The Dumbest Passwords People Still Use: that’s the title of an article that ZDNet recently published. Despite all of the publicity about breaches, ransomware and the like, we are still using some pretty dumb passwords, writes Jackson Shaw – EMEA Director at One Identity, an IT access management and ‘Identity as a Service’ product company.
A few examples from the article – which I highly recommend you read – are below:
In total, the article lists 21 dumb passwords. Interesting to me that there’s a preponderance of “heroes” in the list – including my favorite: MyMomIs#1. Folks are still using 12345, too! Not only does this article come after so much bad press about cyber-attacks, but it also follows the United States National Institute of Standards and Technology (NIST) recent recommendations: Special Publication 800-63-3: Digital Authentication Guidelines. Among the many NIST recommendations, there are recommendations to relax – yes, you read that right – relax password policies. I’ve highlighted a few of the recommendations below:
Remove periodic password change requirements
NIST specifically calls out not requiring that memorized secrets (passwords) be changed arbitrarily (e.g., periodically) unless there is a user request or evidence of authenticator compromise. Say what?! Yes, NIST believes that periodic password changes do not really prevent breaches. Specifically, if an end-user creates a sufficiently strong password, then why would you make them change it frequently? NIST does say that a password should be at least eight characters in length, and that candidate passwords should also be checked against passwords obtained from previous breaches, dictionary words, repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’) and context-specific words, such as the name of the service, the user name, and derivatives thereof.
NIST makes the point that usability of authentication systems is paramount. If authentication methods aren’t easy for end-users, then the end-user will work around the complexity by writing down passwords or doing things like replacing vowels with numbers (passw0rd instead of password) – as if hackers hadn’t figured that trick out! So from that perspective I really do agree with NIST. Our password policies and strategies have all been geared towards making passwords more complex to remember, and it has resulted in end-users working around that complexity. NIST applies the same usability principle to other types of authenticators, like hardware tokens or software-based tokens. I am sure that most end-users would be happy with better usability when it comes to authentication. I know I am.
Check passwords against a dictionary of compromised passwords
Hackers will typically perform dictionary attacks against a target: they simply run through a list of passwords to see which one might work. One additional step would be for a changed password to be checked against a database of known, compromised passwords. If the password has been compromised previously – like 12345 or StarWars – it’s a sure bet that hackers have it in their dictionary.
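As an added example (not code from the article, One Identity or NIST), here is a small verifier-side check that applies the SP 800-63B memorized-secret rules described above: minimum length, a breach corpus, a dictionary, repetitive or sequential characters, and context-specific words such as the service name and user name. The breach and dictionary sets, the service name and the user name are constructed for illustration.

```python
import re

# Constructed, tiny stand-in for a breached-password corpus; a real deployment
# would load a full breach list instead of this handful of entries.
BREACHED = {"12345", "123456", "password", "starwars", "mymomis#1", "qwerty"}

# Constructed dictionary words; a real check uses a full wordlist.
DICTIONARY = {"password", "welcome", "dragon", "monkey", "football"}

MIN_LENGTH = 8  # SP 800-63B minimum for user-chosen memorized secrets

def has_repetitive_run(pw, run=4):
    """True if any character repeats `run` or more times in a row (e.g. 'aaaaaa')."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None

def has_sequential_run(pw, run=4):
    """True if `run` consecutive chars step by +1 or -1 (e.g. '1234', 'abcd', 'dcba')."""
    for i in range(len(pw) - run + 1):
        window = pw[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False

def context_words(service, username):
    """Service name, user name and simple derivatives (parts split on separators)."""
    words = set()
    for term in (service, username):
        words.add(term.lower())
        words.update(p for p in re.split(r"[^a-z0-9]+", term.lower()) if len(p) >= 3)
    return words

def check_password(pw, service, username):
    """Return the reasons a memorized secret is rejected; an empty list means accepted."""
    reasons = []
    lowered = pw.lower()
    if len(pw) < MIN_LENGTH:
        reasons.append("too short")
    if lowered in BREACHED:
        reasons.append("found in breach corpus")
    if lowered in DICTIONARY:
        reasons.append("dictionary word")
    if has_repetitive_run(pw):
        reasons.append("repetitive characters")
    if has_sequential_run(pw):
        reasons.append("sequential characters")
    if any(w in lowered for w in context_words(service, username)):
        reasons.append("contains service name or username")
    return reasons
```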
NIST is also recommending that knowledge-based authentication be discontinued: “Memorized secret verifiers SHALL NOT permit the subscriber to store a hint that is accessible to an unauthenticated claimant. Verifiers SHALL NOT prompt subscribers to use specific types of information (e.g., “What was the name of your first pet?”) when choosing memorized secrets.” I don’t disagree with this guidance either. With Facebook and LinkedIn it is increasingly easy for the bad guys to trawl around for answers to things like “What high school did you go to?” or “What city did you meet your spouse in?”.
So, the upshot of this is that NIST has come out with new guidelines related to authentication and authenticators. They’ve prioritized ease-of-use and usability over complexity. NIST is putting the onus on the manufacturers of these systems to do a better job, rather than putting the onus on the end-user to remember complex password policies that inevitably result in passwords being written down or stored in a Word document or Excel spreadsheet. The right strategy is one that is both adaptive and multi-factor. ‘Adaptive’ to the risk or threat of the moment, so that when something in the IT environment changes – just as when you visit a new country for the first time and are asked to prove who you are in a more rigorous fashion – access can still be permitted, with an appropriate degree of diligence. ‘Multi-factor’ so that authentication isn’t achieved simply via a password, but incorporates other factors like biometrics or a mobile phone.
I am looking forward to less rigor related to how often I have to change my password. IT, are you reading this??