Ready to Start Your Career?

Who's Really to Blame for Compromised Passwords?

sf_dod 's profile image

By: sf_dod

February 23, 2018

When a password is compromised and ultimately leads to a breach, whose fault is it? Most people would place the blame on the employee whose password was compromised and argue that they failed to create a strong and secure password. On the other hand, blame could be placed squarely on the shoulders of the IT administrator who failed to properly train their employees on the proper and recommended password standards.
The National Institute of Standards and Technology (NIST) has become the primary source of technology standards and frameworks. NIST has developed standards that are utilized by all industries, including the federal government. As a result, when NIST develops a new standard or updates an existing standard, technology professionals do and should take notice.
In June 2017, NIST published SP 800-63-3 Digital Identity Guidelines. This Special Publication detailed new standards for topics such as Authentication, Identity Proofing and Federations among other topics. Included in one of the three companion documents, SP 800-63B Digital Identity Guidelines: Authentication and Lifecycle Management, is a section detailing the requirements for “Memorized Secrets” (aka Passwords).
The following is a summary of some of the NIST requirements for Memorized Secrets:
  • Must be of sufficient complexity and secrecy to prevent the password from being compromised through guessing or brute force attacks.
  • Shall be at least 8 characters in length if chosen by the individual being authenticated.
  • NO OTHER complexity requirements should be imposed for memorized secrets, other than length.
  • Verifiers (the authenticator) should permit subscriber (the authenticated) chosen passwords at least 64 characters in length.
  • All printing ASCII characters, as well as space characters should be acceptable for use in passwords.
  • Verifiers should not require the memorized secret to be changed periodically, unless a compromise or security incident has occurred.
While we believe the minimum acceptable password length should be at least 12-16 characters, NIST has placed such an emphasis on password length, and for good reason. Consider the mathematics behind calculating the number of possible passwords given a specific ASCII character set. If an end user was creating a 16-character password with all letters both uppercase and lowercase, the total number of possible passwords would be 52 to the power of 16 = 2,857,942,574,656,970,690,381,479,936. However, consider the total number of possible passwords for an 8-character password consisting of uppercase and lowercase letters, numbers and 32 special characters. The total number of passwords would be 94 to the power of 8 = 6,095,689,385,410,816. Finally, a simple and easy to remember passphrase for any individual, such as “IlovedSummer2016morethananything!”, based on the given character set of uppercase and lowercase letters, numbers and 32 special characters, creates a number of password possibilities too long to be fully displayed on a calculator screen.
Despite the clear logic behind a focus on password length, rather than drilling the word “complexity” into everyone’s minds, administrators continue to ignore the new standards. For example, how many banking websites continue to limit the character length of your passwords? How many retail websites do the same and limit the special characters you are allowed to use to “!@#$%^”? If the administrators of secure entities such as banks, frequently used retail websites and other popular online institutions continue to ignore these new standards, how can we ever expect our end users to change?
As administrators, we should be placing a greater emphasis on proper end user education. We should educate our users on proper passphrase creation and demonstrate for them how easy it is to create a simple yet secure passphrase.
Until we begin to adopt these new standards and pass the knowledge on to our end users, we will continue to experience the headaches of brute forced passwords, compromised accounts, unauthorized information disclosures and unexpected regulatory audits and breach notifications staring us in the face.

Schedule Demo