Password Policies

December 20, 2017

NIST & Passwords – What American Standards Can Provide to Companies in Ottawa.

Ottawa IT companies will be required to report data breaches or face fines, on top
of a loss of the public’s trust in the computer services they are providing. If
you are a business in Ottawa using one of the many IT companies in Ottawa, are
responsible for computer services in Ottawa or are subject to PIPEDA regulation,
you should start looking into NIST standards for computer security.

Below is an explanation of some of the NIST SP 800-63B-3 guidelines for passwords
released in June 2017. NIST recommendations are in accordance with FISMA regulation,
so they are US Federal agency standards. They are also the standard reference for
enterprises offering services where Personally Identifiable Information will be handled,
meaning that they can help Ottawa computer services users and IT companies in Ottawa
keep their information as secure as possible.

Password Length: NIST recommend that if the password “is chosen by the subscriber”,
it must be at least 8 characters long. Since the publication of these standards, the
Norwegian company Stricture Consulting Group built a 5-server system utilising 25
AMD Radeon graphics cards, programmed to behave like a single desktop computer, to
bring the time to crack an 8-character password from 83.5 days down to just 5.5 hours.
However infeasible and impractical it may be for a potential attacker to have such
capabilities, it is not impossible. If you used a 10-character password, it would take
this system over 5 years to crack it.

Complexity: It is recommended that you use upper and lower-case letters, numbers and
punctuation characters. If the attacker were to figure out that your password consisted
of just numbers and lower-case letters, that would significantly reduce the amount of
time it would take to crack your password.

Hints: Hints that an unauthorised user can access should never be used. This not only
applies to hints displayed at the log-on screen, but to hand-written copies of hints or,
worse, of passwords. The first stages of planning an attack involve gathering as much
information as possible. Dumpster diving and shoulder surfing are often lucrative steps
performed during this phase of an attack. Most pen testers will tell you that when
performing a black-box pen test, information gathering, research and reconnaissance
are the most valuable activities in the process.

Changing passwords: Changing passwords regularly seems like a good idea, but with all
the confusion it can generate it does more harm than good. NIST are aware of this, and
under the standard a password need only be changed if there is an indication that it
has been compromised.

By implementing just these four simple considerations from the NIST SP 800-63B-3
standard, IT companies in Ottawa can be certain of strengthening their overall
IT security posture, and of giving clients of their computer services in Ottawa
peace of mind that their data is as safe as possible.