Reference (Include section and paragraph number): 5.1.1.1. Memorized Secret Authenticators ALSO A.2 and A.5
Comment (Include rationale for comment):
This topic has been raised repeatedly and closed. I suggest that the professional opinion of many participants is not being given adequate attention, which can erode the value of public discussion of federal standards.
I believe the argument that sensitive access will be further protected by 2FA violates the fundamental principle of defense in depth. The existence of another control does not justify weakly implementing a control. For example, we have recently seen an attack specifically designed to subvert an SMS-based 2FA solution. In that case, the attack used other means to learn the users' passwords, but this attack could well be applied to users specifically because their password had been compromised via hash cracking. Passwords must be strong, as must other authenticators.
Many systems do not currently support slow hash algorithms, and we must protect assets until slow hash algorithms are universal. Also, further increases in processing power and optimization of brute-force methods may weaken slow hashes of short passwords. The argument that users reject, and can be expected to undermine the value of, longer passwords is easily refuted with training toward user-friendly passphrases.
I disagree with the recommendation of an 8-character minimum length for memorized authenticators.
Suggested Change:
I propose that the minimum length for authenticators created by the user be increased to 12 characters.
Thank you for your consideration and review of these documents. We have carefully considered your feedback, and have addressed in older issues why we will retain the requirements currently specified.
Organization Name (N/A, if individual): N/A
Organization Type (see below for codes): 4
Document (63-3, 63A, 63B, or 63C): 63B
Organization Type: 1 = Federal, 2 = Industry, 3 = Academia, 4 = Self, 5 = Other