[Global_industry_committee] [Owasp-leaders] Draft NIST Special Publication 800-118 Guide to Enterprise Password Management

Jeff Williams jeff.williams at owasp.org
Tue May 19 13:59:56 EDT 2009


Hi all,

I think this is a great effort and that it's wonderful for OWASP to raise
awareness, particularly at NIST, about the way the Internet security works
at the application layer.

When providing feedback to a government agency via a notice and comment
request, it's very important to realize that while they are required by law
to request feedback, they are not really obligated to do anything with that
feedback.

Therefore, it is critically important to have a ONE page summary as the
first page, and to have THREE recommendations on that page. Two is too few,
four is too many. Choose wisely, as your opportunity to influence them is
extremely limited. Think about what will motivate them to actually change
what they are doing!

I have some contacts at NIST and can work with them to make sure that our
feedback gets the appropriate attention, but it needs to be crisp and
focused first.

Good luck! Be compelling!

--Jeff

Jeff Williams, Chair
The OWASP Foundation
Work: 410-707-1487
Main: 301-604-4882


> -----Original Message-----
> From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-
> bounces at lists.owasp.org] On Behalf Of Colin Watson
> Sent: Tuesday, May 19, 2009 9:04 AM
> To: owasp-leaders at lists.owasp.org;
> Global_industry_committee at lists.owasp.org
> Subject: [Owasp-leaders] Draft NIST Special Publication 800-118 Guide
> to Enterprise Password Management
> 
> Leaders
> 
> The Industry Committee is preparing an OWASP response to the NIST
> draft Special Publication "800-118 Guide to Enterprise Password
> Management":
> 
>   http://csrc.nist.gov/publications/drafts/800-118/draft-sp800-118.pdf
> 
> Contents:
> 
>   1. Introduction
>      1.1 Authority
>      1.2 Purpose and Scope
>      1.3 Audience
>      1.4 Guide Structure
>   2. Introduction to Passwords and Password Management
>   3. Mitigating Threats Against Passwords
>      3.1 Password Capturing
>        3.1.1 Storage
>        3.1.2 Transmission
>        3.1.3 User Knowledge and Behavior
>      3.2 Password Guessing and Cracking
>        3.2.1 Guessing
>        3.2.2 Cracking
>        3.2.3 Password Strength
>        3.2.4 User Password Selection
>        3.2.5 Local Administrator Password Selection
>      3.3 Password Replacing
>        3.3.1 Forgotten Password Recovery and Resets
>        3.3.2 Access to Stored Account Information and Passwords
>        3.3.3 Social Engineering
>      3.4 Using Compromised Passwords
>   4. Password Management Solutions
>      4.1 Single Sign-On Technology
>      4.2 Password Synchronization
>      4.3 Local Password Management
>      4.4 Comparison of Password Management Technologies
> 
> Appendix A- Device and Other Hardware Passwords
> Appendix B- Glossary
> Appendix C- Acronyms and Abbreviations
> 
> This is already a very comprehensive document, but we have drafted
> some additional web application comments, mainly referencing the OWASP
> Development Guide:
> 
>   http://www.owasp.org/index.php/Industry:Draft_NIST_SP_800-118
> 
> Please let me know any additional ideas, comments, changes via the
> wiki (under "Draft 1 Comments"), by direct email or using the Industry
> Committee mailing list:
> 
>   http://www.owasp.org/index.php/Global_Industry_Committee
> 
> Our deadline to submit to NIST is 29 May.
> 
> Regards
> 
> Colin Watson
> Global Industry Committee
