Commentary
9/11/2017 11:30 AM
Jackson Shaw

Why Relaxing Our Password Policies Might Actually Bolster User Safety

Recent guidance from NIST may seem counterintuitive.

Despite all the publicity about breaches, ransomware, and the like, we're still using some pretty dumb passwords. Users typically aim for passwords that are easy to remember across their many logins, which they are also asked to change frequently. The result is far too many passwords that are trivially easy to guess or crack, and one of security's biggest headaches.

SplashData published its sixth annual list of the most common passwords in February, based on more than 5 million passwords leaked during the year. Not surprisingly, variations of "password" and "123456" took the top two spots. Other heavily used passwords include these:

  • football
  • princess
  • welcome
  • hottie
  • admin

The US National Institute of Standards and Technology (NIST) faced the problem head on in its recent recommendations, Special Publication 800-63-3, Digital Identity Guidelines, released in June 2017; the password rules discussed here live in the companion volume SP 800-63B, Authentication and Lifecycle Management. Look through the recommendations and you'll spot a theme: relax some policies. Yes, relax, even though breaches are on the rise. I've highlighted a few of NIST's recommendations below and added my perspective as an identity and access management expert.

Remove Periodic Password Change Requirements
NIST specifically recommends having users create new passwords when they request to do so, or if there is evidence of a compromise. Say what?!

Yes, NIST's position is that forced periodic password changes don't really prevent breaches, so verifiers should not require them. It does, however, require that user-chosen passwords be at least eight characters long, and that every new or changed password be checked against a list of values known to be commonly used, expected, or compromised. That list may include passwords obtained from previous breaches, dictionary words, repetitive or sequential characters (for example, "aaaaaa" and "1234abcd"), and context-specific words such as the name of the service, the username, and derivatives of those.

I agree with NIST's recommendation here. If an end user creates a sufficiently strong password, why make him or her change it frequently? In fact, periodic password changes likely result in weaker passwords, as frustrated users opt for easy (and insecure) ones, reasoning that they'll have to change them again soon anyway. The key is that the password must be strong to begin with, long and not on any blocklist; otherwise we risk living with weak passwords for long periods of time.

Usability Is Important
NIST points out that the usability of authentication systems is paramount. If authentication methods aren't easy for end users, they will work around the complexity by writing passwords down and by doing things like replacing vowels with numbers ("passw0rd" instead of "password"). Attackers figured this out long ago; password-cracking tools apply exactly these substitutions as rules. Password policies and strategies have all been geared toward making passwords too complex to remember, and that has pushed end users to work around the complexity, which in turn makes passwords less secure.

An executive once told me how he walked around the office at night flipping over keyboards and finding passwords written on sticky notes. And while an old-fashioned sticky note may escape a remote attacker's best efforts, a digital document can't.

Check Passwords Against a Dictionary of Compromised Passwords
Attackers typically run dictionary attacks against a target: they work through a list of candidate passwords to see which one works. So one additional NIST recommendation is to check every new or changed password against a database of known compromised passwords. If a password has appeared in a previous breach (say, "12345" or "StarWars"), you can assume attackers already have it in their wordlist.

Personally, I think checking passwords against a dictionary of compromised passwords is the single best practice for ensuring that you avoid using one that is routinely cracked.
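As an added example (not code from the article, from NIST, or from One Identity), here are the checks the two sections above describe, in Python: minimum length, repetitive or sequential characters, context-specific words, and a lookup against a corpus of breached passwords. The breach lookup uses the hash-prefix (k-anonymity) pattern popularised by Have I Been Pwned, run here against a small constructed in-memory corpus instead of a live service. The sample corpus, the leet-substitution map, and the run length of four are assumptions made for illustration.

```python
"""Memorized-secret checks in the style of NIST SP 800-63B section 5.1.1.2.

Added example, not code from the article or from NIST. The corpus, the
leet map and the run threshold of 4 are assumptions for illustration.
"""
import hashlib
import re
import unicodedata

MIN_LEN = 8    # 800-63B minimum length for user-chosen memorized secrets
MAX_LEN = 64   # 800-63B: verifiers SHOULD permit at least 64 characters
RUN = 4        # assumed threshold for a "repetitive or sequential" run

# Constructed stand-in for a breach corpus, stored as upper-case SHA-1 hex
# digests so the verifier never holds plaintexts (the layout HIBP uses).
_SAMPLE_BREACHED = ["password", "123456", "football", "princess",
                    "welcome", "hottie", "admin", "StarWars", "12345"]
BREACH_CORPUS = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
                 for p in _SAMPLE_BREACHED}

# Assumed de-leeting map so that "passw0rd" is judged as "password".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def breach_range(prefix):
    """Server side of the k-anonymity lookup: every digest suffix whose
    digest starts with the 5-hex-char prefix. Only the prefix ever leaves
    the client, so the server learns neither the password nor its hash."""
    return sorted(h[5:] for h in BREACH_CORPUS if h.startswith(prefix))


def is_breached(password):
    """Client side: hash locally, query by prefix, compare suffixes locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[5:] in breach_range(digest[:5])


def is_repetitive_or_sequential(password, run=RUN):
    """True for runs such as 'aaaa', '1234' or 'dcba' of length >= run."""
    s = password.lower()
    if re.search(r"(.)\1{%d,}" % (run - 1), s):       # same char repeated
        return True
    for i in range(len(s) - run + 1):                  # ascending/descending
        codes = [ord(c) for c in s[i:i + run]]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_password(password, username="", service="", dictionary=()):
    """Return the list of reasons to reject; an empty list means accept."""
    pw = unicodedata.normalize("NFKC", password)     # 800-63B: normalise first
    variants = {pw, pw.lower().translate(LEET)}       # literal and de-leeted
    words = {d.lower() for d in dictionary}
    context = [w.lower() for w in (username, service) if len(w) >= 3]
    reasons = []
    if len(pw) < MIN_LEN:                             # len() counts code points
        reasons.append("too_short")
    if len(pw) > MAX_LEN:
        reasons.append("too_long")
    if any(is_breached(v) for v in variants):
        reasons.append("breached")
    if any(v.lower() in words for v in variants):
        reasons.append("dictionary_word")
    if is_repetitive_or_sequential(pw):
        reasons.append("repetitive_or_sequential")
    if any(c in v.lower() for v in variants for c in context):
        reasons.append("context_word")
    return reasons


if __name__ == "__main__":
    for candidate in ["admin", "passw0rd", "1234abcd", "darkreading2017",
                      "correct horse battery staple"]:
        verdict = check_password(candidate, username="jshaw",
                                 service="darkreading", dictionary=["password"])
        print(repr(candidate), "->", verdict or "accepted")
```

In production, `breach_range` would be a call to the Pwned Passwords range endpoint or to a local copy of the corpus; the client-side logic stays the same. The de-leeting map is a heuristic for the "derivatives thereof" clause and will not catch keyboard walks such as "qwerty", which belong on the blocklist itself.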

Knowledge-Based Authentication Is Out
NIST recommends that knowledge-based authentication (KBA) be discontinued. SP 800-63B, section 5.1.1.2, states: "Memorized secret verifiers SHALL NOT permit the subscriber to store a hint that is accessible to an unauthenticated claimant. Verifiers SHALL NOT prompt subscribers to use specific types of information (e.g., "What was the name of your first pet?") when choosing memorized secrets."

I agree with this guidance as well. With Facebook and LinkedIn so widely used, it is increasingly easy for the bad guys to trawl for answers to questions like "What high school did you go to?" or "What city did you meet your spouse in?" (This is especially true for celebrities, whose personal details are all publicly available, making them ridiculously easy to hack.) Questions such as "What's your mother's maiden name?" are well out of favor now for the same reason.

I strongly recommend that anyone who has KBA-type questions associated with a system take a second look at those Q&As to ensure that 1) the questions cannot be answered by reading your Facebook or LinkedIn profile, and 2) you replace any questions that can be, and that your answers are still accurate.

Passwords and Beyond
The upshot is that in its new guidelines on authentication and authenticators, NIST has prioritized usability over complexity. NIST is putting the onus on the builders of these systems to do a better job, rather than on the end user to remember complex password policies, which inevitably results in passwords being written down or stored in a Word document or Excel spreadsheet. That was the pattern in the infamous Sony breach, during which the attackers simply searched for documents with "password" in their titles and found hundreds of valuable credentials.

Beyond changing these simple password policies, the right strategy when it comes to user authentication is one that is both adaptive and multifactor — one that accounts for human blunders and sophisticated hacks.

I'm looking forward to less rigor related to how often I have to change my password. IT, are you reading this?


Jackson Shaw is senior director of product management for One Identity, the identity & access management (IAM) business of Quest Software. Prior to Quest, Jackson was an integral member of Microsoft's IAM product management team within the Windows server marketing group at ...
Comments

ScottyTheMenace | User Rank: Apprentice | 9/11/2017 5:40:16 PM
Excellent advice all around - here's a trick I use for KBA
Thanks for this great article. I'm glad NIST is leading the way on this.

My biggest complaint about well-meaning security policies is exactly what you're saying here: they're so damn complex and annoying that they actually encourage bad password practices. Stop the madness!

One trick I use (besides a password manager) is regarding KBA. As you say, most of the answers to security questions can be found on social media or simple web searches. My solution? Fake it. I created a fictional "life" and use that information. You only need a few pieces of information (stored securely in an encrypted password manager lest you forget): a male and a female name (for any person variant), a car model, two wild cards (one for city/school/street and one for school mascot/pet/etc.), and perhaps one random word for more obscure questions. Make them memorable but wholly unrelated to your life and I think it's a pretty secure alternative if you need to create these security questions. If you use a password manager you could even go a step further and use unique fake answers for each account. You might get a free tin foil hat for doing that. :)

Hopefully MFA will become ubiquitous very soon and make even this little trick obsolete.

galoot | User Rank: Apprentice | 9/12/2017 3:17:03 AM
The UK Government recommended similar policies in January 2016
The UK government recommendations for passwords, https://www.ncsc.gov.uk/guidance/password-guidance-simplifying-your-approach, have a lot of similarities to those in this article.

REISEN1955 | User Rank: Ninja | 9/12/2017 11:00:08 AM
My password advice
Hard to figure out, easy to remember, right? So "erwnhgkjnwkj21" is not a good choice. People have one universal weird interest: HOBBIES, things we like and enjoy that we NEVER FORGET as individuals. So my password recommendation is a combination of 2 hobby terms and a weird character between them. Almost impossible to hack and easy for the user to remember. Easy to sequence too.

ScottyTheMenace | User Rank: Apprentice | 9/12/2017 2:48:33 PM
Re: My password advice
The problem with using hobbies is the same problem with using any other personal information: it's not at all hard to figure out for most people and actually as easy to hack as any of the standard security questions. Hobbies are one of the things people share most on social, especially on sites like Pinterest and Instagram that are practically custom built for sharing hobbies. Any bad actor targeting someone can scan someone's social feed for hobbies, and they'd also be included in any breach dumps for purchase on the black market.

The most secure passwords have no connection to our personal lives.

REISEN1955 | User Rank: Ninja | 9/12/2017 3:23:32 PM
Re: My password advice
True to the extent that hobby interests are revealed on social media. Still a better choice, and if I could mentally manage a random password generator (they exist), great. I suppose a good code to use would be an MD5 HASH of a file!!!!! Let somebody try to crack that one AS LONG AS THE FILE ITSELF is not advertised.

REISEN1955 | User Rank: Ninja | 9/13/2017 3:29:36 PM
Equifax Website in Argentina
Was held secure by the totally unique and innovative user-password combo of " admin \ admin " !!!!

jenshadus | User Rank: Strategist | 9/26/2017 2:56:05 PM
Great Article, passed this one to Security
They want to lock down everything and lock it down with multifactor authentication. Easier passwords would be better and probably more secure with this approach. I don't use anything resembling my life, just passing obscure merchandise sitting on my desk. Those come and go more frequently than the password change.

REISEN1955 | User Rank: Ninja | 9/26/2017 3:47:16 PM
Re: Great Article, passed this one to Security
Like it or not, 2 factor authentication is the future and it should be used NOW!!!