Concerned About Your Business Cyber Security?

(877) 321--7374

Wait What? We don?t have to change passwords every 90 days?, (Wed, May 17th)

/. Recently published a post covering a draft NIST Standard that is in review [1]. This handler thought it would cause a disturbance in the force, but so far no one is discussing it. One of the big stand out changes is no more periodic password changes [2]. There are several others as well, and CSO Online has a fantastic summary review [3].

There are some clear differences that stand out right away in the introduction. As with most things, standards evolve as we learn.

padding:5px 10px”> Electronic authentication (e-authentication) is the process of establishing confidence in user identities electronically presented to an information system. E-authentication presents a technical challenge when this process involves the remote authentication of individual people over a network. This recommendation provides technical guidelines to agencies to allow an individual person to remotely authenticate his/her identity to a Federal Information Technology (IT) system. [4]

Digital identity is the unique representation of a subject engaged in an online transaction. A digital identity is always unique in the context of a digital service, but does not necessarily need to uniquely identify the subject. In other words, accessing a digital service may not mean that the physical representation of the underlying subject is known. [2]

The new draft goes on from there to outline digital identity and attempts to clearly define access and uses more risk based language.

One clear change that will shock users is the removal of periodic password changes. The handlers agree that a strong review of this draft is in order for security professionals as we can hear the users now:

Wait, you have been forcing me to change my passwords ALL THIS time, and now your saying it is not needed?

Another section that should be reviewed and discussed deeply is 5.2.7 Verifier Compromise Resistance. According to the section there should be some mechanism to verify compromise resistance. One could interpret this to run passwords against breached credential databases, however this is not specifically called out [2] [3].

In conclusion, this standard is a strong deviation from previous recommendations and should be reviewed for impact to your security practice. (There is that disturbance in the force we were looking for).

[1] https://it.slashdot.org/story/17/05/09/1542236/nists-draft-to-remove-periodic-password-change-requirements-gets-vendors-approval

[2] https://pages.nist.gov/800-63-3/sp800-63b.html

[3] http://www.csoonline.com/article/3195181/data-protection/vendors-approve-of-nist-password-draft.html

[4] http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Ready For ASuperheroI.T. Solution?

Permission to communicate electronically * Shield adheres to the Canada Anti Spam Law or CASL. By submitting our website forms, you are granting us express consent to contact your company by email. Click here for more Information and FAQS on the CASL.

Shield Networks Inc.

Shield Networks Provides Cyber Security, Network Security, Computer Security and IT Security Solutions For Companies Across Canada. Book Your Complimentary Cyber Security Consultation Using Our Contact Information Below.

(877) 321--7374

Info@ShieldNetworks.ca

  • Winnipeg, Manitoba

    330 St. Mary Avenue, Suite 300
    Winnipeg, MB R3C 3Z5

  • Selkirk Manitoba

    217 Clandeboye Ave Selkirk, MB, R1Z 0X2

Real Time Web Analytics