What is Happening?
Technology media last week was full of commentary regarding passwords, including how everything that most users have learned about passwords, and too much of what the typical enterprise IT department is doing for passwords, is wrong. As carried in a report at The Verge and originally reported at The Wall Street Journal, the person who wrote the “book” that defined password usage for a generation from National Institutes of Standards and Technology (NIST) now says that the guidance is wrong. According to recent interviews with Bill Burr, the advice he provided in NIST Special Publication 800-63, Appendix A (circa 2006) “was probably too complicated for a lot of folks to understand very well, and the truth is, we were barking up the wrong tree;” and goes on to say “much of what I did I now regret.”
Why is it Happening?
Today, the typical policy for password usage and management – resulting from the original NIST guidance – includes passwords must be at least eight characters in length, and password should be changed once every 90 days. After the common – but not universal – uses of eight-character length passwords, some firms require the use of upper-case characters in addition to lower case. Other enterprises may require a number be used in addition to lower and upper-case characters. Other businesses require the use of upper-case, lower case, and numbers in passwords. And, still more enterprises require the use of upper-case, lower-case, a number or two, and some quantity of special symbol characters such as * % # & ! among others. The problem is that people cannot – and do not – remember the multiple rules across all sites they must register with, and then deal with repeated and regular “you must change your password” demands for their various logins / accounts.
The result tends to be “gaming the system” by reusing the same password – or as nearly as close as possible to the same password – across all logins, accounts and sites: destroying the very idea of a unique password. Once a password has been discovered on one site / login, too often it is the same password that will unlock everything across other sites / login accounts, including but not limited to bank accounts, drug re-order and replenishment accounts, brokerage accounts, industrial computer system accounts, retail point of sale accounts, and on and on. Moreover, while some accounts deliver limited capabilities to navigate laterally across networks, it is compromised administrative accounts that suffer from the same password-itis with more dire consequences for organizations.
All of this is what Bill Burr referred to when he said, “much of what I did I now regret.”
New NIST 800-63 A guidelines (circa 2017) have done away with much of what Bill Burr advised. In fact, what had been been a booklet is now a four-volume suite titled, “SP 800-63 Digital Identity Guidelines.” What is still needed by enterprises and providers (and an area where ISG helps more clients than ever) is evolved practical guidance and advice about effective methods of using passwords as a line of defense for the modern digital business.
For example, a mashed together stream of 14 character of upper and lower-case characters – such as “CarlostgoatBoy” – would take supercomputers or command and control servers about 683 years to crack, and upwards of 9 billion years for today’s amateurs using a simple stand-alone PC to crack. Obviously, a password with 20 characters such as “CarpalhostroughBeach” would take even longer to crack. What distinguishes these is the simplicity with which people can remember the phrases, yet the difficulty in their being cracked.
Most businesses turn over login accounts once every five years or less, and some may go ten years; the outer limit for protecting password protected assets may be related to employee or customer churn, retiree churn or other business factors. For example, long-lived assets and accounts at utilities, energy and telecommunication industries may have longer lifespans of decades that will dictate password length. Enterprise leaders should identity what the business risks are, how long digital assets will have to be protected, and what risk treatment is wanted or needed. Business leaders may decide to accept risks, avoid them entirely, or ask IT to mitigate / reduce risks associated with password uses. IT leaders should advise the business about remediation alternatives and trade-offs, and what both will cost in terms of convenience and money.
The reality is that risk profiles for some industries are higher. Specific industries and companies are targeted and attacked by State agents, industrial espionage agents, very talented cyber-attackers, and others with enormous capabilities. In more instances, operating risk profiles are lower, even in high risk industries. There is no one-size password policy that will fit all situations, just as there is every likelihood that given enough time and compute power, attackers will eventually try to crack and improve their hash and rainbow table cracking tools and extend their bounty.
Now that the author of NIST’s guidelines for passwords has confirmed what everyone has lived through for the past decade, it is time to revisit the business risks related to unauthorized account access. Go beyond this to play out event-risk storyboards that identify downstream exploits and risks – tangible and intangible – and make recommendations about approached to reduce / mitigate the risks.
Enterprise IT leaders should insist that the business make the decisions about which risks are to be accepted, transferred, avoided and mitigated. Advise the business about the alternatives and what the cost benefit tradeoffs are. Although IT security is often the least interested in change, IT leaders must insist on implementing very different – usable, easy to remember, and defensible – password policies and change management cadences, keyed to the business risks.