
RE: [Assurance] Password scheme design tool...

Chronological Thread 
  • From: "Roy, Nicholas S" <>
  • To: "" <>
  • Subject: RE: [Assurance] Password scheme design tool...
  • Date: Tue, 13 Dec 2011 22:10:01 +0000
  • Accept-language: en-US

It also appears to add a new "session hijacking" requirement at level 2,
which contains some detail about cross site request forgery attacks, and
makes a distinction between weak and strong resistance to man-in-the-middle
attacks, where for weak resistance, the user has to be minimally aware that
the login session is secure (presumably via an SSL padlock icon, etc.). I'm
not sure how you accomplish this in an enterprise setting where users can be
asked for their passwords many different ways, not all of which are easily
identifiable to the user as "secure."

For those concerned with the language in 800-63 about salted password hashes
(delicious!) and Active Directory, I checked and the requirement to use a
variable salt still exists, and is actually more detailed with regard to how
you should do the salting (a global salt plus username, for example). Not
that Silver is targeting 800-63 level 2, but just in case you might want to
someday reach NIST LoA 2 with AD in the mix...
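The salting scheme mentioned above (a global salt combined with the username, so every account gets a different salt even when two users pick the same password), as an added example that is not part of the original message or of any NIST or Active Directory code. The choice of PBKDF2-HMAC-SHA256, the iteration count, the sample global salt and the account names are all constructed assumptions for illustration.

```python
import hashlib
import hmac

# Assumed parameters (not from the thread): PBKDF2-HMAC-SHA256 with a fixed
# iteration count. A real deployment tunes the count to its own hardware.
PBKDF2_ITERATIONS = 100_000

# Constructed site-wide salt. In practice this is generated once (e.g. with
# os.urandom(16)) and stored separately from the password database.
GLOBAL_SALT = bytes.fromhex("5f3a9c1e8b2d4a6f7c0e1d2b3a4c5d6e")


def per_user_salt(global_salt: bytes, username: str) -> bytes:
    """Global salt plus username: a 'variable salt' that differs per account."""
    return global_salt + username.encode("utf-8")


def hash_password(password: str, username: str,
                  global_salt: bytes = GLOBAL_SALT) -> str:
    """Hex PBKDF2 digest of the password under that account's salt."""
    salt = per_user_salt(global_salt, username)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return digest.hex()


def verify_password(password: str, username: str, stored_hex: str,
                    global_salt: bytes = GLOBAL_SALT) -> bool:
    """Recompute the digest and compare in constant time."""
    candidate = hash_password(password, username, global_salt)
    return hmac.compare_digest(candidate, stored_hex)


def unsalted_hash(password: str) -> str:
    """The weak scheme by contrast: no salt, so every account with the same
    password stores the same digest and one precomputed table covers all."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample: two accounts that chose the same password.
    pw = "correct horse battery staple"
    alice, bob = hash_password(pw, "alice"), hash_password(pw, "bob")
    print("salted digests differ:", alice != bob)
    print("unsalted digests collide:", unsalted_hash(pw) == unsalted_hash(pw))
    print("verify alice:", verify_password(pw, "alice", alice))
    print("alice's digest under bob's salt:", verify_password(pw, "bob", alice))
```

Because the salt is derived rather than random, losing or rotating the global salt invalidates every stored digest, which is the operational trade-off to weigh against storing a random per-user salt in the database.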


-----Original Message-----

On Behalf Of Mark John Rank
Sent: Tuesday, December 13, 2011 12:44 PM

Subject: Re: [Assurance] Password scheme design tool...


Yeah, I leafed through the public comment draft. Near as I could tell, the
majority of the pages came from additional discussions about other Auth
mechanisms. Appendix A looked unchanged to me.


Mark Rank - IAM Program Manager
University Information Technology Services

Phn: 414-229-3706

----- Original Message -----
From: "RL 'Bob' Morgan"

Sent: Tuesday, December 13, 2011 12:37:48 PM
Subject: Re: [Assurance] Password scheme design tool...

Also worth noting perhaps that the long-awaited revision to NIST SP 800-63
(800-63 Rev 1) has been published this month, see

As before, Appendix A has a lot of material about password entropy. I don't
know if it differs substantially from previous versions of 800-63.
Still no spreadsheet as far as I can tell. But the overall document has gone
from 54 to 109 pages, so it must be twice as good.

- RL "Bob"
