NIST Password Guidelines are not taking advantage of technology
Security or convenience is no longer an acceptable trade-off when it comes to cybersecurity. They must be mutually inclusive, otherwise employees will circumvent security for their own personal convenience. NIST and Microsoft understands this to a degree, but in the latest NIST Password Guidelines SP 800-63-3 the recommendations favors password convenience over password security.
Sean Deuby wrote a great article, NIST Joins Microsoft in Changing How We Should Think About Passwords. If you haven’t read it, I recommend you do so. The article compares two different documents – Microsoft’s Password Guidance, May 1, 2016; and NIST’s Draft SP 800-63B, Digital Authentication Guideline. Having read both these reports, I disagree with some of their recommendations.
It’s all starts with the definition
One cannot tackle a problem or voice an opinion without first having a clear and precise definition of what needs to be discussed. That is why I will first point out how NIST Password Guidelines defines “Password”. They state:
A secret that a claimant memorizes and uses to authenticate his or her identity. Passwords are typically character strings.
The issue I have with NIST’s definition is that their point of reference is old, out dated, and limiting. Their definition applies to ancient times when a soldier needed to be recognized before entering an encampment. With all the technology at our disposal today, why does the “Knowledge” factor have to only be something a person memorizes? Why can’t a password reside within computer memory, secure hardware device, or in a smartcard? Here’s how I define a “Password”
Knowledge-based authentication of a shared secret word, expression or other string of characters exchanged between human-to-human, human-to-computer, or computer-to-computer for the purpose of authenticating access into facilities, services, computer networks, and/or data.
I often compare password authentication with alternative solutions. The most commonly discussed alternatives are digital certificates and PKI. When you drill down to the core of these solutions, it’s the user’s disassociation with the Private Key that helps make them secure. Remember, to a computer, a Private Key and a password are identical – just a long series of 0’s and 1’s. It’s what the computer does with the string that determines the results.
One of the most popular technologies used to protect Keys is the smartcard. If smartcards can “know” and keep a Private Key secure, then why can’t it do the same for a password? It’s from this perspective I claim that a Private Key, a Secure Key and even a biometric template are all only glorified passwords to a computer. Instead of a human having to know or type the secret, technology does it for them. A smartcard containing a private key uses this long bit string to authenticate that the device knows the secret code, which in turn is used for authenticated access to a device, message or application.
Passwords can also be stored in a smartcard and used for authenticated access. The smartcard can communicate a password to a computer or network without any user involvement or knowledge. Passwords can also flow through an encrypted communications channel to prevent interception. Furthermore, even if the passwords are stored in an LDAP like Active Directory, the smartcard can establish a trusted connection, implement advanced “salting hash features”, and keep all password data files uniquely encrypted should they ever get stolen or hacked.
What still remains is user authentication to the smartcard. That is easily handled by a PIN (a short password) and/or biometrics. The beauty here is that the card, PIN and biometrics operate together to deliver true Multi-Factor Authentication, and the user maintains a high level of assurance that the odds of someone else possessing two or all three parts is very unlikely.
To wrap up this blog, my point here is to dispel the notion that passwords can only be regulated by human memory. Instead, passwords can reside in either human or technology memory.
In my next post I’ll discuss the NIST/Microsoft recommendations about making simple password phrases that the user can remember, and not frequently changed. To prepare you, let me ask two more questions. First, which password would you prefer, Column A or Column B:
Account My Recommendation NIST/Microsoft recommendation
Bank: <89tnNx^V\juw3a=0GGtx;[email protected]; ILoveMyPassword
Server: <=RCCzqf]9qJ64k:Z9xl <kLF2zQ M ILoveMyPassword
Computer: 8:f]r9`QA[sxdu<U*<Qkjer7okGMUB ILoveMyPassword
You might have answered “B” because of the simplicity, but what if I were to removed the burden of you having to know, remember, or type any passwords. Now which one would you vote for? Be sure to check out Part II of this blog.
About Access Smart:
At Access Smart we created Power LogOn – a multifactor authentication enterprise password manager. It’s our belief that, “It’s not that we have a password problem. Instead we have a password management problem!” By removing the weakest link in cybersecurity – the human element, and rethinking passwords from a more modern perspective, our networks will become stronger.
Dovell Bonnett – “The Password Guy”
Dovell Bonnett has been creating computer security solutions for over 20 years. His passionate belief that technology should work for humans, and not the other way around, has lead him to create innovative solutions that protect businesses from cyber-attacks, free individual computer users from cumbersome security policies, and put IT administrators back in control of their networks.
He has spent most of his career solving business security needs, incorporating multiple applications onto single credentials using both contact and contactless smartcards. The most famous example of his work is the ID badge currently carried by all Microsoft employees.
In 2005, he founded Access Smart LLC to provide logical access control solutions to businesses. His premiere product, Power LogOn, is a multi-factor authentication, enterprise password manager used by corporations, hospitals, educational institutions, police departments, government agencies, and more.
Dovell is a frequent speaker and sought-after consultant on the topic of passwords, cybersecurity, and building secure, affordable and appropriate computer authentication infrastructures. His most recent book is Making Passwords Secure: How to Fix the Weakest Link in Cybersecurity.
This blog post, on the face of it, promised to critique NIST’s new password guidelines. However, it merely redefined “password” to include hardware-based solutions and then advertised your hardware.
Smartcards are great and all, but some organizations cannot justify the cost. NIST’s new guidelines strengthen ordinary passwords (something you type on a keyboard according the definition normal people use) into something that could be almost as good as a smartcard.
Specifically NIST recommends allowing me to use long passphrases like your examples above, which I will happily do if the system will permit it. The problem with passwords isn’t that humans can’t remember them, it’s that we forced humans to create passwords that are easy to crack and hard to remember by forcing them to be short and gibberish. Emphasis on short. Stop making passwords short. Let them be long, long, long.
A human can create a very memorable, long, complex phrase that is easy to remember and hard to guess. The security level can approximate a smartcard without all the extra cost. (If you disagree, remember that you redefined ‘password’ to put character strings and hardware tokens on the same footing.)