New NIST Guidelines for Organization-Wide Password Management
From NIST Tech Beat: April 21, 2009
When an employee has so many complex passwords to remember that he keeps them on a sticky note attached to his computer screen, that could be a sign that your organization needs a wiser policy for passwords, one that balances risk and complexity, explains computer scientist Karen Scarfone. Scarfone is co-author of new guidelines for agency-wide password management issued for public comment by the National Institute of Standards and Technology (NIST).
Designed for federal government agencies, the new Guide to Enterprise Password Management (NIST Special Publication 800-118) can be useful to industry as well to aid in understanding common threats against character-based passwords and how to mitigate those threats within the organization. The guide covers defining and implementing password policy, educating users and measuring the effectiveness of password policies.
Passwords are a key line of defense for an organization’s data security. Passwords are used to protect data, systems and networks. Effective management reduces the risk of compromising password-based authentication mechanisms. Topics addressed in the guide include defining password policy requirements and selecting centralized and local password management solutions.
One of the document’s key purposes is to assist organizations in understanding common threats against their character-based passwords and how to mitigate those threats. Agencies need to consider using several mitigation strategies, including secure storage and transmission of passwords, user awareness activities, and secure password recovery and reset mechanisms.
The guide also is designed to raise awareness of the changing threats against passwords. Most organizations’ password policies rely primarily on password strength—an organization might require, for example, that passwords be a certain length and include a variety of letters, digits and symbols. These policies were created to protect against brute-force password guessing and cracking.
“Strong passwords don’t help as much any more because the threats have changed. Phishing attacks and other forms of social engineering trick users into revealing their passwords. Spyware in web browsers and keystroke loggers provide attackers with all the keystrokes someone makes, including passwords,” Scarfone said. Using effective password management as described in the guide will reduce the likelihood and impact of password compromises, she explained. The guide recommends that users be educated about threats against passwords and how they should respond. The publication also suggests that for some applications with high security needs, password-based authentication should be replaced with, or supplemented by, stronger forms of authentication such as biometrics or personal identity verification (PIV) cards.
Copies of this initial public draft of SP 800-118 Guide to Enterprise Password Management are available at http://csrc.nist.gov/publications/drafts/800-118/draft-sp800-118.pdf. NIST is requesting public comment on the draft through May 29, 2009. Comments should be sent by email to email@example.com.