Safetrust recommends that customers implement strong user authentication for their Credential Manager accounts. Safetrust’s Credential Manager allows customers to specify the level of authentication they wish to apply to their organization account on the service. While the configuration options range from SAML and OpenID to strong password policies, basic password-only authentication remains available for customers who are evaluating the service.
Safetrust is currently auditing its systems and processes to achieve NIST 800-171 certification. The National Institute of Standards and Technology (NIST) makes a number of password policy recommendations, which Safetrust enforces when users create their initial evaluation account. We assume that organizations will strengthen these policies for their own accounts once they complete their evaluation.
The basic NIST recommendations are:
· Passwords should not be too short
· Passwords should not be common or easily guessable passwords
· Passwords should not be common words
· Passwords should not be your name
· Passwords should not be repetitive
NIST makes available a file of passwords that it considers the most obvious examples of these weaknesses, or that have been used in common basic hacking exercises. Safetrust uses this list to validate that passwords comply with this minimum standard, in order to maintain basic authentication compliance with the NIST standard.
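The checks described above, as an added example that is not Safetrust's code; the blocklist entries and the 8-character minimum are constructed assumptions standing in for the NIST-derived file and the evaluation policy the text refers to:

```python
import re

# Constructed stand-in for the blocklist the text describes; a real deployment
# would load the full file (assumption: one lowercase entry per line).
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome", "monkey", "dragon"}
MIN_LENGTH = 8  # assumption: minimum length applied by the evaluation policy


def is_repetitive(pw: str) -> bool:
    """True when the password is one short unit repeated, e.g. 'aaaaaaaa' or 'abcabcabc'."""
    for unit in range(1, len(pw) // 2 + 1):
        if len(pw) % unit == 0 and pw[:unit] * (len(pw) // unit) == pw:
            return True
    return False


def contains_name(pw: str, user_name: str) -> bool:
    """True when any part of the user's name (3+ characters) appears in the password."""
    lowered = pw.lower()
    return any(len(part) >= 3 and part in lowered
               for part in re.split(r"\W+", user_name.lower()) if part)


def check_password(pw: str, user_name: str = "", blocklist=BLOCKLIST) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    lowered = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    # Common passwords and common words are both held in the blocklist; trailing
    # digits and punctuation are stripped so 'Password1!' still matches 'password'.
    core = re.sub(r"[\d\W_]+$", "", lowered)
    if lowered in blocklist or core in blocklist:
        problems.append("common password or common word")
    if user_name and contains_name(pw, user_name):
        problems.append("contains the user's name")
    if is_repetitive(pw):
        problems.append("repetitive")
    return problems


if __name__ == "__main__":
    for candidate in ["Password1!", "Jane.Doe2024", "abcabcabcabc", "correct horse battery staple"]:
        print(candidate, "->", check_password(candidate, "Jane Doe") or "OK")
```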
Because the strength of the authentication policy determines the security of the individual accounts that have rights to access your buildings or network, Safetrust strongly recommends that organizations configure appropriately strong account password policies when they create their production Credential Manager identity systems.