[Global_industry_committee] Draft NIST Special Publication 800-118 Guide to Enterprise Password Management

Colin Watson colin.watson at owasp.org
Tue May 19 09:04:28 EDT 2009


Leaders

The Industry Committee is preparing an OWASP response to the NIST
draft Special Publication "800-118 Guide to Enterprise Password
Management":

  http://csrc.nist.gov/publications/drafts/800-118/draft-sp800-118.pdf

Contents:

  1. Introduction
     1.1 Authority
     1.2 Purpose and Scope
     1.3 Audience
     1.4 Guide Structure
  2. Introduction to Passwords and Password Management
  3. Mitigating Threats Against Passwords
     3.1 Password Capturing
       3.1.1 Storage
       3.1.2 Transmission
       3.1.3 User Knowledge and Behavior
     3.2 Password Guessing and Cracking
       3.2.1 Guessing
       3.2.2 Cracking
       3.2.3 Password Strength
       3.2.4 User Password Selection
       3.2.5 Local Administrator Password Selection
     3.3 Password Replacing
       3.3.1 Forgotten Password Recovery and Resets
       3.3.2 Access to Stored Account Information and Passwords
       3.3.3 Social Engineering
     3.4 Using Compromised Passwords
  4. Password Management Solutions
     4.1 Single Sign-On Technology
     4.2 Password Synchronization
     4.3 Local Password Management
     4.4 Comparison of Password Management Technologies

Appendix A— Device and Other Hardware Passwords
Appendix B— Glossary
Appendix C— Acronyms and Abbreviations

This is already a very comprehensive document, but we have drafted
some additional web application comments, mainly referencing the OWASP
Development Guide:

  http://www.owasp.org/index.php/Industry:Draft_NIST_SP_800-118

Please let me know any additional ideas, comments, changes via the
wiki (under "Draft 1 Comments"), by direct email or using the Industry
Committee mailing list:

  http://www.owasp.org/index.php/Global_Industry_Committee

Our deadline to submit to NIST is 29 May.

Regards

Colin Watson
Global Industry Committee

