Fix Enforced Password (in)security!
There are some things in life that kinda annoy you, and you want to do something about them. But they seem too big. Too hard. Someone else's responsibility. Which often just means you aren't confident enough to try. Sometimes, if you try hard, you can make things happen.
Even big things, like getting more than one defence force to adopt a peacekeeping project in a foreign country that you decided was a good idea to help the mission... even if you nearly get court-martialled for pushing it, as sometimes you might also get an official commendation for it. Or you may decide the traffic is going the wrong way, and lobby the council to change the direction of traffic flow despite naysayers telling you it's impossible. Or lobby the UK government to implement a new funding scheme that specifically includes school scheduling.
So far I've managed to have good success in pushing some of these impossible projects, and it wasn't easy. But there are always more to work on. Here's one that needs some attention. Will you help? FYI, National Password Day is May 6.
TLDR: the UK and US governments, security researchers and even Microsoft agree that the old password policy sucked. Australia hasn't quite got the memo, and nor have a lot of companies. Forced symbols and forced expiry are both BAD!
Password Security
We all know what this means, I presume: that a good password has a lot of different special symbols, upper and lower case letters and numbers... and especially that it should be regularly changed, or forced to be changed by your IT department. This helps keep it secure in case it was compromised. Also, we should record the answers to some knowledge questions, like our first car or the name of our first pet, so these can be used to verify us if we forget our password.
Except not. The above is ALL the complete opposite of what correct password security is about.
Governments around the world put significant resources into security research in defence and intelligence, and are also a major provider of security advice to business.
It will probably come as some surprise that some of the largest countries' governments agree on the core aspects of password security. That we should:
- NOT enforce special characters, and should
- NOT force users to regularly change their passwords
- NOT use knowledge questions for password resets
Wikipedia has the right idea, saying that complexity rules and forced password resets just make systems less secure, due to the human element.
https://en.wikipedia.org/wiki/Password#Choosing_a_secure_and_memorable_password
The obvious outcome of the move to (more secure and more memorable) passphrases over the old passwords is that we gain entropy from LENGTH, not from special characters. The old special-character shenanigans may have made sense in 1985, when some systems limited passwords to a low number of characters, but that is not the case today. So we don't need to ENFORCE special characters anymore... ever... (unless you want them).
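To put numbers on "entropy from length, not from special characters", here is an added worked example (my own code, not from the original post). It assumes symbols are chosen uniformly at random; the character-set sizes, the 7776-word diceware-style list, and the attacker model for a mangled dictionary word (100,000-word dictionary, 4 substitution patterns, 10 one-digit suffixes) are constructed assumptions for the calculation.

```python
from __future__ import annotations
import math

# Character-set sizes used below (constructed, typical values).
CHARSETS = {
    "lowercase only": 26,
    "mixed case + digits": 62,
    "mixed case + digits + symbols": 95,   # all printable ASCII
}
# Word-list size for a diceware-style passphrase; the EFF long list has 7776 words.
WORDLIST_SIZE = 7776


def charset_entropy_bits(length: int, charset_size: int) -> float:
    """Entropy of a password of `length` symbols chosen uniformly at random
    from `charset_size` possibilities: length * log2(charset_size)."""
    return length * math.log2(charset_size)


def passphrase_entropy_bits(words: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Entropy of `words` words chosen uniformly from a list of `wordlist_size`."""
    return words * math.log2(wordlist_size)


def length_for_target(target_bits: float, charset_size: int) -> int:
    """Smallest length that reaches `target_bits` using the given character set."""
    return math.ceil(target_bits / math.log2(charset_size))


def mangled_word_entropy_bits(dictionary_size: int, substitution_patterns: int,
                              suffix_options: int) -> float:
    """Entropy of a 'complex-looking' password that is really a dictionary word with
    a predictable substitution (o->0, a->@) plus a short suffix. An attacker who
    models the pattern only searches dictionary x patterns x suffixes (assumed model)."""
    return math.log2(dictionary_size * substitution_patterns * suffix_options)


def compare() -> dict[str, float]:
    """Worked comparison: how length stacks up against character-class rules."""
    complex8 = charset_entropy_bits(8, CHARSETS["mixed case + digits + symbols"])
    return {
        "8 chars, full 95-symbol set": complex8,
        "8 chars, lowercase only": charset_entropy_bits(8, CHARSETS["lowercase only"]),
        "lowercase length matching the 8-char complex password": float(length_for_target(complex8, 26)),
        "16 chars, lowercase only": charset_entropy_bits(16, 26),
        "4 random words": passphrase_entropy_bits(4),
        "5 random words": passphrase_entropy_bits(5),
        # constructed attacker model: 100k-word dictionary, 4 leet patterns, 10 digit suffixes
        "'P@ssw0rd1'-style mangled word": mangled_word_entropy_bits(100_000, 4, 10),
    }


if __name__ == "__main__":
    for label, value in compare().items():
        print(f"{label:55} {value:6.1f}")
```

Twelve random lowercase letters already match an eight-character password drawn from the full printable set, and sixteen beat it comfortably, while the "complex" mangled word sits near 22 bits once the attacker models the substitution pattern the NCSC warns about.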
Fun fact: I wrote a government-accredited textbook for the investigation industry, which extensively covers the use of social engineering to get information out of people, and I have a long history of consulting in the security industry. I was also previously on the IT security committee at my former company, Edval. I lobbied hard to have the company update to the more secure and, importantly, current password standards on complexity and periodic forced changes.
However, I was unable to get support to change, or even to debate why we would continue enforcing standards that are directly opposite to what governments and industry largely say on the matter.
You'd think that when the author of the password complexity rules himself, Mr Bill Burr, apologizes for them and says they make security worse, it would carry some weight... But no! My old company is unfortunately just like thousands of others who can't seem to engage in debate over what SEEMS to be making passwords less secure.
Aren't passwords MEANT to be hard to remember? Isn't this what makes them secure from hackers? Oh dear... lol.
Founder of Password Complexity Says SORRY!
The 'rules' for password security were written by Bill Burr of NIST in 2003, though he relied on 1980s research from a time when online security was very different.
In multiple news articles the author of the password complexity rules recants: "(my) previous advice of creating passwords with special characters, mixed-case letters and numbers won't deter hackers," he told The Wall Street Journal. "Much of what I did I now regret," he said of the password complexity rules.
The interview resulted in a very large number of news articles around the world. It was big news, but sadly, despite this press and the updated guidelines, many systems (including, it seems, Australia's) still haven't been fixed to comply with them.
https://www.engadget.com/2017-08-08-nist-new-password-guidelines.htm
https://www.bbc.co.uk/news/technology-40875534
https://gizmodo.com/the-guy-who-invented-those-annoying-password-rules-now-1797643987
The advice about frequently changing a password has been criticized since the report. A 2010 study by the University of North Carolina at Chapel Hill showed that updating passwords often can actually help hackers identify a pattern. Another study from Carleton University said frequent changes are more inconvenient than helpful.
Following is material from different government entities about their password policies.
After getting frustrated by the illogical policies once too often, I felt I needed to get it out... and hopefully provide a resource to help improve password security by showing that the new advice is there, is well researched, and is clear. Now we just need to change systems to follow this advice. Not as easy as it sounds!
So if you are a security manager, IT staff, or want to share the pain of bad password policies, then feel free to read on. Else... well, it might be a little dry, in which case skim to the image at the base of the article, which pretty much says it all. So funny. So true!
USA Government: National Institute of Standards and Technology (NIST)
NIST is part of the US Department of Commerce and includes a significant computer security division. It has published a very lengthy, highly detailed, well-researched publication, with input from multiple authors and stakeholders, covering Digital Identity Guidelines. It is a pretty good resource, and it sets out government requirements and guidance on various aspects of password management.
They specifically cover password complexity requirements here: https://pages.nist.gov/800-63-3/sp800-63b.html#a3-complexity
5.1.1.2 Memorized Secret Verifiers
Verifiers SHALL require subscriber-chosen memorized secrets to be at least 8 characters in length.
Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
And knowledge-based verification (KBV) is NOT approved for password resets; the guidelines say, for example:
KBV cannot be used to satisfy verification requirements
i. The CSP SHALL NOT use KBV questions for which the answers do not change (e.g., "What was your first car?").
Experienced security leaders in private industry are of course supportive of the NIST guidance.
https://www.dhirubhai.net/pulse/password-sanity-thank-you-nist-philip-cox
It is incredible that so many companies and government departments continue to retain extremely outdated security policies that not only make life online harder but, according to the evidence and the NIST guidelines, actually significantly reduce online security. However, it takes a brave IT manager to implement the new, improved security policies. Why? Because it 'feels' less secure. It's not what so many other companies and departments are doing. Who dares remove that decades-old, comforting feeling of high security that comes from password complexity rules so complex that you struggle to remember your own passwords? Which is kinda the point: this is exactly why these rules REDUCE password security, and increase vulnerability in organisations that are afraid to change with the times. We rush to implement new security patches, yet we are reluctant to rush new security policies that depart so much from what 'we are used to'.
People... let's BE BRAVE. Follow the damn government guidelines, and stop being precious and uncertain. Doing so will:
- Reduce your organisation's significant support effort to manage user password resets
- Reduce user friction and speed up interactions with your site, plus make users happier
- Reduce sign-up failures due to 'Too hard to sign up because of failing password complexity' (Yes, it's a thing)
- Increase security in access to your systems
- Reduce your legal liability. If a major compromise occurred because passwords were written down etc., users would now have recourse in court to show that your failure to adopt the current password standards, as advised by government for many years now, was a significant factor in the problem. This may result in adverse publicity costing far more in lost consumer confidence than the cost of compensating a user for actions that resulted from password misuse.
- Show your organisation as a leader, unafraid to do the right thing, not asleep at the wheel, and not afraid of adopting things that may be seen as 'reducing security' by those who have not done the extensive research.
Password complexity with enforced complex password symbols, periodic forced password changes and knowledge based verification are all the WRONG way, and the INSECURE way. Actively promote password managers, and the use of multi word phrases that are easy to remember, but very hard to guess.
Because Entropy and also Human behaviour are curious things!
USA Federal Trade Commission
The USA Federal Trade Commission reports on Forced Password Changes.
Basically Saying DON'T!
https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes
And
UK Government - Cyber Security
The Director General for Cyber Security, Government Communications Headquarters (GCHQ), states this official advice on password complexity and expiry:
Password Complexity
Password guidance - including previous CESG guidance - has encouraged system owners to adopt the approach that complex passwords are ‘stronger’. The abundance of sites and services that require passwords means users have to follow an impossible set of password rules in order to ‘stay secure’. Worse still, the rules - even if followed - don't necessarily make your system more secure. Complex passwords do not usually frustrate attackers, yet they make daily life much harder for users. They create cost, cause delays, and may force users to adopt workarounds or non-secure alternatives that increase risk.
“By simplifying your organisation’s approach to passwords, you can reduce the workload on users, lessen the support burden on IT departments, and combat the false sense of security that unnecessarily complex passwords can encourage.”
Forced Password Changes
Regular password changing harms rather than improves security, so avoid placing this burden on users. However, users must change their passwords on indication or suspicion of compromise.
Changing passwords
Most administrators will force users to change their password at regular intervals, typically every 30, 60 or 90 days. This imposes burdens on the user (who is likely to choose new passwords that are only minor variations of the old) and carries no real benefits as stolen passwords are generally exploited immediately.
Password Strength Meters
Password strength meters aim to help users assess the strength of their self-generated passwords. They may steer users away from the weakest passwords, but often fail to account for the factors that can make passwords weak (such as using personal information).
Be aware of the limitations of password strength meters.
Password Managers
Password management software can help users by generating, storing and even inputting passwords when required. (Why don't we regularly encourage this in systems!)
UK National Cyber Security Centre
https://www.ncsc.gov.uk/collection/passwords/updating-your-approach
Password Complexity
Do not use complexity requirements. Using complexity requirements (that is, where staff can only use passwords that are suitably complex) is a poor defence against guessing attacks. It places an extra burden on users, many of whom will use predictable patterns (such as replacing the letter ‘o’ with a zero) to meet the required 'complexity' criteria. Attackers are familiar with these strategies and use this knowledge to optimise their attacks. Additionally, complexity requirements provide no defence against common attack types such as social engineering or insecure storage of passwords.
For the above reasons, the NCSC do not recommend the use of complexity requirements when implementing user generated passwords.
Password Expiry
Don't enforce regular password expiry. Regular password changing harms rather than improves security. Many systems will force users to change their password at regular intervals, typically every 30, 60 or 90 days. This imposes burdens on the user and there are costs associated with recovering accounts.
Forcing password expiry carries no real benefits because the user is likely to choose new passwords that are only minor variations of the old.
Microsoft Windows - Password Security
In a security update, Microsoft removed password expiry, stating official advice that:
There’s no question that the state of password security is problematic and has been for a long time. When humans pick their own passwords, too often they are easy to guess or predict. When humans are assigned or forced to create passwords that are hard to remember, too often they’ll write them down where others can see them.
When humans are forced to change their passwords, too often they’ll make a small and predictable alteration to their existing passwords, and/or forget their new passwords. When passwords or their corresponding hashes are stolen, it can be difficult at best to detect or restrict their unauthorized use.
Recent scientific research calls into question the value of many long-standing password-security practices such as password expiration policies.
Periodic password expiration is an ancient and obsolete mitigation of very low value, and we don’t believe it’s worthwhile for our baseline to enforce any specific value.
--------------------------------------------------------
It also states:
- Eliminate character-composition requirements.
- Eliminate mandatory periodic password resets for user accounts.
--------------------------------------------------------
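The NIST 800-63B verifier rules quoted earlier (at least 8 characters, no composition rules, no arbitrary expiry, forced change on evidence of compromise), the NCSC advice and the Microsoft baseline all reduce to the same verifier logic. Here is an added example of what that logic looks like beside the legacy "three of four character classes plus 90-day expiry" policy the post argues against. This is my own code, not from the original post or from NIST: the blocklist is a constructed stand-in for the "commonly-used, expected, or compromised" list that 800-63B section 5.1.1.2 also requires verifiers to check against (that requirement and its NFKC normalisation advice are from the same NIST section, not from the post), and the 64-character ceiling is an assumed cap.

```python
from __future__ import annotations
from dataclasses import dataclass, field
import unicodedata

# Constructed stand-in for the list of "commonly-used, expected, or compromised"
# values that SP 800-63B 5.1.1.2 requires verifiers to check against; a real
# deployment would load a breach corpus rather than this hypothetical set.
BLOCKLIST = {"password", "p@ssw0rd", "qwerty123", "letmein", "welcome1"}

MIN_LENGTH = 8    # 800-63B: verifiers SHALL require at least 8 characters
MAX_LENGTH = 64   # 800-63B: verifiers SHOULD permit at least 64; assumed cap here


@dataclass
class Verdict:
    ok: bool
    reasons: list[str] = field(default_factory=list)


def char_classes(pw: str) -> int:
    """How many of the four classic classes (lower, upper, digit, symbol) appear."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() and not c.isspace() for c in pw),
    ])


def legacy_policy(pw: str) -> Verdict:
    """The policy the post argues against: 8+ characters using at least three of
    the four character classes. Extra length earns nothing under this rule."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if char_classes(pw) < 3:
        reasons.append("uses fewer than three of the four character classes")
    return Verdict(ok=not reasons, reasons=reasons)


def nist_policy(pw: str, blocklist: set[str] = BLOCKLIST) -> Verdict:
    """SP 800-63B 5.1.1.2 verifier: a length floor, a generous ceiling, no
    composition rules, and a blocklist check. Spaces and Unicode are accepted."""
    # 800-63B recommends NFKC or NFKD normalisation before counting code points.
    pw = unicodedata.normalize("NFKC", pw)
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    elif len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if pw.lower() in blocklist:
        reasons.append("appears on the commonly-used/compromised list")
    return Verdict(ok=not reasons, reasons=reasons)


def legacy_must_rotate(age_days: int, compromised: bool, max_age_days: int = 90) -> bool:
    """Periodic expiry (the 30/60/90-day model): rotate on age or on compromise."""
    return compromised or age_days >= max_age_days


def nist_must_rotate(age_days: int, compromised: bool) -> bool:
    """800-63B: SHOULD NOT require arbitrary (periodic) changes, but SHALL force a
    change on evidence of compromise. The password's age plays no part."""
    return compromised


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "correct horse battery staple", "short"):
        print(f"{candidate!r:32} legacy={legacy_policy(candidate).ok!s:5} "
              f"nist={nist_policy(candidate).ok!s:5} {nist_policy(candidate).reasons}")
    print("90-day-old password, no compromise: legacy rotate =",
          legacy_must_rotate(90, False), "| nist rotate =", nist_must_rotate(90, False))
    print("evidence of compromise:             legacy rotate =",
          legacy_must_rotate(1, True), "| nist rotate =", nist_must_rotate(1, True))
```

The legacy policy happily accepts "P@ssw0rd" (four character classes, exactly eight characters) and rejects a four-word passphrase for having only lowercase letters; the NIST-style verifier does the reverse, and the only event that triggers a forced change under it is evidence of compromise.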
Other academic research supports this:
https://people.scs.carleton.ca/~paulv/papers/expiration-authorcopy.pdf
FAILS! Organisations Who Didn't Get The Memo
Australian Securities and Investments Commission (ASIC)
https://regulatoryportal.asic.gov.au/password-management/
Provides security advice on passwords which significantly conflicts with the advice from many other sources, repeating the old advice (debunked by research) of:
- Uses a combination of lowercase and uppercase letters, numbers, and special characters
- Changing your password periodically is a good way to protect your online account. As a guide you should change your password between 1 and 4 times a year.
This ASIC site also states: "For more information on creating and managing password and online safety, please visit the Australian Governments Stay Smart Online website." Except that link is old, and no longer takes you to the correct content.
Queensland Government (Australia)
The QLD Tender site has archaic password complexity rules that are so obtuse, even its own instructions on password complexity don't cover all the rules. Having the same character three times within the password, perhaps not even consecutively: is this outside the guidelines?
Sadly the QLD Government Tender site is not adopting best-practice security guidelines. This is one example of many thousands, of course, but the screenshot shows a problem we are all too familiar with: the fear of what may seem like watering down security, when it is actually following extensively researched guidelines.
How would one know not to use the same letter three times anywhere in your password, when it's not in the rules? And besides, does it really matter anyway? FRICTION!!!
Australian Cyber Security Centre
https://www.cyber.gov.au/acsc/view-all-content/guidance/authentication-hardening
Sadly, this respected body has not updated its archaic password policies following the research, the advice from its Five Eyes colleagues in the UK and USA, and the advice from Microsoft and other security researchers. It is STILL providing the old advice, which was introduced when NIST released its original guidance, since retracted by the author with a sorry!
They state that:
Passwords/passphrases are changed if they have not been changed in the past 12 months.
Passwords should be a: Minimum of 15 alphabetic characters; or a minimum of 11 characters consisting of at least three of the following character sets: lowercase alphabetic characters (a-z), uppercase alphabetic characters (A-Z), numeric characters (0-9), special characters.
---------------------------------------------------
https://www.cyber.gov.au/acsc/view-all-content/publications/creating-strong-passphrases
They do promote passphrases:
Passwords are passé - passphrases are longer and stronger
Passwords are passé. It’s time to use passphrases instead.
Sadly though, despite correctly referring to passwords as passé, they then still refer to using complex symbols, which is not the point of passphrases. It's as if someone left the old material in when they transitioned from advising complex passwords (with symbols) to passphrases (which replace symbols with length, and aid memorability).
They write:
Complexity is defined as using a combination of different character sets: capital letters, lowercase letters, numbers and special characters. Combining character sets can make a passphrase more difficult to guess and increases the time it takes to be cracked. For example, ‘red House #sky train’, ‘Sleep free hard idea!’ or ‘crystal onion clay @Pretzel’.
---------------------------------------------------
https://www.cyber.gov.au/acsc/view-all-content/news/get-smarter-passwords
Even their own site has bad links. Try to look up this link, then click the link under the heading 'As an Individual... Use strong passwords'. You will find the link goes to a weird page.
Randall Munroe from https://xkcd.com/936 nails it, with his globally recognised cartoon on the matter: