The Password is Dead; Long Live the Password
Thursday, April 6, 2017
The Ongoing Battle
One morning, your computer screen greets you with the dreaded “your password will expire soon, please change it” notification as you enter your credentials. A battle ensues to conjure up a new password in an attempt to meet password length and complexity requirements… without creating a password that can be easily guessed, reused, or is already used elsewhere. Passwords that are easy to remember, such as Spring17, or a favorite sports team, may meet certain length requirements but are often the go-to words an attacker will try first during any attempt aimed at compromising your online presence. Changing passwords seems like a fight that is destined to repeat itself every couple of months for all eternity. Or is it?
Passwords are an important layer of security designed to protect your digital identity both in a professional and personal world. When combined with a username, a password uniquely identifies “you” and has been the most used mechanism for authenticating to networks, applications, and devices. Passwords have grown in both length and complexity since first being implemented. Advances in computing technology allow passwords previously thought to be complex to be broken within a shorter timeframe. To counter the onslaught of computing power available to attackers, we must discuss the evolution of the password as a reliable authentication method, and what we can do to reduce the risk of unauthorized access to our systems.
The Current State of Passwords
Generally accepted password standards today include:
- Be unique from other business or non-business accounts
- Consist of at least eight (8) characters
- Be composed of each of the following:
- Lower case letters
- Upper case letters
- Special characters
- Avoid using the following:
- Common dictionary words
- Repeating characters
- User information (i.e.: username, first name, last name, phone number, family, towns, state, or institution name)
The Next Evolution of Passwords
In the fall of 2016, the National Institute of Standards and Technology (NIST) released a draft of Special Publication 800-63B – Digital Identity Guidelines, which was designed to provide increased authentication security from today's advanced password-cracking attacks. Key messages from this publication include:
- Organizations should set a minimum eight (8) character password standard, with scaling based on account sensitivity.
- A fourteen (14) character password would provide significantly more protection against password cracking tools.
- Organizations should allow a maximum password length of 64 characters with no restrictions on length over eight (8) characters.
- Applications must allow all ASCII characters, including the space character.
- Regular checks should be run against new/existing passwords and should include scanning passwords against dictionary words, passwords obtained from previous breaches, repetitive or sequential characters, and context specific words.
- Organizations should incorporate Multi-Factor Authentication where possible, especially for VPN or remote access connectivity.
NIST 800-63B also defines items to be avoided, including:
- These new password standards place less emphasis on composition rules than prior guidance. NIST 800-63B suggests removing complexity constraints for increased-length passwords. Once passwords hit the 14-character mark, entropy is so great that complexity doesn’t have the same effect as on eight (8) character passwords. Complexity still helps, though.
- Do not utilize password hints.
- Remove Knowledge-Based Authentication. Examples include – What was your high school?
- Passwords with increased length (14 characters) should only be required to change if there is evidence of compromise or the user requests the change.
- The longer the password, the less frequent a user should have to change the password, and vice versa.
Microsoft, the Center for Internet Security, and other organizations provide additional guidelines stressing the importance of both length and complexity. Both are needed to ensure the most sufficient protection available. Password lengths of fourteen (14) characters or more with additional complexity requirements can be maintained and managed through passphrases and password managers.
Passphrases are an excellent way to fulfill both the length and complexity requirements to decrease the probability that a password can be compromised. Passphrases get their strength from creating a lengthy word that does not appear in any dictionary and substituting complex characters. For example; April showers could be combined into something like @prilShow3rs!!. Each passphrase should be unique to the system or application.
A password manager is a software application or hardware that helps a user store and organize passwords. Password managers usually store passwords with strong encryption protocols, requiring the user to create a master password: a single, ideally very strong password which allows the user to access their password database. Some password managers store passwords on the user's computer (offline password managers); others store data in the provider's cloud (online password managers). Password managers frequently provide features such as form-fill and password generation. Examples include LastPass, KeyPass, and Norton Vault.
Steps to Victory
When it comes to security, a proactive approach is often rewarded. Attackers are focusing on the human aspect of security, including passwords, to circumvent other more complex security controls. The future will provide new and improved methodologies that will be adopted into our cyber lives. Financial Institutions and businesses can look toward standard organizations such as NIST and the Center for Information Security to provide guidance on future changes. In the meantime, implementing stronger security methodologies such as password best practices, multi-factor authentication, passphrases, and password managers will add additional layers of security that attackers can only combat by spending more time and resources to crack passwords and access your secure systems or devices.
If you are looking for some additional details about passwords or password management, the SBS Institute has developed a role-based, financial institution-specific certification program devoted to building a better Information Security Program called the Certified Banking Security Manager (CBSM).
Written by: Eric Chase
Information Security Consultant- SBS CyberSecurity
Categories: SBS Blog