at least
upper and lower case, and extend password expiration to 1 year)?  Or will
you just continue with business as usual and make no changes?

The use of the word “SHOULD” is of course non-mandatory language and is
only a recommendation.  There are some though who think these
recommendations are actually requirements and must be implemented
immediately.  I’d just like to get an idea of what my fellow higher-ed
institutions are doing.

Miguel Hernandez IV, Ph.D. CISSP, CISA
Associate Vice Chancellor ITS
Chief Information Security Officer
2411 West 14th Street, Tempe AZ 85281
email | miguel.hernandez () domail maricopa edu
website | https://www.maricopa.edu
Follow me on Twitter: https://twitter.com/mh4phd

This message contains information which may be confidential and/or
privileged. If you are not the intended recipient of this message, please
notify the sender, delete and do not use or disseminate this information.
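
As an added illustration (not part of the post or of NIST's text), the three policies the question contrasts are written below as verifier checks so their behaviour on the same inputs can be compared. The 8-character floor and the blocklist comparison are what 800-63B section 5.1.1.2 specifies; the legacy thresholds, the sample passwords and the small blocklist are constructed for the example.

```python
import re

# Constructed stand-in for the list of commonly used or compromised secrets
# that 800-63B section 5.1.1.2 tells verifiers to compare candidates against.
COMPROMISED = {"password1", "Summer2017!", "qwerty123", "letmein"}

CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def legacy_check(pw, age_days):
    """Typical pre-800-63B policy (thresholds constructed): 8+ characters,
    3 of 4 character classes, no run of three identical characters,
    forced change every 90 days.  Returns the list of failed rules."""
    reasons = []
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    if sum(bool(re.search(p, pw)) for p in CLASS_PATTERNS) < 3:
        reasons.append("fewer than 3 of 4 character classes")
    if re.search(r"(.)\1\1", pw):
        reasons.append("consecutively repeated characters")
    if age_days > 90:
        reasons.append("older than 90 days")
    return reasons


def relaxed_check(pw, age_days):
    """The compromise the post floats: only upper and lower case required,
    expiration stretched to one year."""
    reasons = []
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)):
        reasons.append("needs both upper and lower case")
    if age_days > 365:
        reasons.append("older than 1 year")
    return reasons


def sp800_63b_check(pw):
    """800-63B section 5.1.1.2: length floor plus blocklist comparison only.
    No composition rules and no age check, per the two SHOULD NOTs quoted."""
    reasons = []
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    if pw in COMPROMISED:
        reasons.append("on the commonly-used/compromised list")
    return reasons
```

On the constructed inputs, a blocklisted but "complex" secret such as Summer2017! passes the legacy and relaxed checks and fails only the 800-63B check, while a long lowercase passphrase passes 800-63B and fails the other two.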
