In a world of ever faster computing power, the thought that passwords should become simpler appears to be going against the grain. Yet, in May of 2017, the highly regarded American agency, NIST (National Institute of Standards and Technology), ended its consultative period for a new report into password guidelines. Contained within were some surprises about what we have come to believe about the security of complex passwords.
Although an American agency, NIST is highly regarded internationally as a leading source of recommendations on many aspects of IT and IT security, such as operating system configuration and hardening. For some, its guidelines have become de facto standards of thought leadership where comparable guidance is lacking in their home nations.
In 2016, NIST began a consultative period for its latest work in updating its password recommendations. This period, which lasted six months, aimed to gather feedback on the content of the report ahead of final publication later in 2017. The report comes at a critical moment, as 2016 saw an exponential rise in cybercrime, fuelled in part by campaigns designed to extort money through ransom and to steal credentials.
The market for fresh and active stolen credentials is lucrative because of the proliferation of password sharing, that is, the use of identical passwords in multiple locations. Experian, which conducted a report into password sharing, found that on average 25- to 34-year-olds held accounts with over 40 online services. Across those services only five unique passwords had been used, meaning each password was used at least eight times. Consequently, if one password is stolen, it could be used to access seven other services.
NIST blames poor password hygiene on the IT industry's obsession with ever more complex password requirements, such as capital letters, numbers, symbols, minimum lengths and password expiration periods as short as 30 days. As all IT administrators will have noted over the years, such stringent controls encourage users to append the number one and increment it each time the password expires, or simply to capitalise the first character of the password. In the worst case, they encourage users to write passwords down, negating the whole point of a password (something you know).
Contrary to popular thinking, NIST now recommends removing all such requirements (dependent on threat modelling) and instead focusing on some core principles:
- Encourage passphrases instead of passwords. Passphrases are made up of a combination of words, or a sentence without spaces between the words. This makes a dictionary attack much more difficult.
- Remove the need to change passwords after an expiration. This encourages people to write down passwords as they can no longer remember them.
- Remove requirements for capitalisation, symbols or numbers.
- Remove password length requirements. Phishing, keylogging and other social engineering methods have proven just as successful against lengthy passwords as they have shorter ones.
- Check password choices against a known black list. Ensuring passwords are not names, dates of birth or other well-known attributes will slow the use of social engineering and password guessing.
- Use lock-out and re-try periods. This is an effective defence with online portals and it slows down unauthorised access attempts and frustrates attackers.
- Use multi-factor authentication. A constantly changing, cryptographically generated code is impossible to guess or recreate. This method has been used by online banks and other organisations for the past 5 years.
Flying in the Face of it
To those who have worked in IT for years, the reversal in advice, although common sense, is somewhat odd. It is conventional wisdom that the more sophisticated the attacker, the more complex the defence must be. In this case, however, that does not hold water; what we thought was providing protection was actually creating a vulnerability, simply because we assumed an idealised, well-informed human response to password requirements.
Our world is nothing like that; we expect to be safe and to have everything easy to use. Maybe this will go some way towards helping.