Who's Really to Blame for Compromised Passwords?
The National Institute of Standards and Technology (NIST) is one of the primary sources of information-security standards and frameworks. Its publications are mandatory for U.S. federal agencies and are widely adopted by other industries. As a result, when NIST publishes a new standard or revises an existing one, technology professionals do, and should, take notice.
In June 2017, NIST published SP 800-63-3 Digital Identity Guidelines. This Special Publication covers identity proofing, authentication and federation, among other topics. One of its three companion volumes, SP 800-63B Digital Identity Guidelines: Authentication and Lifecycle Management, contains a section (5.1.1) detailing the requirements for “Memorized Secrets” (i.e. passwords).
The following is a summary of some of the NIST requirements for Memorized Secrets:
- Must be of sufficient complexity and secrecy to prevent the password from being compromised through guessing or brute force attacks.
- Shall be at least 8 characters in length if chosen by the individual being authenticated.
- NO OTHER complexity requirements should be imposed for memorized secrets, other than length.
- Verifiers (the system checking the password) should permit subscriber (the user being authenticated) chosen passwords of at least 64 characters in length.
- All printing ASCII characters, as well as the space character, should be accepted in passwords.
- Verifiers should not require the memorized secret to be changed periodically; a change should be forced only when there is evidence that the secret has been compromised.
Despite the clear logic behind emphasizing length instead of drilling the word “complexity” into everyone’s minds, administrators continue to ignore the new guidance. How many banking websites still cap the length of your password? How many retail websites do the same, and limit the special characters you are allowed to use to “!@#$%^”? If the administrators of banks, frequently used retail websites and other popular online institutions continue to ignore these standards, how can we ever expect our end users to change?
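The contrast between the requirements listed above and the legacy policies just described is easiest to see in code. The following is an added example, not code from the original post: a small password-acceptance check written to the SP 800-63B rules (length as the only composition rule, all printing characters and the space accepted, no forced rotation) next to the kind of legacy policy that caps length at 16 and limits symbols to “!@#$%^”. It also includes the one content check 800-63B does require but the summary above omits: comparing the candidate against a list of commonly used or compromised passwords. The names `legacy_policy`, `nist_policy`, `Verdict` and `COMPROMISED_SHA1` are this example's own, and the blocklist is a constructed four-entry stand-in for a real breach corpus.

```python
# Added example (not code from the original post): a password-acceptance check
# written to the SP 800-63B rules summarized above, next to the kind of legacy
# composition policy the post complains about. The blocklist is constructed
# for illustration; a real verifier would check against a full breach corpus.
import hashlib
import string
import unicodedata
from dataclasses import dataclass


@dataclass(frozen=True)
class Verdict:
    accepted: bool
    reason: str


def _sha1_hex(secret: str) -> str:
    return hashlib.sha1(secret.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for the list of "commonly-used, expected, or
# compromised" values that 800-63B 5.1.1.2 requires verifiers to check.
COMPROMISED_SHA1 = {
    _sha1_hex(p) for p in ("password", "Password1!", "qwerty123", "letmein")
}


def legacy_policy(pw: str) -> Verdict:
    """Typical pre-2017 policy: 8-16 characters, symbols limited to !@#$%^,
    no spaces, and at least three character classes."""
    allowed_symbols = set("!@#$%^")
    if not 8 <= len(pw) <= 16:
        return Verdict(False, "length must be 8-16")
    for c in pw:
        if c == " " or (c in string.punctuation and c not in allowed_symbols):
            return Verdict(False, "only !@#$%^ allowed as special characters")
    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in allowed_symbols for c in pw),
    )
    if sum(classes) < 3:
        return Verdict(False, "needs 3 of: lowercase, uppercase, digit, symbol")
    return Verdict(True, "ok")


def nist_policy(pw: str, min_len: int = 8, max_len: int = 64,
                blocklist: set[str] = COMPROMISED_SHA1) -> Verdict:
    """Acceptance check following SP 800-63B 5.1.1.2: length is the only
    composition rule, all printing characters and the space are allowed,
    and the candidate is compared against a compromised-password list."""
    # 800-63B says to NFKC/NFKD-normalize Unicode secrets so that the same
    # passphrase typed on different keyboards compares (and hashes) equal.
    secret = unicodedata.normalize("NFKC", pw)
    if len(secret) < min_len:
        return Verdict(False, f"shorter than {min_len} characters")
    if len(secret) > max_len:
        return Verdict(False, f"longer than {max_len} characters")
    # str.isprintable() is True for every printing ASCII character and the
    # space, and False for control characters such as tab or newline.
    if not secret.isprintable():
        return Verdict(False, "control characters not allowed")
    # No mixed-case/digit/symbol rules. The one content check that is
    # required: reject values known to be common or breached.
    if _sha1_hex(secret) in blocklist:
        return Verdict(False, "appears in compromised/common password list")
    return Verdict(True, "ok")


if __name__ == "__main__":
    for candidate in ("Password1!",
                      "correct horse battery staple is a fine passphrase"):
        print(repr(candidate))
        print("  legacy:", legacy_policy(candidate))
        print("  nist:  ", nist_policy(candidate))
```

Running it shows the point of the post: the legacy policy accepts “Password1!” (it satisfies every composition rule) and rejects a 49-character passphrase because of its length and spaces, while the 800-63B check does the opposite. This is only the acceptance step; 800-63B also requires rate limiting of failed attempts and storing the secret with a salted, iterated one-way key derivation function, which the example deliberately leaves out.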
As administrators, we should place greater emphasis on proper end user education. We should teach our users how to build a passphrase and show them how easy it is to create one that is both simple to remember and hard to guess.
Until we adopt these standards and pass the knowledge on to our end users, we will keep facing the headaches of brute-forced passwords, compromised accounts, unauthorized information disclosures, unexpected regulatory audits and breach notifications.