Today I'm going to say some words about NIST 800-188 "Guide to enterprise password management". Before this I read about Firewall and secure virtualization. Well, I found these standards quite useful, because of their ability to systematize information connected with specific information security theme. Unfortunately, in these standards I didn't find any new information. Maybe, the reason is that a lot of corporate security instruments use in their methodology NIST basics.
Let's come back to NIST about password management. Shortly, this standard consists of intro, chapter about threats against passwords and password management. As always in intro you can find all necessary definitions and brief description of further chapters.
Threats centered around capturing, transmission and cracking. Speaking about capturing I would like to mention interesting thing about caching passwords in swap and while hibernation. I don't hear about special utilities which can clean memory swap and hibernation file. Also there were a lot of researches connected with recovering passwords from such places (eForensics magazine, for example).
Transmission attacks are divided in two groups: sniffing and replay attacks. From my point of view, nowadays only one authentication protocol can be widely used in corporate networks "ou-of-box" - Kerberos. It has a lot of advantages, such as ticket granting system, strong crypto protocols. Authors of NIST also give their preferencesto this authentication protocol, because you can use it in your Windows environment, also with Heimdal Kerberos. Thank you, MIT))
Cracking part is devoted to different well-known techniques, such as brute force, dictionary attack and rainbow tables. Nowadays, from my point of view, password cracking fully depends on computing power. Good salted passwords can make this type of attack ineffective.
As far as passwords are mentioned, we can find in NIST information about, what a good password is. From my point of view, you should find happy medium between strength and employee's ability to remember such passwords. The main rule is that length is much more vital than complexity. That's why password phrases are quite useful.
Management recommendations give a piece of advice about using SSO (Single Sign On) where it is possible. Using of master passwords also has disadvantages, but it is transparent to user and easy to remember.
In conclusion, I can advice to read this standard only to check your corporate password policy or if you are new to password protection theme.
Let's come back to NIST about password management. Shortly, this standard consists of intro, chapter about threats against passwords and password management. As always in intro you can find all necessary definitions and brief description of further chapters.
Threats centered around capturing, transmission and cracking. Speaking about capturing I would like to mention interesting thing about caching passwords in swap and while hibernation. I don't hear about special utilities which can clean memory swap and hibernation file. Also there were a lot of researches connected with recovering passwords from such places (eForensics magazine, for example).
Transmission attacks are divided in two groups: sniffing and replay attacks. From my point of view, nowadays only one authentication protocol can be widely used in corporate networks "ou-of-box" - Kerberos. It has a lot of advantages, such as ticket granting system, strong crypto protocols. Authors of NIST also give their preferencesto this authentication protocol, because you can use it in your Windows environment, also with Heimdal Kerberos. Thank you, MIT))
Cracking part is devoted to different well-known techniques, such as brute force, dictionary attack and rainbow tables. Nowadays, from my point of view, password cracking fully depends on computing power. Good salted passwords can make this type of attack ineffective.
As far as passwords are mentioned, we can find in NIST information about, what a good password is. From my point of view, you should find happy medium between strength and employee's ability to remember such passwords. The main rule is that length is much more vital than complexity. That's why password phrases are quite useful.
Management recommendations give a piece of advice about using SSO (Single Sign On) where it is possible. Using of master passwords also has disadvantages, but it is transparent to user and easy to remember.
In conclusion, I can advice to read this standard only to check your corporate password policy or if you are new to password protection theme.
No comments:
Post a Comment