Maybe a better question is, “Do passwords matter?” I’ve seen password requirements become more and more painful through the years at the same time that the number of security breeches has skyrocketed. The reason is that investing time in hacking into the online application database is far more rewarding than brute-force hacking a single end user’s password. In other words, all the secure passwords in the world won’t do any good when a hacker (or state-sponsored team of hackers) can simply siphon my data out the back end. Providers and online vendors should care more, and we should make them care more by refusing to purchase from them until they can guarantee security. Instead, with every breech, they send more and more ineffective and inconvenient password complexity down to end users as if we are to blame for their bad coding.
Who should we blame for this password mess? To paraphrase Walt Kelly’s paraphrasing of Oliver Hazard Perry, I have seen my enemy and his name is Bill Burr. No, not the loud, sometimes crass and always funny standup comedian, Bill Burr. I’m talking about Bill Burr, the former manager at the National Institute of Standards and Technology (NIST), who, in 2003, wrote a password primer recommending the special characters, random capitals and numbers that are in use in computer networks and website accounts today. In August of 2017, he told the Wall Street Journal, “Much of what I did I now regret.” His regret is not for the inconvenience his recommendations caused, but for the fact that passwords became weaker overall as a result of over-complicating the complexity requirements. After fighting against the grain of this bad advice for 14 years, there is much that I’d like to share about how this makes me feel, but I’m not sure that would be particularly helpful. Let’s talk instead about another bad password strategy that Mr. Burr endowed us with.
For many years, some of you have had to listen to my opinion of periodic password change policies. In the last couple of years, I’ve been able to share the science to back up that opinion. My opinion, and now the general consensus, is that periodic password changes do more harm than good. The thing I couldn’t get past is that, for the strategy to work, we would have to make sure we waited to get hacked until just prior to the end of the 90-day period (or whatever the period) or, we would have to hope that the hacker would opt not to use the password he/she just hacked until after the current 90-day period had ended. In the paper, The Security of Modern Password Expiration: An Algorithmic Framework and Empirical Analysis, University of North Carolina at Chapel Hill researchers also found that when users were forced to periodically change their passwords, they tended to use a formulaic approach that resulted in the creation of the simplest passwords to both meet the criteria and be easy to remember. Since we all tend to think alike, this resulted in a lot of passwords that are easy to guess. “Pa$$w0rd1,” for example, is what someone might use for month one if a capital, a lower case, a number, a symbol and a minimum of 8 characters were required. In month two, he/she would choose, you guessed it, “Pa$$w0rd2.” Without the need to periodically change the password, users tend to use longer phrases which are meaningful only to themselves. The same is true if you remove the character requirements. Cartoonist, Randall Munroe, aptly stated, ““Through 20 years of effort, we have correctly trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.”
So, let’s move on to what’s next, or at least what should be next. The new NIST draft guidelines seem to make a lot more sense, so let’s start with my three favorites of their recommendations:
1. Remove periodic password change requirements
2. Remove algorithmic complexity requirements
3. Require screening of new passwords against lists of commonly used or compromised passwords
The full document can be found here: https://pages.nist.gov/800-63-3/sp800-63b.html
I know from experience that many vendors, SaaS providers and system administrators are going to stubbornly hold on to the old rules, but the evidence is pretty clear. The faster we can shed the complexity, the safer we’ll be.
If you have questions about your network password strategy, please give us a call at 317-733-2388.