
The War of Passwords: Compliance vs NIST


The most recent National Institute of Standards and Technology (NIST) guidance on passwords, Special Publication 800-63B (Digital Identity Guidelines: Authentication and Lifecycle Management), no longer recommends composition rules, that is, forcing a mix of capital letters, lower-case letters, numbers and special characters. It emphasizes length and screening against lists of commonly used or compromised passwords instead. Yet most companies and systems still mandate complexity requirements for passwords. What gives?

There is something of an arms race between NIST and the compliance regimes. SOX, SOC 2, PCI DSS and the like all have something to say about password complexity. Those requirements were shaped by earlier NIST guidance, and vendors built their systems to require combinations of letters, numbers and symbols so that companies pursuing these certifications could enforce them on their users.

Legacy and Technical Password Limitations

On top of the regulations come the technical limitations of the systems themselves. Some hash (or, in older products, encrypt) stored passwords but cannot enforce character complexity at all. Others are finely tunable, letting the administrator specify exactly which special characters, letter cases and digit combinations are required. And still others were built when storage was at a premium and to this day only use the first 8 characters of whatever you type, silently ignoring the rest. It all depends on the leading school of thought when the tool was written and on which compliance regulations the vendor expected its customers to face.
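To make the difference between the two schools of thought concrete, here is an added example (not code from the original article) that places a classic compliance-style composition check next to a check modelled on SP 800-63B's memorized-secret rules, and models the legacy 8-byte truncation described above. The blocklist, the test passwords and the function names are constructed for illustration; a real deployment would screen against a breached-password corpus of millions of entries rather than a handful of strings.

```python
"""Legacy composition rules vs. NIST SP 800-63B-style checks (constructed example)."""
import re
import unicodedata
from typing import Tuple

# Constructed, deliberately tiny blocklist. 800-63B requires comparing the
# candidate against a list of commonly used, expected or compromised values;
# in practice that list is a large breached-password corpus.
BLOCKLIST = {"password", "password1", "qwerty123", "letmein", "welcome1", "p@ssw0rd"}


def legacy_composition_ok(pw: str, min_len: int = 8) -> bool:
    """Compliance-era rule: at least min_len characters and one of each class."""
    return (
        len(pw) >= min_len
        and re.search(r"[a-z]", pw) is not None
        and re.search(r"[A-Z]", pw) is not None
        and re.search(r"\d", pw) is not None
        and re.search(r"[^A-Za-z0-9]", pw) is not None
    )


def nist_800_63b_ok(pw: str, min_len: int = 8, max_len: int = 64,
                    blocklist=BLOCKLIST) -> Tuple[bool, str]:
    """Checks modelled on SP 800-63B section 5.1.1.2 for user-chosen secrets.

    No composition rules. Normalize Unicode, require a minimum length,
    allow long passphrases, and reject anything on the blocklist or made
    of a single repeated character.
    """
    normalized = unicodedata.normalize("NFKC", pw)
    if len(normalized) < min_len:
        return False, "too short"
    if len(normalized) > max_len:
        return False, "too long"
    if normalized.lower() in blocklist:
        return False, "blocklisted"
    if len(set(normalized)) == 1:
        return False, "repetitive"
    return True, "ok"


def legacy_8byte_truncate(pw: str) -> bytes:
    """Model of a storage-era scheme (e.g. traditional DES-based crypt(3))
    that only ever consumed the first 8 bytes of the password."""
    return pw.encode("utf-8")[:8]


def legacy_collides(pw_a: str, pw_b: str) -> bool:
    """True when a truncating legacy system treats two passwords as identical."""
    return legacy_8byte_truncate(pw_a) == legacy_8byte_truncate(pw_b)


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "correct horse battery staple", "aaaaaaaa"):
        print(f"{candidate!r}: legacy={legacy_composition_ok(candidate)} "
              f"nist={nist_800_63b_ok(candidate)}")
    # The two passwords below differ only after the 8th byte.
    print("collides on legacy system:",
          legacy_collides("Tr0ub4dor&3", "Tr0ub4dor!!"))
```

The interesting rows are the ones where the two policies disagree: "P@ssw0rd" satisfies every composition class yet is exactly the sort of predictable value the blocklist exists to catch, while a four-word passphrase fails the legacy rule for lacking an upper-case letter, digit and symbol even though it is far stronger. The truncation helper shows why the extra characters a complexity policy demands can be meaningless on an old system that never reads them.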

Which tools fall under which compliance framework differs from company to company. Two companies may use the same tool, such as Salesforce, but depending on how they use it and who has access, one might be in scope for SOX and the other not.

Over the last decade, the various changes in NIST – the addition of numbers, the assignment of acceptable symbols, and the suggestion of the ideal number of characters – have become (Read more…)
