Who’s Really to Blame for Compromised Passwords?

February 23, 2018 | Views: 1069

Begin Learning Cyber Security for FREE Now!

FREE REGISTRATIONAlready a Member Login Here

When a password is compromised and ultimately leads to a breach, whose fault is it? Most people would place the blame on the employee whose password was compromised and argue that they failed to create a strong and secure password. On the other hand, blame could be placed squarely on the shoulders of the IT administrator who failed to properly train their employees on the proper and recommended password standards.
The National Institute of Standards and Technology (NIST) has become the primary source of technology standards and frameworks. NIST has developed standards that are utilized by all industries, including the federal government. As a result, when NIST develops a new standard or updates an existing standard, technology professionals do and should take notice.
In June 2017, NIST published SP 800-63-3 Digital Identity Guidelines. This Special Publication detailed new standards for topics such as Authentication, Identity Proofing and Federations among other topics. Included in one of the three companion documents, SP 800-63B Digital Identity Guidelines: Authentication and Lifecycle Management, is a section detailing the requirements for “Memorized Secrets” (aka Passwords).
The following is a summary of some of the NIST requirements for Memorized Secrets:

  • Must be of sufficient complexity and secrecy to prevent the password from being compromised through guessing or brute force attacks.
  • Shall be at least 8 characters in length if chosen by the individual being authenticated.
  • NO OTHER complexity requirements should be imposed for memorized secrets, other than length.
  • Verifiers (the authenticator) should permit subscriber (the authenticated) chosen passwords at least 64 characters in length.
  • All printing ASCII characters, as well as space characters should be acceptable for use in passwords.
  • Verifiers should not require the memorized secret to be changed periodically, unless a compromise or security incident has occurred.

While we believe the minimum acceptable password length should be at least 12-16 characters, NIST has placed such an emphasis on password length, and for good reason. Consider the mathematics behind calculating the number of possible passwords given a specific ASCII character set. If an end user was creating a 16-character password with all letters both uppercase and lowercase, the total number of possible passwords would be 52 to the power of 16 = 2,857,942,574,656,970,690,381,479,936. However, consider the total number of possible passwords for an 8-character password consisting of uppercase and lowercase letters, numbers and 32 special characters. The total number of passwords would be 94 to the power of 8 = 6,095,689,385,410,816. Finally, a simple and easy to remember passphrase for any individual, such as “IlovedSummer2016morethananything!”, based on the given character set of uppercase and lowercase letters, numbers and 32 special characters, creates a number of password possibilities too long to be fully displayed on a calculator screen.
Despite the clear logic behind a focus on password length, rather than drilling the word “complexity” into everyone’s minds, administrators continue to ignore the new standards. For example, how many banking websites continue to limit the character length of your passwords? How many retail websites do the same and limit the special characters you are allowed to use to “!@#$%^”? If the administrators of secure entities such as banks, frequently used retail websites and other popular online institutions continue to ignore these new standards, how can we ever expect our end users to change?
As administrators, we should be placing a greater emphasis on proper end user education. We should educate our users on proper passphrase creation and demonstrate for them how easy it is to create a simple yet secure passphrase.
Until we begin to adopt these new standards and pass the knowledge on to our end users, we will continue to experience the headaches of brute forced passwords, compromised accounts, unauthorized information disclosures and unexpected regulatory audits and breach notifications staring us in the face.

References:

http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-3.pdf
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf

Share with Friends
FacebookTwitterGoogle+LinkedInEmail
Use Cybytes and
Tip the Author!
Join
Share with Friends
FacebookTwitterGoogle+LinkedInEmail
Ready to share your knowledge and expertise?
6 Comments
  1. Great article and very persuasive however, there are other aspects to user training that is commonly overlooked; browsing habits and email use. In terms of cracked passwords, your article is spot on, but if a user opens PDF attachments that they received in an email, embedded with a keylogger, no password policy will prevent the breach.

Page 2 of 2«12
Comment on This

You must be logged in to post a comment.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Cybrary On The Go

Get the Cybrary app for Android for online and offline viewing of our lessons.

Get it on Google Play
 

Support Cybrary

Donate Here to Get This Month's Donor Badge

 
Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?

Continue
Cancel