Thursday, April 30, 2009

NIST Password Guidance

One of the most common security measures for cyber systems, and even for access control systems, is the use of a password to authorize system access. Most computer users have multiple passwords and face the constant conflict between maintaining adequate security and remembering complicated passwords. Sitting on the other side of the problem is the security manager, who faces the same conflict: protecting the system while still allowing authorized users access to it. The National Institute of Standards and Technology (NIST) recently weighed in on this problem with the publication of a draft guidance document on password management. NIST Special Publication 800-118 (DRAFT) has been prepared by the Information Technology Laboratory (ITL) at NIST to assist federal information system managers in selecting appropriate password standards for their systems. As with many unclassified draft documents prepared by government agencies, NIST is accepting public comments on the “Guide to Enterprise Password Management (Draft)”. Comments may be emailed to NIST at 800-118commends@nist.gov, with “Comments SP 800-118” typed in the subject line. Comments need to be sent to NIST by May 29th.

Password Management

The problem boils down to this: the more complex the password requirement is, the more likely it becomes that people will forget their password or compromise it by writing it down as a memory aid. On the other hand, the easier a password is to remember, the easier it is for attackers to guess it or to determine it through brute-force sign-on attempts. To counter this problem the enterprise must establish a password management system. The draft NIST document defines the requirements for such a system this way (pg ES-1):
“This publication provides recommendations for password management, which is the process of defining, implementing, and maintaining password policies throughout an enterprise. Effective password management reduces the risk of compromise of password-based authentication systems. Organizations need to protect the confidentiality, integrity, and availability of passwords so that all authorized users—and no unauthorized users—can use passwords successfully as needed.”
The document goes on to identify four general recommendations that organizations should implement to protect the confidentiality of their passwords (pgs ES-1 to ES-2):
“Create a password policy that specifies all of the organization’s password management-related requirements.”

“Protect passwords from attacks that capture passwords.”

“Configure password mechanisms to reduce the likelihood of successful password guessing and cracking.”

“Determine requirements for password expiration based on balancing security needs and usability.”
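The trade-off described above (complexity versus memorability versus resistance to guessing) and the third recommendation (configuring password mechanisms against guessing and cracking) can be made concrete with a small amount of code. The following is an added illustration, not code from NIST or from the draft document: a password-policy checker with a rough keyspace estimate, plus a sliding-window failed-login counter of the kind used to blunt brute-force sign-on attempts. The policy values, the auth-log format and the sample log lines are assumptions constructed for the example.

```python
"""Added example (not from NIST SP 800-118): enterprise password policy
checks and an online-guessing throttle. Policy values are illustrative."""
import math
import string
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy values, chosen for illustration rather than taken from the draft.
POLICY = {
    "min_length": 12,
    "min_classes": 3,            # distinct classes required of: lower, upper, digit, symbol
    "blocklist": {"password", "123456", "qwerty", "letmein"},
    "max_failures": 5,           # failed sign-ons inside the window before lockout
    "window": timedelta(minutes=15),
}


def char_classes(pw):
    """Return the set of character classes present in the password."""
    classes = set()
    for c in pw:
        if c in string.ascii_lowercase:
            classes.add("lower")
        elif c in string.ascii_uppercase:
            classes.add("upper")
        elif c in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def keyspace_bits(pw):
    """Upper bound on brute-force effort, in bits, for a password drawn at random
    from the alphabet implied by its character classes: log2(alphabet ** length).
    Real user-chosen passwords are far weaker than this bound; it only shows how
    length and class mix change the search space an attacker must cover."""
    sizes = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}
    alphabet = sum(sizes[c] for c in char_classes(pw))
    return len(pw) * math.log2(alphabet)


def check_policy(pw, policy=POLICY):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < policy["min_length"]:
        problems.append(f"shorter than {policy['min_length']} characters")
    if len(char_classes(pw)) < policy["min_classes"]:
        problems.append(f"fewer than {policy['min_classes']} character classes")
    if pw.lower() in policy["blocklist"]:
        problems.append("on the common-password blocklist")
    return problems


def lockout_events(log_lines, policy=POLICY):
    """Scan 'ISO-timestamp user OK|FAIL' records (assumed format) and return the
    accounts that reach max_failures failed sign-ons within the sliding window.
    This is the throttling that limits brute-force guessing against the login."""
    failures = defaultdict(list)
    locked = []
    for line in log_lines:
        ts, user, result = line.split()
        t = datetime.fromisoformat(ts)
        if result != "FAIL":
            continue
        recent = [x for x in failures[user] if t - x <= policy["window"]]
        recent.append(t)
        failures[user] = recent
        if len(recent) >= policy["max_failures"] and user not in locked:
            locked.append(user)
    return locked


# Constructed sample auth records: bob fails five times in five minutes (locked),
# carol fails five times spread an hour apart (never exceeds the window).
SAMPLE_LOG = [
    "2009-04-30T09:00:00 alice OK",
    "2009-04-30T09:01:00 bob FAIL",
    "2009-04-30T09:02:00 bob FAIL",
    "2009-04-30T09:03:00 bob FAIL",
    "2009-04-30T09:04:00 bob FAIL",
    "2009-04-30T09:05:00 bob FAIL",
    "2009-04-30T08:00:00 carol FAIL",
    "2009-04-30T09:00:00 carol FAIL",
    "2009-04-30T10:00:00 carol FAIL",
    "2009-04-30T11:00:00 carol FAIL",
    "2009-04-30T12:00:00 carol FAIL",
]

if __name__ == "__main__":
    for candidate in ("password", "abcdefghijkl", "Tr0ub4dor&3xyz"):
        print(candidate, round(keyspace_bits(candidate), 1), "bits", check_policy(candidate))
    print("locked accounts:", lockout_events(SAMPLE_LOG))
```

The two halves correspond to the two ways the draft's third recommendation is met in practice: the policy check shapes what users are allowed to choose, while the failed-attempt window limits how many guesses an attacker gets against the live system regardless of what was chosen.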
Background Information

While the management guidelines presented in this document are certainly valuable, for most organizations just now taking a serious look at cyber security issues, the second and third sections of this document may actually be more valuable. Section two provides a detailed discussion of the use of passwords. Section three provides a look at the various threats to password security and the ways those threats can be mitigated. As security managers at high-risk chemical facilities start looking at their cyber security efforts for their site security plans, this document will be a valuable reference work. The document is relatively short (only 38 pages) and it is very readable, especially considering the agency that prepared it. It should be downloaded and read by all security managers, but especially those at high-risk chemical facilities.
