Password expiration and compliance (ISO, NIST, PCI, etc.)
The current version of PCI DSS is 3.2.1*, and in section 8.2.4 it requires users to change their passwords every 90 days. Section 8.2.5 requires that passwords must not be the same as any of the four previous passwords (note that it does not prescribe how this is to be accomplished; the standard does not specifically state that "storage of hashes" is required).
However, this document is clearly not based on state-of-the-art password security because section 8.2.3 of the same document requires passwords be a "minimum length of at least seven characters" and include "both numeric and alphabetic characters." Modern computers can run password cracking software that will brute force a 7-character alphanumeric password in seconds. Because of this poor requirement alone, it is hard to believe that any of their password security requirements are based on research, or are effective.
That said, our knowledge that this standard is not good enough doesn't mean we can ignore it. No matter what, we're stuck with a 90-day rotation policy, whether or not it provides any useful defense against an attacker, and whether or not it exposes our users to inconvenience or additional risk, because we are contractually obligated to meet the PCI standards. Instead, since we are aware that the standard is inadequate in this regard, what we need to do is implement a responsible security policy in our organizations that addresses the known problems (requiring a 14-character password that meets the other draft NIST recommendations in 5.1.1.2, for example) while still complying with all the requirements of the DSS. Having an organizational security policy and following it is Requirement 12 of the DSS, and it's actually a very good one.
* PCI DSS 3.2 was current as of 2017. In 2018 the version was updated to 3.2.1, a minor update that made no changes to password advice.
To answer your questions first: from an ISO 27001 perspective, it does not prescribe what your expiration duration should be, nor does it specify how many old passwords you should retain.
Instead, it provides generic guidelines on password management. For the sake of compliance and to satisfy auditors, it is better to have a password expiration duration of no more than 90 days, and to retain at least the last 2 passwords to prevent re-use.
ISO 27001 does explicitly mention that we should "maintain a record of previously used passwords and prevent re-use", but it does not specify how many of them should be retained.
The entire control and its implementation guidance read something like this:
Control A.9.4.3
Password Management System shall be interactive and shall ensure quality Passwords.
As per ISO 27001, a password management system should (with my own comments added):
- maintain accountability by enforcing the use of individual user IDs and passwords.
- let users select and change their password whenever necessary, basically meaning that users have control over their password.
- include a confirmation procedure to allow for input errors, for the times when users make a mistake logging in.
- enforce good quality passwords, which should ideally be defined in your password policy and enforced in your application.
- force users to change their passwords when they log on for the first time, without which users are unlikely to change their default password at all. A forced password update should be implemented when a password is reset by admins too.
- enforce regular password changes, which should ideally be every 90 days or less. Auditors seem to prefer 30 days, but that may be too much.
- retain previously used passwords and prevent their re-use, but it is not specified how many passwords should be saved.
- not display passwords on the screen when they are being entered, which is logical.
- store password data separately from application system data, although I am unsure how practical this is to implement from an architecture point of view.
- store and transmit passwords in protected form, like SSL for online applications.
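As an added example that is not part of either answer above, the following Python sketch shows one way to implement the mechanisms both answers describe: a record of the last four password hashes so that a new password cannot match any of the previous four (the PCI DSS 8.2.5 depth), a 90-day age check (8.2.4), a forced change on first logon and after an admin reset (the ISO 27001 list), and a minimum length set by organisational policy rather than the standard's seven. The choice of PBKDF2-HMAC-SHA256 with a per-entry random salt, the iteration count, the 14-character minimum and the sample passwords are my assumptions; the standards leave all of them open.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Policy parameters. The first two follow PCI DSS 3.2.1 (8.2.5 and 8.2.4);
# the length is an organisational choice stricter than the standard's seven.
HISTORY_DEPTH = 4                 # the new password may not match any of the last four
MAX_AGE = timedelta(days=90)      # rotate at least every 90 days
MIN_LENGTH = 14
# Assumption: iteration count kept low so the example runs quickly; use
# current guidance (several hundred thousand or more) in production.
PBKDF2_ITERATIONS = 100_000


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def hash_password(password: str) -> tuple[bytes, bytes]:
    """Fresh random salt per entry; only (salt, digest) is stored, never the password."""
    salt = os.urandom(16)
    return salt, _derive(password, salt)


def matches(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the re-derived digest against the stored one."""
    return hmac.compare_digest(_derive(password, salt), digest)


@dataclass
class Account:
    history: list[tuple[bytes, bytes]]   # most recent first; history[0] is the current password
    changed_at: datetime
    must_change: bool                    # True after creation or an admin reset


def _now(now: datetime | None) -> datetime:
    return now if now is not None else datetime.now(timezone.utc)


def create_account(initial_password: str, now: datetime | None = None) -> Account:
    """Admin-set initial password: the user must replace it at first logon."""
    return Account(history=[hash_password(initial_password)], changed_at=_now(now), must_change=True)


def admin_reset(acct: Account, temporary_password: str, now: datetime | None = None) -> None:
    """A reset by an administrator also forces a change at the next logon."""
    acct.history = [hash_password(temporary_password)] + acct.history[: HISTORY_DEPTH - 1]
    acct.changed_at = _now(now)
    acct.must_change = True


def rotation_due_at(acct: Account) -> datetime:
    return acct.changed_at + MAX_AGE


def password_expired(acct: Account, now: datetime) -> bool:
    return acct.must_change or now >= rotation_due_at(acct)


def check_quality(password: str) -> str | None:
    """Return a reason string if the candidate fails policy, else None."""
    if len(password) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    return None


def change_password(acct: Account, old: str, new: str, now: datetime | None = None) -> str | None:
    """Return None on success, otherwise the reason the change was rejected."""
    if not matches(old, *acct.history[0]):
        return "current password incorrect"
    problem = check_quality(new)
    if problem is not None:
        return problem
    # Each retained entry has its own salt, so the candidate is re-derived once
    # per entry: the history check costs one slow hash per stored password,
    # for the legitimate user and for anyone who steals the table alike.
    for salt, digest in acct.history:
        if matches(new, salt, digest):
            return f"matches one of the previous {HISTORY_DEPTH} passwords"
    acct.history = [hash_password(new)] + acct.history[: HISTORY_DEPTH - 1]
    acct.changed_at = _now(now)
    acct.must_change = False
    return None


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    acct = create_account("Temp-Password-123!")
    print(change_password(acct, "Temp-Password-123!", "correct horse battery staple"))
    print(change_password(acct, "correct horse battery staple", "Temp-Password-123!"))
    print(password_expired(acct, rotation_due_at(acct)))
```

Only salted, slow hashes of the previous passwords are retained, so the history table gives an attacker nothing better than the live credential table does; the depth constant and the age window are the two numbers an auditor will ask about, and both are visible in one place.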