assurance - [Assurance] Password Strength Requirements
Subject: Assurance
List archive
- From: Benn Oshrin <>
- To:
- Subject: [Assurance] Password Strength Requirements
- Date: Wed, 08 Aug 2012 14:00:47 -0400
Back in December, there were some spreadsheets sent around discussing the "sliders" to select password policies as required by ยง4.2.3.[2,3]. Bronze and Silver basically reference 800-63-1 appendix A which, as I understand it, essentially says your password management policy is calculated from
- The complexity required for the password (length, dictionary, composition)
- The number of unsuccessful attempts required before the password must be locked/changed
- Time introduced to frustrate attacks, via lockouts
I'm curious about what approaches people are settling upon now. For example,
- Is anyone (considering) maintaining a simple failed authentication counter per-password, and expiring the password once the counter reaches the limit permitted by the complexity for the level (Bronze/Silver) of interest? (ie: no lockout, no scheduled expiration)
- Where password lockout is being used (for n amount of time after m failed attempts, but then unlocking the password without reset unless it has expired), what "slider" settings are you using/planning to use compared to what you previously used/currently use? How, if at all, are you (planning on) handling DOS risk?
- Are you (planning on) requiring longer passwords?
(We discussed 2FA/OTP as a "beyond Silver" option back in March, so I'm less interested in that aspect.)
Is there any sense that these requirements are "too strong" for Bronze/LOA1? Or, less likely, "too weak"?
Thanks,
-Benn-
- [Assurance] Password Strength Requirements, Benn Oshrin, 08/08/2012
- Re: [Assurance] Password Strength Requirements, Brendan Bellina, 08/08/2012
- Re: [Assurance] Password Strength Requirements, Eric Goodman, 08/08/2012
- RE: [Assurance] Password Strength Requirements, Dergenski, Todd A., 08/08/2012
- Re: [Assurance] Password Strength Requirements, Brendan Bellina, 08/08/2012
- Re: [Assurance] Password Strength Requirements, Tom Scavo, 08/09/2012
- <Possible follow-up(s)>
- Re: [Assurance] Password Strength Requirements, Joe St Sauver, 08/08/2012
- Re: [Assurance] Password Strength Requirements, Cantor, Scott, 08/08/2012
- Re: [Assurance] Password Strength Requirements, David Bantz, 08/08/2012
- [Assurance] Re: Password Strength Requirements, Jon Miner, 08/08/2012
- Re: [Assurance] Re: Password Strength Requirements, Stefan Wahe, 08/08/2012
- Re: [Assurance] Password Strength Requirements, Cantor, Scott, 08/08/2012
Archive powered by MHonArc 2.6.16.