NIST Updates Password Guidance
New Threats Require New Approaches
NIST on Tuesday issued a draft special publication, Guide to Enterprise Password Management, to build awareness of the rapidly evolving threats against passwords. In the guidance, NIST advises agencies to consider several mitigation strategies, including secure storage and transmission of passwords, user awareness activities, and secure password recovery and reset mechanisms.
The guide is also designed to raise awareness of the changing threats against passwords. According to NIST, most organizations' policies rely primarily on password strength: an organization might require, for example, that passwords be a certain length and include a variety of letters, digits and symbols. These policies were created to protect against brute-force password guessing and cracking.
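The two mechanisms mentioned so far, a length-and-character-class strength policy and secure storage of the stored password, are easy to confuse, so the following example puts them side by side. It is added here for illustration and is not code from NIST or from SP 800-118; the policy thresholds, the PBKDF2 iteration count and the record format are assumptions chosen for the example, not values the draft prescribes. The policy check only raises the cost of online guessing; the salted, iterated hash only raises the cost of offline cracking if the credential store is stolen. Neither does anything against the phishing and keystroke-logging threats the guide highlights, which is the article's point.

```python
import hashlib
import hmac
import os
import string
from typing import List, Optional

# Assumed parameters for this example (not prescribed by SP 800-118).
PBKDF2_ITERATIONS = 600_000   # slows offline cracking of a stolen record
SALT_BYTES = 16               # per-password random salt defeats precomputed tables
HASH_NAME = "sha256"


def check_policy(password: str, min_length: int = 12, min_classes: int = 3) -> List[str]:
    """Return the list of strength-policy violations (empty list = passes).

    This is the length / character-class rule the article describes. It
    only makes brute-force guessing more expensive; a phished or keylogged
    password passes it just as well as any other.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < min_classes:
        problems.append(f"fewer than {min_classes} character classes")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: 'pbkdf2_<hash>$<iterations>$<salt hex>$<digest hex>'.

    The plaintext password is never stored; the salt and iteration count are
    stored with the digest so they can be changed per record over time.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac(
        HASH_NAME, password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_{HASH_NAME}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    hash_name = algo.split("_", 1)[1]          # 'pbkdf2_sha256' -> 'sha256'
    candidate = hashlib.pbkdf2_hmac(
        hash_name, password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    pw = "correct horse battery staple"   # constructed sample input
    print("policy violations:", check_policy(pw))
    rec = hash_password(pw)
    print("stored record:", rec)
    print("verify correct:", verify_password(pw, rec))
    print("verify wrong:  ", verify_password(pw + "r", rec))
```

Two records for the same password differ because each gets its own salt, so an attacker who steals the store cannot spot reused passwords or amortize cracking work across accounts; verification still succeeds for both because the salt travels inside the record.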
But publication coauthor Karen Scarfone says strong passwords don't necessarily help because threats have changed. "Phishing attacks and other forms of social engineering trick users into revealing their passwords," Scarfone says in a statement accompanying release of the draft publication. "Spyware in web browsers and keystroke loggers provide attackers with all the keystrokes someone makes, including passwords."
Scarfone says using effective password management as described in the guide will reduce the likelihood and impact of password compromises.
Among the guide's recommendations:
- Educate users about threats against passwords and how they should respond.
- Password-based authentication should be replaced with, or supplemented by, stronger forms of authentication such as biometrics or personal identity verification (PIV) cards for applications with high security requirements.
NIST requests comments on draft SP 800-118 by May 29. Please submit comments to 800-118comments@nist.gov with "Comments SP 800-118" in the subject line.