Why NIST’s Bill Burr shouldn’t regret his 2003 password advice

Created: 11 August 2017

Back in 2003, an engineer called Bill Burr wrote the official guidance on password security for the US National Institute of Standards and Technology (NIST), since widely referenced as the last word on the subject for government departments, large organisations and, latterly, consumers.

Fourteen years on, and a year after NIST overhauled the document from scratch, Burr has told the Wall Street Journal he regrets flaws in his advice, an unusual and brave admission for any professional to make.

Burr sums up his 2003 approach:

“It just drives people bananas and they don’t pick good passwords no matter what you do.”

We think Burr is being hard on himself, but let’s do him the courtesy of outlining what he thinks was wrong with the influential but oft-mangled eight-page NIST Special Publication 800-63, appendix A.

At its core was the simple orthodoxy that users should choose alphanumeric passwords sprinkled with capitals and special characters. These should be changed regularly.

The first part of this advice forms the basis of almost every password policy in existence, along with a requirement that passwords be at least X (usually now eight) characters long.

This wasn’t bad advice back in 2003 given that many users chose comedy passwords such as “password123”. Applying NIST’s rules, they could change that to the 12-character “P@ssW0rd123!” and congratulate themselves on how easily they had boosted their security.

Except, we now know, they hadn’t, for reasons that are reminiscent of what economists call the tragedy of the commons. To simplify, this states that what appears a good idea for an individual stops being so if everyone does the same thing.

If one person chooses a “P@ssW0rd123!”, in theory it’s secure. But when lots of people use a similar pattern, attackers have something predictable to aim at.

Realising that imposing generic password rules makes people gravitate towards common patterns, NIST now recommends that people focus more on length while checking existing passwords against a dictionary of known bad (ie, common, guessable) combinations.
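The following Python example, added here and not part of the original article or of NIST's text, contrasts a 2003-style composition check with a length-plus-blocklist check of the kind described above. The blocklist entries, the eight-character minimum, the substitution table and the function names are assumptions made for illustration.

```python
import re

# Constructed sample blocklist (assumption): a real deployment would load a
# large list of common and breached passwords instead.
BLOCKLIST = {"password", "qwerty", "letmein", "welcome"}

MIN_LENGTH = 8  # assumed minimum length for this example

# Illustrative table of common character substitutions to undo before lookup.
SUBSTITUTIONS = str.maketrans(
    {"@": "a", "4": "a", "0": "o", "1": "l", "!": "i", "3": "e", "$": "s", "5": "s", "7": "t"}
)
DECORATIONS = "0123456789!@#$%^&*?._-"  # digits and symbols commonly added at either end


def legacy_composition_ok(pw):
    """2003-style rule: minimum length plus upper, lower, digit and special."""
    patterns = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return len(pw) >= MIN_LENGTH and all(re.search(p, pw) for p in patterns)


def base_word(pw):
    """Reduce a password to the word its decorations were built around."""
    core = pw.lower().strip(DECORATIONS)
    return core.translate(SUBSTITUTIONS)


def check_password(pw):
    """Length-plus-blocklist check; returns (accepted, reason)."""
    if len(pw) < MIN_LENGTH:
        return False, "too short"
    if base_word(pw) in BLOCKLIST:
        return False, "based on a known bad password"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ("password123", "P@ssW0rd123!", "lantern orbit velvet canyon"):
        print(repr(candidate), legacy_composition_ok(candidate), check_password(candidate))
```

The composition rule accepts “P@ssW0rd123!” and rejects the long passphrase, while the blocklist check does the opposite.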

The second part of Burr’s advice – changing passwords regularly – probably became one of the biggest banes of professional IT because it generated work and often wasn’t effective when people made only minor tweaks. The advice today is to change passwords only when necessary (such as after a breach), which is good news for the vast number of people who’ve never bothered anyway.

Burr and NIST were still right to offer some advice because the alternative of offering no or heavily qualified advice wouldn’t have saved the world from bad passwords. Indeed, large numbers of users still ignore even the baseline of Burr’s 2003 rules and use hopeless passwords where they are allowed to – any number of bad passwords revealed in data breaches tells us this.

A fundamental challenge is that what constitutes a secure password changes over time as attackers up the ante. There’s also a need to balance usability. Make a password too easy (short, predictable) and attackers will uncover it, but make it too hard (long, complex) and users will take shortcuts.

What, then, has really changed for password security between 2003 and now?

Ironically, it’s the realisation that passwords, no matter how well crafted, are no longer enough on their own. A single phishing attack can grab even the best password, as can the breaching of a poorly secured database. Even the best get re-used over and over.

The world still uses passwords but increasingly supplements them with systems of authentication and identity that take decisions out of users’ hands, something that is at the heart of NIST’s revised guidelines.

Anyone who still wants some password-crafting advice without ploughing through NIST’s document might start with how to pick a proper password or Naked Security’s busting password myths podcast, but only after reading how difficult it is to craft a password that can withstand even 100 guesses.


Source: Naked Security
