Are regulations preventing good password policies?
31 May 2018
One rarely goes to a conference where one doesn’t hear someone doling out “good” password policy advice, along the lines of:
- Eight to 12 characters long as a minimum; extremely long passphrases are better
- Must be complex and include at least three different character sets (e.g., uppercase characters, lowercase characters, numbers, or symbols)
- Change every 90 days or fewer
- Enable account lockouts for bad passwords, five bad attempts or fewer
One hears world-renowned computer security experts, CEOs and security consultants giving this advice all the time.
Except that it is wrong. It is old advice. It was never “good” password policy. The data show that people and companies that follow this advice are likely increasing their computer security risk, not lessening it. Unfortunately, the desire to stay in compliance with outdated regulatory requirements means that most companies and individuals will be compelled to follow this old, outdated and wrong advice for years to come. It is a sad state of affairs.
What is today’s good password policy advice?
Starting a decade ago or so, a few computer security scientists decided to look at the data to see if the traditional password security advice that had been recommended for decades was actually effective. Microsoft Principal Researcher Dr Cormac Herley has probably written more about how bad the old password policy advice is than anyone else. He is not a fan of much of today’s long-held, but untested computer security advice. As he said in the 2017 book, “Hacking the Hacker”:
“You might have a model of how you think 2 billion users will behave, but 2 billion users will respond the way they are going to respond regardless of your model. You can hope that it happens the same way, but you have to measure what happens to see if there is any resemblance to what you said would happen in your model. And if your model is wrong, change it.”
Dr Herley looked at the data and tested how well the traditional advice stacked up in today’s hacker world. His conclusion, shared by many other researchers, was that the traditional advice was bad advice, and they used that data, together with an understanding of how today’s hackers actually attack passwords, to come up with better password policy advice. The culmination of these password experts’ work was updated password policy guidance from the US National Institute of Standards and Technology (NIST). NIST sets the computer security standards for US government and military computers, and by doing so sets the standards for most of the world’s computers.
NIST issued its updated password policy advice in the form of “Digital Identity Guidelines”, the most important of which is NIST Special Publication 800-63-3, released in final form in June 2017. In the related guideline documents, NIST essentially says that you should be using multifactor authentication (MFA) instead of passwords, but if you are going to be using single-factor authentication passwords, here are the new, better recommendations:
- Enable two-factor authentication (2FA) where you can. Passwords are great, but 2FA is better
- A password should be eight characters or longer, but it does not have to be super long
- Character complexity is no longer a requirement, but does not hurt
- Should not contain common or easy-to-guess passwords (like your name or password123)
- There is no need to change your password unless you think it has been compromised
- Never re-use the same password on other sites
- Developers, consider using dynamic authentication, where changes in user behaviour, location, or devices initiate additional authentication checks
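To make the contrast concrete, here is an added example (not code from the article or from NIST) that encodes the old conference advice and the article’s summary of the newer rules as two small password checkers and runs both over constructed sample passwords. The blocklist, the sample passwords and the function names are assumptions for illustration; a real verifier would check against a large corpus of common and breached passwords rather than a five-entry set.

```python
import re

# Constructed, tiny stand-in for the "common or easy-to-guess passwords" check
# in the article's NIST summary. A production verifier would use a large
# common/breached-password corpus instead of this list.
COMMON_PASSWORDS = {"password", "password123", "qwerty", "123456", "letmein"}


def legacy_policy(password: str) -> list[str]:
    """Old conference advice: 8+ characters AND at least three character
    classes. Returns a list of violations (empty list means accepted)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    if sum(1 for pattern in classes if re.search(pattern, password)) < 3:
        problems.append("fewer than three character classes")
    return problems


def nist_style_policy(password: str, username: str = "") -> list[str]:
    """Rules from the article's NIST summary: a length floor, a blocklist of
    common passwords, nothing that identifies the user, and no composition
    rule. Scheduled expiry is deliberately absent: the guidance drops it."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    normalised = password.lower()
    if normalised in COMMON_PASSWORDS:
        problems.append("on the common-password blocklist")
    if username and username.lower() in normalised:
        problems.append("contains the username")
    return problems


if __name__ == "__main__":
    # Constructed samples: each one passes one policy and fails the other.
    samples = [
        ("Password123", ""),                 # complexity-compliant, yet a known-bad password
        ("correct horse battery staple", ""),  # long passphrase with only two classes
        ("alice2018!", "alice"),            # three classes, but built from the username
    ]
    for pw, user in samples:
        print(f"{pw!r}: legacy={legacy_policy(pw)} nist={nist_style_policy(pw, user)}")
```

The first sample is the interesting one: it satisfies every legacy complexity rule and is exactly the kind of password the newer guidance exists to reject.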
That is it. That is the new advice! It is revolutionary in most circles. Passwords do not have to be long or complex, and almost never need to be changed. This goes against what we have all been taught for a long time. Again, I still hear the old advice at computer security conferences. I hear it from people on panels sitting beside me. I want to correct everyone, publicly, but that is hard to do without insulting your friends, co-workers, and leaders. It is not their fault. They just do not know.
Lately, I have taken to speaking up about it. I try to do it as politely as I can, trying not to shame the other person for not knowing. You would be surprised by how many people actually know about the newer password policy guidelines but simply cannot believe them and keep repeating the older advice. Habits can be hard to break.
Is compliance hurting?
Worse yet, even though the new password policy guidelines have been the “rule of the land” for a year now, I do not know of a single legislatively required regulatory guideline (e.g., HIPAA, SOX, or PCI-DSS) that does not still require the old password policies. I do not know of a single auditing regime or program that does not require, often by law, the older, worse password guidelines.
Administrators and users are stuck in a hard place. Follow the old policies and your company is at greater risk of successful malicious hacking. Follow the new advice and you fail an audit, and everyone in your company above you yells at you.
I want to tell you to talk to your auditors and management and send them NIST’s newer password guidelines, but the truth is that they are not really going to care. All they are going to care about is whether you help get a “check mark” of success on a compliance audit. If you try to implement the new password policies, you are likely to be going it alone, against a hurricane of criticism and complaints. If you cause an audit exception or a non-compliance finding, you could be disciplined or fired. The best or the smartest among us basically have to accept that they will be knowing but silent.
When will regulations change?
If you want to do something, write the bodies in charge of the legal regulations that control your industry. Educate them and ask them when they plan to update their required guidelines. Do the same to your internal and external auditing teams, and to IT management. Now is the time — it has been a year — to start asking for the outdated password policy guidelines to be updated.
All auditing and regulatory bodies need to ask themselves if they are responsive enough to cybersecurity guidelines changes. Do they have policies and procedures, easy to find and follow, for members to initiate changes? Hackers and malware can change in seconds. How long do we have to wait until our controlling regulations and laws get updated after we find better advice?
If we do not make our audit and regulatory bodies more responsive, are we not always going to have compliance eroding our security in one way or another?
This is a call to arms. Go fight the good fight!
Roger A Grimes is an author and CSO columnist, and holder of more than 40 certifications
IDG News Service