TRENDING:

NIST Updates Password Guidance

New Threats Require New Approaches Eric Chabrow (GovInfoSecurity) • April 21, 2009    
NIST Updates Password Guidance
New guidance on enterprise password management from the National Institute of Standards and Technology is aimed at helping federal government agencies mitigate common threats against character-based passwords.

NIST on Tuesday issued on a draft special publication, Guide to Enterprise Password Management, to build awareness of the rapidly evolving threats against passwords. NIST, in its guidance, advises agencies to consider employing several mitigation strategies, including secure storage and transmission of passwords, user awareness activities and secure password recovery and reset mechanisms.

The guide also is designed to raise awareness of the changing threats against passwords. According to NIST, most organizations' policies rely primarily on password strength an organization might require, for example, that passwords be a certain length and include a variety of letters, digits and symbols. These policies were created to protect against brute-force password guessing and cracking.

But publication coauthor Karen Scarfone says strong passwords don't necessarily help because threats have changed. "Phishing attacks and other forms of social engineering trick users into revealing their passwords," Scarfone says in a statement accompanying release of the draft publication. "Spyware in web browsers and keystroke loggers provide attackers with all the keystrokes someone makes, including passwords."

Scarfone says using effective password management as described in the guide will reduce the likelihood and impact of password compromises.

Among the guide's recommendations:

  • Educate users about threats against passwords and how they should respond.
  • Password-based authentication should be replaced with, or supplemented by, stronger forms of authentication such as biometrics or personal identity verification (PIV) cards for applications with high security requirements.

NIST requests comments on draft SP 800-118 by May 29. Please submit comments to 800-118comments@nist.gov with "Comments SP 800-118" in the subject line.

Previous
If We Are Not a Team, We Lose
Next
Getting the Cybersecurity Organization Right

About the Author

Eric Chabrow

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.



Around the Network

Why Banks Find It Hard to Tackle Authorized Fraud
Why Banks Find It Hard to Tackle Authorized Fraud
Protecting the Hidden Layer in Neural Networks
Protecting the Hidden Layer in Neural Networks
David Derigiotis on the Complex World of Cyber Insurance
David Derigiotis on the Complex World of Cyber Insurance
Are We Doomed? Not If We Focus on Cyber Resilience
Are We Doomed? Not If We Focus on Cyber Resilience
Healthcare CISO Group Focuses on Third-Party Risk Challenges
Healthcare CISO Group Focuses on Third-Party Risk Challenges
Organization-Wide Passwordless Orchestration
Organization-Wide Passwordless Orchestration
The Persisting Risks Posed by Legacy Medical Devices
The Persisting Risks Posed by Legacy Medical Devices
How Cyberattacks Affect CISOs
How Cyberattacks Affect CISOs
Securing the SaaS Layer
Securing the SaaS Layer
Why Is Meta Choosing to Settle Over Cambridge Analytica?
Why Is Meta Choosing to Settle Over Cambridge Analytica?

Continue »

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.