[BreachExchange] Are regulations keeping you from using good passwords?

Destry Winant destry at riskbasedsecurity.com
Wed May 30 22:14:59 EDT 2018


I rarely go to a conference where I don’t hear someone doling out
“good” password policy advice. You know, the password policy includes:

- Eight to 12 characters long as a minimum; extremely long passphrases
are better
- Must be complex and include at least three different character sets
(e.g., uppercase characters, lowercase characters, numbers, or
- Change every 90 days or fewer
- Enable account lockouts for bad passwords, five bad attempts or fewer

I hear world-renowned computer security experts, CEOs and security
consultants giving this advice all the time. I heard it today. I’ll
hear it tomorrow.

Except that it’s wrong. It’s old advice. It was never “good” password
policy. Looking at the data, people and companies that follow this
advice are likely increasing their computer security risk, not
lessening it. Unfortunately, the desire to stay in compliance with
outdated regulatory requirements means that most companies and
individuals will be compelled to follow this old, outdated and wrong
advice for years to come. It’s a sad state of affairs.

What is today’s good password policy advice?

Starting a decade ago or so, a few computer security scientists
decided to look at the data to see if the traditional password
security advice that had been recommended for decades was actually
effective. One of my favorite computer security scientists is
Microsoft Principal Researcher Dr. Cormac Herley. He has probably
written more about how bad the old password policy advice is than
anyone. He’s not a fan of much of today’s long-held, but untested
computer security advice. As he said in my 2017 book, Hacking the

"You might have a model of how you think 2 billion users will behave,
but 2 billion users will respond the way they are going to respond
regardless of your model. You can hope that it happens the same way,
but you have to measure what happens to see if there is any
resemblance to what you said would happen in your model. And if your
model is wrong, change it."

Dr. Herley looked at the data and tested how well the traditional
advice stacked up in today’s hacker world. His conclusion, along with
many others, was that the traditional advice was bad advice, and they
used data and how today’s hackers hack to come up with better password
policy advice. The culmination of these password experts' work was
updated password policy guidance from the National Institute of
Standards and Technology (NIST). NIST sets the computer security
standards for the U.S. government and military computers, and by doing
so, set the standards for most of the world’s computers.

NIST issued its updated password policy advice in the form of “Digital
Identity Guidelines”, the most important of which is NIST Special
Publication 800-63-3, released in final form in June 2017. In the
related guideline documents, NIST essentially says that you should be
using multifactor authentication (MFA) instead of passwords, but if
you’re going to be using single-factor authentication passwords, here
are the new, better recommendations:

- Enable two-factor authentication (2FA) where you can. Passwords are
great, but 2FA is better.
- A password should be eight characters or longer, but it doesn’t have
to be super long.
- Character complexity is no longer a requirement, but does not hurt.
- Should not contain common or easy-to-guess passwords (like your name
or password123).
- There is no need to change your password unless you think it’s been
- Never re-use the same password on other sites.
- Developers, consider using dynamic authentication, where changes in
user behavior, location, or devices initiates additional
authentication checks.
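The contrast the post draws between the legacy policy and the NIST approach, written out as two validators. This is an added example, not code from the original post or from NIST; the common-password blocklist is a constructed sample, and the function names are my own.

```python
"""Added example: legacy complexity policy vs. NIST SP 800-63B style policy."""
import re
import unicodedata

# Constructed sample of "common or easy-to-guess" passwords. A real
# deployment would check against a large breached-password corpus.
COMMON_PASSWORDS = {"password", "password123", "123456", "qwerty",
                    "letmein", "p@ssw0rd"}

CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]")


def old_policy(pw: str) -> list:
    """Legacy rules from the post: at least 8 characters and at least
    three of four character classes. Returns a list of violations
    (an empty list means the password is accepted)."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    classes = sum(bool(re.search(pattern, pw)) for pattern in CHARACTER_CLASSES)
    if classes < 3:
        problems.append("fewer than 3 character classes")
    return problems


def nist_policy(pw: str, username: str = "", blocklist=COMMON_PASSWORDS) -> list:
    """NIST SP 800-63B style rules: at least 8 characters, no composition
    requirement, and rejection of values that are on a common-password
    list or that contain the user's own name. Unicode is normalized
    before measuring length so visually identical strings compare equal."""
    pw = unicodedata.normalize("NFKC", pw)
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if pw.lower() in blocklist:
        problems.append("on the common-password list")
    if username and username.lower() in pw.lower():
        problems.append("contains the username")
    return problems


if __name__ == "__main__":
    # A complexity-compliant but widely guessed value passes the old rules
    # and fails the new ones; a long, plain passphrase does the reverse.
    for candidate in ("P@ssw0rd", "correct horse battery staple"):
        print(repr(candidate), "old:", old_policy(candidate),
              "nist:", nist_policy(candidate))
```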

That’s it. That’s the new advice! It’s revolutionary in most circles.
Passwords don’t have to be long or complex, and almost never need to be
changed. This goes against what we’ve all been taught for a long time.
Again, I still hear the old advice at computer security conferences. I
hear it from people on panels sitting beside me. I want to correct
everyone, publicly, but that's hard to do without insulting your
friends, co-workers, and leaders. It’s not their fault. They just
don’t know.

Lately, I’ve taken to speaking up about it. I try to do it as politely
as I can, trying not to shame the other person for not knowing.
You would be surprised, though, by how many people actually know about
the newer password policy guidelines but simply cannot believe them and
keep repeating the older advice. Habits can be hard to break.

Is compliance hurting us?

Worse yet, even though the new password policy guidelines have been
the “rule of the land” for a year now, I don’t know of a single
legislatively required regulatory guideline (e.g., HIPAA, SOX, or
PCI-DSS) that doesn’t still require the old password policies. I don’t
know of a single auditing regime or program that doesn’t require,
often by law, the older, worse, password guidelines.

Administrators and users are stuck in a hard place. Follow the old
policies and your company is more at risk for successful malicious
hacking. Follow the new advice and fail an audit, and have everyone in
your company above you yell at you.

I want to tell you to talk to your auditors and management and send
them NIST’s newer password guidelines, but the truth is that they
aren’t really going to care. All they are going to care about is
whether you help get a “check mark” of success on a compliance audit.
If you try to implement the new password policies, you are likely to
be going it alone, against a hurricane of criticism and complaints. If
you cause an audit exception or lack of compliance finding, you could
be disciplined or fired. The best or the smartest among us basically
have to accept that they will be knowing, but silent.

When will regulations change?

If you want to do something, write the bodies in charge of the legal
regulations that control your industry. Educate them and ask them when
they plan to update their required guidelines. Do the same to your
internal and external auditing teams, and to IT management. Now is the
time — it’s been a year — to start asking for the outdated password
policy guidelines to be updated.

All auditing and regulatory bodies need to ask themselves if they are
responsive enough to cybersecurity guidelines changes. Do they have
policies and procedures, easy to find and follow, for members to
initiate changes? Hackers and malware can change in seconds. How long
do we have to wait until our controlling regulations and laws get
updated after we find better advice?

If we don’t make our audit and regulatory bodies more responsive,
aren’t we always going to have compliance eroding our security in one
way or another?

This is a call to arms. Go fight the good fight!
