New Password System to Kick in Soon

For ages users have been fed up with the password policies enforced by IT system administrators. Soon you may be able to get rid of complex passwords: all major vendors and organisations will adopt new password guidelines for the new computing era.


The National Institute of Standards and Technology (NIST) is a non-regulatory federal agency within the U.S. Department of Commerce. Although NIST only regulates federal agencies, corporate security teams are taking advantage of its guidelines. NIST has drafted new rules and recommendations for protecting digital identities, and advises agencies to jettison outdated password complexity rules in favor of user-friendliness. Here are the new recommendations:

1. NIST recommends removing all password complexity rules; they just create a false sense of security. Length matters a lot more, which is why the new guidelines call for a strict 8-character minimum and even suggest moving the character maximum to at least 64. Blank spaces are allowed.

2. No periodic password resets: frequent mandatory password resets can even make security worse, since they tend to make passwords weaker from the start.

3. Enable "Show Password While Typing": users have a much better shot at entering lengthy passwords correctly on the first try.

4. Allow paste in password fields: "paste" functionality is now advantageous due to the widespread use of password managers.

5. Forbid commonly used passwords, such as dictionary words.
</grreplace>
<gr_replace lines="18" cat="clarify" orig="6. Don't">
6. Don't use password hints or secret questions.

6. Don't Use Password Hints or Secret Questions.

7. Limit the number of password attempts: there is a wide gap between the number of guesses a typo-prone user needs and the number of guesses an attacker needs.

8. Password storage: many security attacks have nothing to do with weak passwords and everything to do with how the authenticator stores passwords. NIST guidelines require that passwords be salted with at least 32 bits of data and hashed with a one-way key derivation function such as Password-Based Key Derivation Function 2 (PBKDF2) or Balloon.

9. Multifactor authentication: NIST requires multifactor authentication, commonly referred to as 2FA (two-factor authentication). A verification that requires users to demonstrate at least two of "something you know" (like a password or SMS OTP), "something you have" (like a phone), and "something you are" (like a fingerprint) drastically decreases the probability of a successful attack.

The new NIST guidelines carry an important moral: easier, more convenient security makes more people take proper precautions, so make your system intelligent. The extraneous password rules are just making things worse. Recent studies have shown that the conventional wisdom on passwords is wrong, so organisations need to rethink their password strategies, stop wasting time on password complexity, and focus on effective preventative measures like proper salting and 2FA.
Detailed guidelines are here: https://pages.nist.gov/800-63-3/sp800-63b.html
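To show how rules 1, 5, 7 and 8 fit together in a verifier, here is an added example (not from the NIST document or this post): a minimal Python password store that checks only length and a blocklist, salts and hashes with PBKDF2-HMAC-SHA256, and counts failed attempts. The blocklist, the 600,000-iteration work factor and the 10-attempt lockout threshold are assumed values for illustration.

```python
import hashlib
import hmac
import os
import unicodedata

# Constructed blocklist; a real deployment would load a breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}
MIN_LEN, MAX_LEN = 8, 64        # 8-character minimum; accept at least 64
SALT_BYTES = 16                 # 128-bit random salt (NIST floor is 32 bits)
PBKDF2_ITERATIONS = 600_000     # assumed work factor for PBKDF2-HMAC-SHA256
MAX_ATTEMPTS = 10               # assumed lockout threshold (rule 7)
FAILED = {}                     # username -> consecutive failed attempts

def _normalize(pw):
    # Same Unicode form at enrolment and at login so the same typed
    # password (spaces and accents included) always hashes identically.
    return unicodedata.normalize("NFKC", pw)

def validate_password(pw):
    """Return None if the password is acceptable, else the reason.
    No composition rules: only length and a blocklist (rules 1 and 5)."""
    pw = _normalize(pw)
    if len(pw) < MIN_LEN:
        return "too short"
    if len(pw) > MAX_LEN:
        return "too long"
    if pw.lower() in COMMON_PASSWORDS:
        return "commonly used"
    return None   # spaces and any character set are fine

def hash_password(pw):
    """Salted one-way hash (rule 8); returns salt || digest for storage."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", _normalize(pw).encode(), salt, PBKDF2_ITERATIONS)
    return salt + digest

def verify_password(pw, stored):
    salt, digest = stored[:SALT_BYTES], stored[SALT_BYTES:]
    candidate = hashlib.pbkdf2_hmac("sha256", _normalize(pw).encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)   # constant-time compare

def attempt_login(user, pw, stored):
    """Rate-limited check (rule 7): returns 'ok', 'denied' or 'locked'."""
    if FAILED.get(user, 0) >= MAX_ATTEMPTS:
        return "locked"
    if verify_password(pw, stored):
        FAILED[user] = 0
        return "ok"
    FAILED[user] = FAILED.get(user, 0) + 1
    return "denied"
```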


The fourteen (14) sections of ISO 27002:2013 security controls fit within the twenty-six (26) families of NIST 800-53 rev4 security controls, so ISO 27002 is essentially a subset of NIST 800-53. However, the NIST Cybersecurity Framework (NIST CSF) takes parts of ISO and parts of NIST to create a type of "middle ground" that is inclusive of NIST 800-53, but not ISO 27002. That makes the NIST CSF better for smaller companies, whereas ISO 27002 and NIST 800-53 are better for larger companies or those with unique compliance requirements.
From an ISO 27001 perspective, the standard does not prescribe what your expiration duration should be, nor does it specify how many old passwords you should retain.
Instead, it provides generic guidelines on password management. For the sake of compliance and to satisfy auditors, it is better to have a password expiration duration of no more than 90 days and to retain at least the last 2 passwords to prevent re-use.
ISO 27001 does explicitly say that we should "maintain a record of previously used passwords and prevent re-use", but it does not specify how many of them should be retained.
The entire control and its implementation guidance read something like this:
Control A.9.4.3

Password management systems shall be interactive and shall ensure quality passwords.

- Vinod Kotiya
