GCN writer William Jackson writes on NIST Special Publication 800-118, which offers guidelines for password management in the enterprise. The article can be accessed here.
Let's take a peek at the draft special publication.
The publication defines password management as the process of defining, implementing, and maintaining password policies throughout an enterprise.
NIST recommends the following measures to protect the confidentiality of passwords:
1. Create a password policy that specifies all of the organization’s password management-related requirements, including FISMA and other regulatory requirements. “An organization’s password policy should be flexible enough to accommodate the differing password capabilities provided by various operating systems and applications.”
2. Protect passwords from attacks that capture passwords. “Users should be made aware of threats against their knowledge and behavior, such as phishing attacks, keystroke loggers and shoulder surfing, and how they should respond when they suspect an attack may be occurring. Organizations also need to ensure that they verify the identity of users who are attempting to recover a forgotten password or reset a password, so that a password is not inadvertently provided to an attacker.”
3. Configure password mechanisms to reduce the likelihood of successful password guessing and cracking. “Password guessing attacks can be mitigated rather easily by ensuring that passwords are sufficiently complex and by limiting the frequency of authentication attempts, such as having a brief delay after each failed authentication attempt or locking out an account after many consecutive failed attempts. Password-cracking attacks can be mitigated by using strong passwords, choosing strong cryptographic algorithms and implementations for password hashing, and protecting the confidentiality of password hashes. Changing passwords periodically also slightly reduces the risk posed by cracking.”
4. Determine requirements for password expiration based on balancing security needs and usability. Regularly changing passwords “is beneficial in some cases but ineffective in others, such as when the attacker can compromise the new password through the same keylogger that was used to capture the old password. Password expiration is also a source of frustration to users, who are often required to create and remember new passwords every few months for dozens of accounts, and thus tend to choose weak passwords and use the same few passwords for many accounts.”
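As an added illustration that is not from the NIST publication or the GCN article, the following Python sketch shows the two mitigations named in item 3 working together: salted password hashing with a deliberately slow key-derivation function, and throttling of failed logins with a growing delay after each failure and a lockout after a run of consecutive failures. The thresholds, delays and iteration count are assumed values chosen for illustration.

```python
import hashlib
import hmac
import os

# Policy knobs: assumed illustrative values, not figures taken from SP 800-118.
MAX_FAILURES = 5            # lock the account after this many consecutive failures
LOCKOUT_SECONDS = 900       # length of a lockout
BASE_DELAY_SECONDS = 2      # delay after a failure; doubles with each consecutive failure
PBKDF2_ITERATIONS = 100_000 # deliberately slow hashing; raise for production hardware


def hash_password(password, salt=b""):
    """Return (salt, digest) using PBKDF2-HMAC-SHA256 with a random per-user salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class PasswordStore:
    """Keeps salted hashes (never plaintext) and throttles guessing per account."""

    def __init__(self):
        self._creds = {}         # user -> (salt, digest)
        self._failures = {}      # user -> consecutive failed attempts
        self._locked_until = {}  # user -> epoch seconds at which the lockout ends

    def set_password(self, user, password):
        self._creds[user] = hash_password(password)
        self._failures[user] = 0

    def verify(self, user, password, now):
        """Return (status, delay_seconds); status is 'ok', 'bad_password' or 'locked'."""
        until = self._locked_until.get(user, 0)
        if now < until:
            return "locked", until - now
        salt, expected = self._creds.get(user, (b"", b""))
        # Hash even for unknown users so response time does not reveal whether the account exists.
        _, actual = hash_password(password, salt or b"\x00" * 16)
        if user in self._creds and hmac.compare_digest(actual, expected):
            self._failures[user] = 0
            return "ok", 0.0
        n = self._failures.get(user, 0) + 1
        if n >= MAX_FAILURES:
            # Too many consecutive failures: lock the account and start counting afresh afterwards.
            self._failures[user] = 0
            self._locked_until[user] = now + LOCKOUT_SECONDS
            return "locked", float(LOCKOUT_SECONDS)
        self._failures[user] = n
        return "bad_password", BASE_DELAY_SECONDS * 2 ** (n - 1)
```

Passing the clock in as `now` keeps the throttling logic deterministic and testable; a real deployment would also log each lockout so the detection team sees guessing campaigns.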
These are practical guidelines that will help enterprises deal with the issues surrounding passwords. Alternative mechanisms, such as smart cards augmented by knowledge-based authentication, probably need to be explored. There is no alternative to strong PKI. The publication airs the same sentiment: "Therefore, organizations should make long-term plans for replacing password-based authentication with stronger forms of authentication for resources with higher security needs."