Goodbye Password Expiry Policies, NIST 800-63 is Here

NIST have published the 800-63 standards, "Digital Identity Guidelines", and with them have updated various standards of identity management.

I still have to go through it all (boring maybe, but useful for my job).

Among the changes are passwords: they now recommend (mandatory) a minimum of 8 characters. They may impose a check against known lists and ask for a different password (e.g. if the password appears on a password list), but should not impose any other requirements. This includes things like password expiry policies and "complex" passwords mandating the use of multiple character types.

They should also allow a minimum of 64 characters (truncation is not allowed) and allow any type of character (including, for example, Unicode).

Password hints are not allowed.

Among many other things.

Don't know about anyone else, but it's good to finally see password expiry being removed as a mandatory requirement in standards. Now I just need to convince everyone it's a good idea to follow it sooner rather than later.

9 Likes
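As an added example (not code from the post, from NIST, or from any product named in this thread), here is a verifier-side check in Python that implements only the rules listed above: an 8-character minimum, a blocklist lookup, acceptance of 64 or more characters without truncation, and any Unicode character, with no composition rules, hints or expiry. Three things are my assumptions rather than anything the post states: NFKC normalization before length counting and comparison, a case-insensitive blocklist match, and scrypt as the storage hash (chosen because, unlike bcrypt's 72-byte cap, it hashes the full input). The blocklist is a constructed sample, not a real breach corpus.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional, Tuple

MIN_LEN = 8           # the verifier must enforce at least this many characters
MUST_ACCEPT_LEN = 64  # the verifier must accept at least this many, untruncated

# Constructed sample blocklist standing in for a real breached/common-password list.
BLOCKLIST = {
    "password", "12345678", "qwerty123", "letmein1", "company2017", "iloveyou",
}


def normalize(secret: str) -> str:
    """NFKC-normalize so equivalent Unicode input compares equal.

    Assumption: the same normalization is applied at enrolment and at login,
    otherwise a user typing a decomposed form later would be locked out.
    """
    return unicodedata.normalize("NFKC", secret)


def check_password(secret: str, blocklist=BLOCKLIST) -> Tuple[bool, str]:
    """Apply only length and blocklist rules.

    No composition rules ("must contain a digit"), no hint, no expiry.
    Length is counted in code points, not bytes, so a 64-character
    non-ASCII secret is neither rejected nor silently shortened.
    """
    s = normalize(secret)
    if len(s) < MIN_LEN:
        return False, "too short: at least %d characters required" % MIN_LEN
    # Case-insensitive match is an assumption; the post only says "check on known lists".
    if s.casefold() in blocklist:
        return False, "password appears on the blocklist; choose a different one"
    return True, "ok"


def hash_secret(secret: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted scrypt over the full UTF-8 encoding of the normalized secret.

    scrypt has no input-length cap, so nothing past character 64 is dropped.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(normalize(secret).encode("utf-8"),
                            salt=salt, n=2 ** 14, r=8, p=1)
    return salt, digest


def verify_secret(secret: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against a stored hash."""
    _, candidate = hash_secret(secret, salt)
    return hmac.compare_digest(candidate, digest)


def demo() -> dict:
    """Exercise each rule; returns a name -> bool map a reader can inspect."""
    results = {
        # Lower-case words and spaces only: still fine, no composition rules.
        "no composition rules": check_password("correct horse battery staple")[0],
        # 64 code points of a non-ASCII letter must be accepted.
        "unicode, 64 code points": check_password("é" * MUST_ACCEPT_LEN)[0],
        # Differs from the list entry only by case: still rejected.
        "blocklist hit": check_password("Password")[0],
        # 7 characters: rejected on length alone.
        "too short": check_password("Tr0ub4&")[0],
    }
    # A 65-character secret is stored whole: its 64-character prefix must not verify.
    salt, digest = hash_secret("é" * 65)
    results["no truncation"] = (verify_secret("é" * 65, salt, digest)
                                and not verify_secret("é" * 64, salt, digest))
    return results


if __name__ == "__main__":
    for name, passed in demo().items():
        print("%-26s %s" % (name, passed))
```

The point of the "no truncation" case is practical: if the storage hash silently drops input past a fixed length (bcrypt's 72 bytes, which is fewer than 64 characters once multi-byte UTF-8 is involved), the "allow 64 characters" rule is met on paper but not in effect. Either pick a hash without that cap or pre-hash the secret before passing it in.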

That sounds lovely - but until my company adapts to that ... I am most likely looking forward to retirement.

3 Likes

Password expiry is a unique pain in the ass for me because I don't have an AD connected windows machine.

This means when my AD password expires (which I get no warning of) I have to make a helpdesk ticket and one of the techs (who work for me) has to reset my password so I can continue to receive emails.

The AD account is the only one with an expiry timeout (90 days seems a bit excessive tbh).

All it makes me do is use a password manager, but when it comes to other employees, I see sticky notes on monitors way too much for a company that prides itself in security. Anyone who gets a tour of the office could easily steal full credentials of half the office.

I'm willing to bet that 90% of employees in 90% of businesses use oldpassword + 1 or some combination of.

Password expiry and "complex" password policies do nothing but burden the user and create weak passwords.

Funnily enough, the use of multiple factors is what the new standards recommend. Decent password + other factor.

6 Likes

The creation of weak passwords is the major thing in my industry. We, by necessity, have internal portals on public IPs because a lot of people do field work where VPN is not an option. Weak passwords on these sites only serve to undermine our corporate secrets and it annoys the hell out of me.

2FA is really the only decent option for security these days that doesn't inconvenience the end user too much.

1 Like

I've heard of the new standard as well and I was super happy when I read that there is finally an official standard for what was my sense of security all along. Without this, it's practically impossible to convince people in the position to change this and with this it might finally be possible.

I can only agree. However, I've met (rather tech-savvy) people before who don't want to use it, because they say it's not necessary for them, since they have a password-manager that they only use at home and they don't log into any site outside of their home (go figure).

Anyways, I need to forward that NIST site to my local admin :smile:

That's fair. I definitely have to plea guilty to this in some situations. I have a password manager, just because on any given day, I'm using 30 different services. It's just too much for me to keep track of :confused:

My boss used to have lastpass. I managed to get him switched to this one.

I did this as soon as I saw this thread. We just had a SOX audit and they weren't happy with our 180-day expiry and forced us to switch to 90. My boss (CTO) is now on a righteous crusade to get rid of password expiry and complexity requirements.

I haven't heard of that addon before. The idea of storing passwords in your own cloud seems good to me, but how does it integrate with the browser?

All power to him :smile:

I'm waiting for SQRL to be finished and released. Should make things a lot easier to use whilst remaining secure.

It's pretty much on par with lastpass. At least the features I could find between the two.

Damn, there goes the rest of my day. Looking into that.

1 Like

So you need to install an addon that grabs the database from the local drive? I read through the readme but didn't get a hint how exactly it works.

Basically, yeah. Install the addon or use the web-ui. The addon will auto-fill login forms and will auto-detect logins and ask if you want to add an account.

1 Like

Password expiration only works in a military setting when you are required/forced to memorize alphanumeric sequences.

IRL it just trains people to make weaker derivative passwords.

In my IT experience, 90% of a company will have their password use either the date, the company's name, or a variation of the default password IT gives out.

At my job, we do not allow anything similar to the last 3 passwords. Some older employees call in and do password +1. These employees do not have access to critical data, so it's OK I guess... :confused:

I do not agree. Passwords expiring is good in my experience.

You guys use OWA? You can change your password from there now...

Social engineering black hats would have field day :smile: :sunglasses:

We do, TIL. Thanks!

Reasons I hate people.

2 Likes

There's always a way around it. When you enforce complex password rules and enforce unreasonable password expiry what you end up with is this.

CompanyMonthYYYY or a similar variation of it. It completely bypasses your security checks while still being completely insecure. But it's easy to remember when your company keeps making you change passwords.

I've never heard of people using CompanyMonthYYYY. That may sound crazy... At least at my job they don't. They go for wife's/mother's maiden name, favorite sports team and SS#, which is worse.

I'm almost tempted to run a check against all users passwords now...

You have visibility? Hmmm, surprised they are not hashed and salted.

Oh no. I don't. I can make login attempts though.

I can also disable lockouts. I'm domain admin when I need to be, but I'm mostly a linux engineer.

1 Like