[Owasp-delhi] FW: [Owasp-leaders] Draft NIST Special Publication 800-118 Guide to Enterprise Password Management

Soi, Dhruv dhruv.soi at owasp.org
Tue May 19 09:13:16 EDT 2009

Might be of interest to you as well...

-----Original Message-----
From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Colin Watson
Sent: Tuesday, May 19, 2009 6:34 PM
To: owasp-leaders at lists.owasp.org; Global_industry_committee at lists.owasp.org
Subject: [Owasp-leaders] Draft NIST Special Publication 800-118 Guide to
Enterprise Password Management


The Industry Committee is preparing an OWASP response to the NIST
draft Special Publication "800-118 Guide to Enterprise Password



  1. Introduction
     1.1 Authority
     1.2 Purpose and Scope
     1.3 Audience
     1.4 Guide Structure
  2. Introduction to Passwords and Password Management
  3. Mitigating Threats Against Passwords
     3.1 Password Capturing
       3.1.1 Storage
       3.1.2 Transmission
       3.1.3 User Knowledge and Behavior
     3.2 Password Guessing and Cracking
       3.2.1 Guessing
       3.2.2 Cracking
       3.2.3 Password Strength
       3.2.4 User Password Selection
       3.2.5 Local Administrator Password Selection
     3.3 Password Replacing
       3.3.1 Forgotten Password Recovery and Resets
       3.3.2 Access to Stored Account Information and Passwords
       3.3.3 Social Engineering
     3.4 Using Compromised Passwords
  4. Password Management Solutions
     4.1 Single Sign-On Technology
     4.2 Password Synchronization
     4.3 Local Password Management
     4.4 Comparison of Password Management Technologies

Appendix A - Device and Other Hardware Passwords
Appendix B - Glossary
Appendix C - Acronyms and Abbreviations

This is already a very comprehensive document, but we have drafted
some additional web application comments, mainly referencing the OWASP
Development Guide:


Please let me know any additional ideas, comments, changes via the
wiki (under "Draft 1 Comments"), by direct email or using the Industry
Committee mailing list:


Our deadline to submit to NIST is 29 May.


Colin Watson
Global Industry Committee
OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
