NIST Guide to Enterprise Password Management
Posted by Brian Milas - CTO on Thu, Apr 30, 2009
NIST Special Publication (SP) 800-118 - DRAFT (PDF)
NIST has published a DRAFT Guide to Enterprise Password Management (SP 800-118). Network World has commented on the draft guide. After skimming both, here are some additional thoughts.

The Network World article starts off by describing why passwords are bad: difficult to use, written down, and so on. With any form of authentication, we could come up with things that we don't like about it. Hard tokens are expensive and I have to carry around another device. WebSSO is great, but I can't afford to refactor my legacy applications to use a new authentication model. ESSO makes systems easy to use but has a "keys to the kingdom" consideration: one credential unlocks every application behind it. Fundamentally, this comes down to a trade-off between security and the service level and cost that are appropriate for the business. You can't make everything bulletproof, so identify the risks that matter and mitigate those.

The NIST guide has many best-practice recommendations for companies to evaluate for their business:
- strong authentication (two- or three-factor)
- password policies (strength, expiration, lockout)
- securely storing passwords (salted and hashed, never in plaintext or reversibly encrypted)
- combating password cracking/guessing attacks
- education to combat social engineering
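As an added illustration of three of the items above (password strength policy, secure storage, and lockout against guessing attacks), here is a small Python example. It is not code from the NIST guide or from this post; the policy parameter values, the in-memory AccountStore, and the sample credentials are assumptions chosen for the demonstration and should be tuned to your own policy.

```python
import hashlib
import hmac
import os
import time

# Policy parameters are assumptions for this example; tune them to your own
# policy and hardware (the iteration count should make one guess cost ~100 ms).
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16
MIN_LENGTH = 12
MIN_CHARACTER_CLASSES = 3
LOCKOUT_THRESHOLD = 5       # consecutive failures before the account locks
LOCKOUT_SECONDS = 15 * 60   # how long the account stays locked


def check_strength(password: str) -> list:
    """Return the policy violations for a candidate password (empty list = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    if sum(classes) < MIN_CHARACTER_CLASSES:
        problems.append("fewer than %d character classes" % MIN_CHARACTER_CLASSES)
    return problems


def hash_password(password: str) -> dict:
    """Salted, iterated hash: a cracker must attack each account separately and
    pay PBKDF2_ITERATIONS hash computations per guess."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS, "digest": digest}


def verify_password(record: dict, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    record["salt"], record["iterations"])
    # Constant-time comparison so a byte-by-byte timing leak cannot speed up guessing.
    return hmac.compare_digest(candidate, record["digest"])


class AccountStore:
    """Hypothetical in-memory user store enforcing strength, hashing and lockout."""

    def __init__(self, now=time.time):
        self._now = now        # injectable clock so lockout expiry can be tested
        self._users = {}

    def register(self, username: str, password: str) -> None:
        problems = check_strength(password)
        if problems:
            raise ValueError("password rejected: " + "; ".join(problems))
        self._users[username] = {
            "credential": hash_password(password),
            "failures": 0,
            "locked_until": 0.0,
        }

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'locked' or 'denied'."""
        user = self._users.get(username)
        if user is None:
            hash_password(password)   # same cost as a real check: no username enumeration by timing
            return "denied"
        now = self._now()
        if now < user["locked_until"]:
            return "locked"           # do not even evaluate the password while locked
        if verify_password(user["credential"], password):
            user["failures"] = 0
            return "ok"
        user["failures"] += 1
        if user["failures"] >= LOCKOUT_THRESHOLD:
            user["locked_until"] = now + LOCKOUT_SECONDS
            user["failures"] = 0
        return "denied"


if __name__ == "__main__":
    store = AccountStore()
    store.register("alice", "Correct-Horse-7")      # constructed sample credential
    print(store.login("alice", "Correct-Horse-7"))  # ok
    for _ in range(LOCKOUT_THRESHOLD):
        store.login("alice", "not-her-password")
    print(store.login("alice", "Correct-Horse-7"))  # locked
```

The lockout counter resets on a successful login, and the account stays locked even for the correct password until the window expires; the missing-user branch deliberately spends the same hashing cost so response time does not reveal which usernames exist.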
The guide also discusses password management as a broad topic, encompassing many products that relate to passwords (rather than only the traditional password reset products):
- ESSO
- password synchronization
- local password management (local password vault)
I agree that "password management" is broadening to include these capabilities; one might extend the notion of password management further, also incorporating:
- Web Access Management
- Federation
- Privileged user (administrator) management
What are your thoughts?