Identity & Access Management
Security Congress Abstract
Two significant changes in NIST's 2017 password guidance (SP 800-63B) are that you no longer have to change a password on a schedule, only when you suspect it is compromised, and that you no longer have to visit the upper row of your keyboard to compose one: mandatory mixes of digits and symbols are gone. But people continue to complain about the Sisyphean task of managing passwords.
The speakers will describe guidance on: syntax, management, and strengthening the secure storage of passwords; usability; and second-factor tokens, including the risk of using SMS to convey authentication information.
The PCI DSS currently follows the NIST 2004 password guidance but allows an organization to deploy alternative approaches (compensating controls) if it can show that the resulting risk is less than the risk of complying with the requirement as written. The speakers will describe possible approaches to password syntax and to changing passwords.
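The following is an added illustration for this abstract, not code from the speakers, from NIST, or from the PCI SSC. It puts the 2004-style rule that PCI DSS still mirrors (7+ characters, letters and digits) beside a 2017-style rule (length, deny-list screening, no composition requirements), and shows salted PBKDF2 storage with a work factor that is upgraded at login rather than by calendar rotation. The deny-list contents, the iteration count, the 16-byte salt and the `pbkdf2_sha256$...` storage format are assumptions chosen for the example.

```python
"""Password acceptance and storage in the spirit of NIST SP 800-63B.

Added example for this abstract; not the speakers', NIST's or PCI SSC's code.
Deny list, iteration count, salt length and record format are assumptions.
"""
import hashlib
import hmac
import os
import unicodedata
from typing import List, Optional, Tuple

MIN_LEN = 8           # 800-63B: memorized secrets are at least 8 characters
MAX_LEN = 64          # 800-63B: at least 64 characters must be permitted
ITERATIONS = 100_000  # assumption; 800-63B names PBKDF2 with at least 10,000

# Constructed stand-in for a breach-corpus deny list. Real deployments screen
# against a large list of leaked and commonly chosen passwords.
COMPROMISED = {"password", "passw0rd", "123456", "qwerty123", "letmein1", "welcome1"}


def normalize(pw: str) -> str:
    """NFKC so the same secret typed on different keyboards hashes identically."""
    return unicodedata.normalize("NFKC", pw)


def legacy_check(pw: str) -> List[str]:
    """2004-style rule as still mirrored by PCI DSS: >= 7 chars, letters and digits."""
    reasons = []
    if len(pw) < 7:
        reasons.append("shorter than 7 characters")
    if not any(c.isalpha() for c in pw) or not any(c.isdigit() for c in pw):
        reasons.append("must mix letters and digits")
    return reasons


def nist_check(pw: str, context_words: Tuple[str, ...] = ()) -> List[str]:
    """2017-style rule: length and deny-list screening, no composition rules."""
    pw = normalize(pw)
    reasons = []
    if len(pw) < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")
    if pw.lower() in COMPROMISED:
        reasons.append("found in compromised-password list")
    for word in context_words:  # e.g. the username or the service name
        if word and word.lower() in pw.lower():
            reasons.append(f"contains context word {word!r}")
    return reasons


def hash_password(pw: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as a self-describing record (format assumed)."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", normalize(pw).encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(pw: str, stored: str) -> bool:
    """Recompute with the stored salt and work factor; constant-time compare."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", normalize(pw).encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def login(pw: str, stored: str) -> Tuple[bool, Optional[str]]:
    """Verify the password. On success, return a re-hashed record when the stored
    work factor is below the current one, so strength improves without forcing
    the user to change the password on a schedule."""
    if not verify_password(pw, stored):
        return False, None
    _, iters, _, _ = stored.split("$")
    if int(iters) < ITERATIONS:
        return True, hash_password(pw)
    return True, None


if __name__ == "__main__":
    for candidate in ("Passw0rd", "correct horse battery staple"):
        print(candidate, "| legacy:", legacy_check(candidate) or "ok",
              "| nist:", nist_check(candidate) or "ok")
    record = hash_password("correct horse battery staple")
    print(login("correct horse battery staple", record)[0])
```

Note the reversal between the two rules: the legacy check accepts `Passw0rd` and rejects the four-word passphrase, while the 2017-style check does the opposite. Forcing a change only on evidence of compromise is expressed here by the absence of any age field in the record; the only automatic re-hash is the work-factor upgrade in `login`.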