Simply Secure: Changing Password Requirements Easier on Users
New NIST rules have users breathing a sigh of relief on password policies
Passwords are a fact of life – most of us have far too many of them. We can’t remember them all, and there’s hardly any way to keep track of them unless we start writing them down. Another alternative is to just remember the passwords that you use regularly, and ask for password resets when you need to access the other sites – but that’s a lot of password resets! Experts like Cormac Herley, a Microsoft researcher, have gone on record talking about the enormous time costs of password resetting, and how it can cost big companies millions of dollars each year. It also costs users millions of minutes, pecking away at the keyboard, whether they’re trying to view personal data, sign up for a service or buy something from an e-commerce store.
So what can we do? And what are the most obstructive and annoying aspects of our password use that make us want to hurl our computers and devices out the window?
New reports show that as a society, we may be about to get rid of some of these annoying password problems. Going with new research on cybersecurity, we will likely progress beyond some of the current security standards that have caused us so much stress over the last few years.
An article in the Wall Street Journal goes so far as to bring out the fellow behind some of these rules, and get his input on why they may not be needed any longer.
On August 7, 2017, WSJ writer Robert McMillan delivered a bombshell in the form of an investigative piece on Bill Burr, the author of a 2003 paper that ended up having big effects on corporate password standards. Burr worked at the National Institute of Standards and Technology, the federal agency tasked with evaluating technological innovation in the U.S.
“The man who wrote the book on password management has a confession to make,” begins the lede of McMillan’s piece. “He blew it.”
From there, the article goes on to describe two bugbears of the digital era that have complexified our lives. The first is those aggravating requirements to include special characters in a password. The other is frequent password changes.
Both of these practices take a lot of time when you’re talking about dozens of individual passwords. The first one, though, is also a classic case of “bad interface” – it’s just not intuitive, and it forces people into workarounds.
Cognitive Dissonance and the Herd Mentality
Most of us can sort of “feel” how these password standards are causing confusion in our brains. Faced with the very abstract choice of how to include a number and a special character in a password, which is otherwise an alphabetic string, many of us will simply dash off a “1!” That doesn’t really tend to foil hackers. In fact, the more we choose the same generic choices, the easier it becomes to crack our passwords. (Learn more about hackers in Is Security Research Actually Helping Hackers?)
Add, on top of that, the requirement that users update their passwords every month, or every three months or so.
The reasoning behind this requirement is that the old password should be changed into something entirely different – but too often, that’s not how it works. Trying to handle the additional brain-beating of remembering a brand new password, the user will take the old password and change one letter or number. Now, the old password is a major “tell” for the new one – it becomes a liability.
New NIST Standards: What’s Inside?
The new rules being developed by NIST will change all of that.
Special Publication 800-63-3 is an update to the original version that accomplishes a lot of what some experts say should have been implemented all along.
First, it takes away both the composition rules, like having to put an exclamation point into your password, and the requirement for routine expirations.
What NIST 800-63-3 adds is a focus on “realistic” security practices.
The new rules stress multi-factor authentication, which writers describe as mixing a password (something you remember) with a physical key or keycard (something you have) or a piece of biometric data (something that is part of you). Other suggestions include the use of cryptographic keys, and the need to accept all printable ASCII characters, as well as a top length of 64 characters, and a minimum length of eight. (Learn more about biometrics in How Passive Biometrics Can Help in IT Data Security.)
In a public slideshow presentation titled “Toward Better Password Requirements,” security research expert Jim Fenton lays out in detail many of these fixes as “thou shalts” and “thou shalt nots,” also explaining how NIST recommends creating a dictionary of easily hackable passwords that should be automatically prohibited.
“If it’s not easy, users cheat,” Fenton writes, examining some of the commonsense rules that will make it harder for weak passwords to compromise a network.
Experts are also suggesting that users think of a “passphrase” or set of words for a password, rather than the jumbles of alphanumeric soup that we’ve been trained to provide.
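The verifier-side rules the article lists (minimum of eight characters, the 64-character upper bound, every printable ASCII character including space accepted, a dictionary of prohibited passwords, and no composition rules) fit in a short check. This is an added illustration, not code from NIST or from Fenton's slides; the blocklist contents are constructed and a deployment would load a large list of breached and dictionary passwords instead.

```python
MIN_LEN = 8    # minimum length for user-chosen passwords
MAX_LEN = 64   # the 64-character upper bound the article cites

# Constructed sample blocklist, stored lowercase so the comparison is
# case-insensitive. Real deployments load a large breached-password list.
PROHIBITED = {"password", "password1", "123456", "qwerty", "letmein", "iloveyou"}


def is_control(ch: str) -> bool:
    """True for ASCII control characters (the only ASCII we reject)."""
    return ord(ch) < 32 or ord(ch) == 127


def check_password(candidate: str) -> list:
    """Return the reasons the candidate is rejected; an empty list means accepted.

    Only length, character set and the blocklist are checked. There is
    deliberately no 'must contain a digit or symbol' rule and no expiry.
    """
    problems = []
    if len(candidate) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(candidate) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    # Every printable ASCII character, including space, is allowed;
    # non-ASCII characters are passed through as well.
    bad = sorted({c for c in candidate if is_control(c)})
    if bad:
        problems.append(f"contains control characters: {bad!r}")
    if candidate.lower() in PROHIBITED:
        problems.append("appears in the prohibited-password dictionary")
    return problems
```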
Why Is a Passphrase Better?
There are many ways to explain why a long passphrase like “total egg bicycle donkey” is going to be a stronger password choice than something like “MisterA1!” – but the simplest has to do with a very understandable metric: length.
One idea at the heart of new NIST regulations is that, in some ways, we have been basing our password strategy on what makes sense for humans, while disregarding what makes sense for machines.
A few random characters might baffle human hackers, but computers are not likely to be easily swayed by an extra number or character at the end of a password. That’s because, unlike humans, computers don’t read passwords for meaning. They simply treat them as strings of characters to be enumerated.
A brute-force attack is when a computer tries every possible string of characters in turn until it finds the one the user originally selected. When these attacks happen, what’s going to matter is how large that search space is – and each additional character multiplies the number of candidate strings by the size of the character set, so the attacker’s work grows exponentially with length.
With that in mind, a passphrase is going to be exponentially stronger – even though it “looks” easier to the human eye.
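The length argument in the two paragraphs above, carried through on the article’s own two examples (an added worked calculation, not from the original article; the alphabet sizes are assumptions about what an attacker knows):

```latex
\text{For an alphabet of } |A| \text{ symbols and a password of length } L, \text{ the brute-force search space is}
N = |A|^{L}, \qquad \log_2 N = L \log_2 |A| \ \text{bits}.

\text{``MisterA1!''}: \; L = 9,\ |A| = 95 \text{ (all printable ASCII)}:\quad 9 \times \log_2 95 \approx 9 \times 6.57 \approx 59 \text{ bits}.

\text{``total egg bicycle donkey''}: \; L = 24.
\text{Even if the attacker knows only lowercase letters and spaces are used, } |A| = 27:
\quad 24 \times \log_2 27 \approx 24 \times 4.75 \approx 114 \text{ bits};
\text{with } |A| = 95 \text{ it is } 24 \times 6.57 \approx 158 \text{ bits}.

\text{Adding one character multiplies } N \text{ by } |A|; \text{ adding a symbol to a 9-character password changes } |A|, \text{ not } L.
```

One caveat: if the attacker guesses whole words from a word list of size W instead of characters, the bound is k log2 W bits for k words, so the words in a passphrase should be chosen at random rather than as a familiar phrase.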
By expanding the maximum length of a password to 64 characters, the new NIST guidelines give users the password strength they need, without imposing a lot of counterintuitive rules.
Lots of admins are going to love getting rid of the special character requirements and all of those labor-intensive password updates, but there’s another feature that’s also getting the ax as professionals read new NIST guidelines.
Many systems ask new users to add facts about themselves to a database during onboarding: the idea is that later, if they forget their password, the system can authenticate them based on some thought about their past that nobody else would know. For example: What was your first car? What was the name of your first pet? What is your mother’s maiden name?
This is another one of those trends that has felt uncomfortable for many of us. Sometimes, the questions seem intrusive. Also, security-minded skeptics will point out that there are a good many of us who first drove a Chevrolet, or, in a youthful fit of exuberance, named our first dog “Spot.”
Then there’s the workload of maintaining the database and matching up the answers when they are needed.
It’s safe to say not too many people are going to be shedding tears over the disappearance of “password hint” functions when there are better options for making user activity truly secure.
No, It’s Not Waffle House! Salting, Hashing and Stretching
In other innovations, experts now also recommend “salting” passwords, which involves generating a random string of characters for each user and combining it with the password before a “hashing” process – a one-way function that maps the input to a fixed-size digest – so that two users with the same password end up with different stored values and precomputed lookup tables become useless. There’s also a process called “stretching” that is specifically designed to foil brute-force attacks, partly by repeating the hashing step many times so that every guess costs the attacker more computation.
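Salting, hashing and stretching together, as an added example using Python’s standard-library PBKDF2 (this is illustrative code, not anything recommended verbatim by NIST or quoted from the article; the iteration count and record format are assumptions to tune for your own hardware):

```python
import hashlib
import hmac
import os

# Stretching work factor: each guess, by attacker or verifier, costs this
# many HMAC-SHA256 rounds. Constructed value; tune so a login takes ~100 ms.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salt, hash and stretch a password; return a storable record.

    The salt is fresh random bytes per user, so identical passwords produce
    different records and a precomputed table cannot be reused.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Store the parameters alongside the digest so they can be raised later.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(digest.hex(), digest_hex)
```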
What all of these functions have in common is that they take place in the administrative realm, not at the user’s fingertips. The average user wants nothing to do with these kinds of procedural things – he or she just wants to get access and go about whatever there is to do in a network system, whether it’s completing work tasks, networking with friends, or buying or selling something online. So by taking away the “client-side” password rules and making a lot of the security administrative, companies and other stakeholders can really improve the user experience.
This is a key point, because improving user experience is what a lot of new tech innovation is about. We’ve come to the point where we have wrung a lot of functionality out of our computers, smartphones and other devices – a lot of the progress we will make in coming years involves making virtual tasks easier to do, and getting rid of the clunkiness of an experience: such as a non-mobile-first web site, a glitchy interface, poor battery life … or a tedious logon! That’s where password innovation comes in. Going back to the idea of multi-factor authentication, it’s likely that biometrics is going to unlock even more ease of use for devices – why tap and type in long passwords when you can just show your device who you are with a fingerprint?
Practical Implementation: Some Challenges Remain
As we’ve said, though, we’re stuck with passwords and PINs for the time being. For example, some newer operating systems have switched from a four-digit PIN to a six-digit PIN, making many of us that much slower on the draw on our devices.
One issue with the “passphrase” approach recommended by NIST is that there are still going to be password resets (as discussed in this thread on Naked Security). People are still going to forget their passwords. Some are suggesting it might get harder for IT people to issue new passwords when the original ones are much longer.
However, there might be some potential here when it comes to multi-factor authentication. Biometrics haven’t really caught on yet, but nearly everyone has a mobile phone. Lots of online banking systems and other systems are using SMS to authenticate users. This could be an easy way to check on accounts where the password has been lost or forgotten. It’s also a key way to strengthen a password in general, as mentioned above.
If you’re a network administrator, what are the new NIST rules telling you?
Essentially, the federal agency seems to be telling managers: relax. Let users do what they do intuitively, with better protection of stored passwords on the server side, a dictionary of prohibited strings, and a longer input field with more versatility. Don’t teach them to lard their passwords with asterisks and cutesy special characters. And don’t make them re-up the whole process every few weeks.
All of this is going to make a given platform leaner and meaner. Just the elimination of password hints takes away a significant codebase with all of its resource requirements. The new NIST rules put password security where it belongs: out of the idiosyncratic user’s hands and into an obscure place where technical functions make yesterday’s easy brute-force attacks history. They let us all take a new chilled-out approach to what has been a trying process: crafting unique little words and phrases for every corner of our digital lives. It’s one more step toward a world of more intuitive user interfaces – a new and improved digital world where what we do feels more natural, and less confusing.