Password security

There has been considerable discussion on reducing or removing the complexity and change interval requirements for passwords. This was triggered by the publication of four standards from NIST dealing with this topic (SP800-63-3 series).

While the recent NIST guidance has the potential to make password policies more “user friendly”, it relies on implementing new system controls, such as increasing the authentication and verification controls, moving to multi-factor authentication, and stronger identity and access management.

The forced change interval requirement addresses the issues of loss, compromise or discovery of passwords.

The NZISM password requirements, including the change interval requirements, are designed to work as part of a control set, rather than as individual controls. Until additional system controls are addressed in the NZISM, the current guidance on change interval requirements for passwords stands.


There has been considerable discussion on reducing or removing the complexity and change interval requirements for passwords. This was triggered by the publication of four new standards from NIST dealing with this topic (SP800-63-3 series).

While the recent NIST guidance has the potential to make password policies more “user friendly”, it relies on implementing new system controls, such as increasing the authentication and verification controls, moving to multi-factor authentication, and stronger identity and access management.

The complexity requirements, such as special characters and minimum length, strengthen passwords by requiring more unique passwords that are harder to crack.

The NZISM password requirements, including the complexity requirements, are designed to work as part of a control set, rather than as individual controls. Until additional system controls are addressed in the NZISM, the current guidance on complexity requirements for passwords stands.