A Business Technology Place

Easier password rules

Somebody give these guys a high-five.
Finally. There is a glimmer of hope for resolving the insanity that password complexity rules have become. The National Institute of Standards and Technology recently revised its guidelines for password complexity. The prescribed password complexity recommendations are detailed in Appendix A – Strength of Memorized Secrets. The NIST findings not only acknowledge the impact on usability of the existing recommendations for complex password rules, but they reveal that the improvement to security is not significant. This will make you smile and is sure to get a round of applause from everyone. Here’s an excerpt:

“Humans, however, have only a limited ability to memorize complex, arbitrary secrets, so they often choose passwords that can be easily guessed. To address the resultant security concerns, online services have introduced rules in an effort to increase the complexity of these memorized secrets. The most notable form of these is composition rules, which require the user to choose passwords constructed using a mix of character types, such as at least one digit, uppercase letter, and symbol. However, analyses of breached password databases reveal that the benefit of such rules is not nearly as significant as initially thought [Policies], although the impact on usability and memorability is severe.”

The new advice is to consider the length of the password more important than its complexity. Shorter passwords are easier for computer programs to break. Longer passwords are more difficult to break after they have been encrypted and stored. NIST acknowledges that the overly complex password rules we’ve been subjected to only encourage bad behavior when we strive to make the password easier to remember. In other words, changing your password from “Password1!” to “Password2!” doesn’t really make the password more secure.

Randomly generated passwords are OK as long as they don’t create a usability hassle. Some users, like me, use a password vault tool that can randomly generate passwords to use with specific sites. Again, longer password length is better even when using random characters.

I looked at my accounts.
I used this guidance and examined three financial services sites where I have accounts. Here is a look at the current password complexity requirements from each site:

Site 1
At least 8 characters in length
Has at least one letter
Has at least one number

Site 2
Must contain 8 to 20 characters including one letter and one number.
May include the following characters: % & _ ? # = –
May not contain spaces

Site 3
Minimum of six characters
Must use a mix of letters, numbers, or symbols

The good news is I can use my random password generator to create passwords longer than, say, 8 characters. It’s no more work for me because I go to my password vault tool to retrieve passwords anyway. But even if you don’t use a password vault tool, you can make your password much more secure by creating a phrase that complies with the existing rules. For example: ILove2seemygrandmother would fit the requirements. It is easier to remember and more secure. Hopefully, the new guidelines will find a place in technology compliance and regulation and we’ll be able to submit password phrases more freely in the future.
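As an added example (not from the post or from NIST), here is a small Python check that contrasts the composition rule the three sites above share with a length-first check in the spirit of the revised guidance, plus the guessing-space arithmetic behind "length beats complexity" for randomly generated passwords. The breached-password list is a constructed stand-in, not real breach data.

```python
import math
import re

# Constructed stand-in for a breached-password list. A real check would use a
# large breach corpus of the kind the NIST excerpt refers to.
BREACHED = frozenset({"password", "password1", "password1!", "qwerty123", "letmein"})


def composition_ok(pw: str) -> bool:
    """The rule the three sites share: at least 8 chars, one letter, one digit."""
    return (len(pw) >= 8
            and re.search(r"[A-Za-z]", pw) is not None
            and re.search(r"\d", pw) is not None)


def _core(pw: str) -> str:
    """Strip the trailing digits/symbols people bolt on to satisfy composition
    rules ('Password2!' -> 'password'), so trivial variants compare equal."""
    return re.sub(r"[\d\W_]+$", "", pw).lower()


def length_first_ok(pw: str, blocklist=BREACHED) -> tuple[bool, str]:
    """Length-first check: minimum length, spaces allowed, no composition
    requirement, reject known-breached secrets and their trivial variants."""
    if len(pw) < 8:
        return False, "shorter than 8 characters"
    if len(pw) > 64:
        return False, "longer than 64 characters"
    if pw.lower() in blocklist:
        return False, "appears in breached-password list"
    if _core(pw) in {_core(b) for b in blocklist}:
        return False, "trivial variant of a breached password"
    return True, "ok"


def random_password_bits(length: int, charset_size: int) -> float:
    """Guessing space, in bits, of a uniformly random password of the given
    length drawn from charset_size symbols: length * log2(charset_size)."""
    return length * math.log2(charset_size)


if __name__ == "__main__":
    for pw in ["Password2!", "ILove2seemygrandmother", "correct horse battery staple"]:
        print(f"{pw!r}: composition={composition_ok(pw)} length_first={length_first_ok(pw)}")
    # 8 random chars from all 95 printable ASCII vs 12 random lowercase letters
    print(f"8 x 95-symbol: {random_password_bits(8, 95):.1f} bits")
    print(f"12 x 26-symbol: {random_password_bits(12, 26):.1f} bits")
```

Note that "Password2!" satisfies every site's composition rule yet is rejected as a trivial variant of a breached password, while a 12-character lowercase random password has a larger guessing space than an 8-character one drawn from the full printable set.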

Onward and upward!

Got Password? Can Microsoft simplify?

Who makes the rules?

Hackers love them. Security auditors like to engineer them. The average person hates them. IT support teams use them for jokes. Our computer passwords have an identity crisis! Do passwords protect us, or are they just a nuisance in our everyday lives? I find weekly articles about how hackers can crack most passwords in minutes. For some thieves, cracking a password isn’t enough fun, so they just steal them. It seems the value passwords bring for protecting information is diminishing.

Industry experts created password complexity rules we should all follow to make passwords more secure. That makes it a little harder for hackers to crack a password but does not make passwords theft-proof. Unfortunately, it also drives many people without a password system to write their passwords down on paper. Who can remember words with all those special characters and capitalizations? In essence, in trying to make the user more secure, the rules made the system less secure.

Businesses implement password complexity rules to meet a couple of constraints: a security control they are given and limitations of the software system they are using (i.e. field length, characters allowed). The result for all of us is an inconsistent set of rules governing passwords across all the systems we use. Is it 8 characters or 10? Does it require special characters? Can I reuse a password I used two years ago?

What you know and have.

Several years ago, a popular method for authentication security was created to offset the weaknesses of a single-password system. Two-factor authentication is based on the idea of something you know and something you have. So, for example, I know a password and I have a phone to which you send me a second code. Or I know a password and I have a physical security card I can tap or have read.

Now, Microsoft is experimenting with removing the password requirement completely. Their new system would make life easier for their customers because it doesn’t require a pesky password for data access. Well, kind of. It requires a PIN from the phone to get access. I see this as a hybrid two-factor authentication. Something I know: my phone PIN. Something I have: my mobile device. If I lose or misplace my phone, they say there is an option to revert to a standard password. Would you use this?

Human behavior.

Protecting data with authentication systems is a good study in human behavior. We protect the data because we don’t want others to see it. We protect access because some people steal data. We develop authentication systems that try to find a balance between human usability and password complexity. I can see this as a college class. Psyc 231 – Human behaviors for data access and protection.

Got password?

Photo Credit: Thomas Au via Creative Commons. https://flic.kr/p/dT3HaA


The Weakest Lock

What entry point to your electronic data is the least secure?
The Evernote announcement of forced password resets last week started an email discussion between a colleague and me about password security. I was impressed with Evernote’s precautionary measures and their transparency in admitting they detected suspicious network activity. Although they found no evidence that password files were compromised, they chose to communicate their findings and force password resets for all their users. In a blog post and email, Evernote states “As a precaution to protect your data, we have decided to implement a password reset.” That’s a small price to pay for a little insurance and peace of mind about the information in my account. I gladly reset my password and then moved on with my other daily activities.

My email conversation was about password security and authentication measures to access data. Some time ago I started using one of the online password services, called PassPack, to help me manage passwords for all my accounts. I set up a randomly generated password for most sites, which means I can’t get access to these sites without first signing in to my password manager. Extra security does come with extra overhead.

Are gestures a good idea for authentication?

The email conversation on the topic captured a thought about the weakest entry point.

“Follow up on Bob’s random password use. I use LastPass and have considered having it randomly generate passwords for everything. That would create a complete dependency on LastPass, and I’d want to export / backup the list at times. But then what password guards LastPass? That one password would become the weakest lock.”

For me, PassPack requires both a username / password combination and an additional encryption key, which is a full phrase/sentence. But conceptually the thought in the email is correct. A single authentication that grants access to a group of credentials is the weakest lock, or the most impactful lock. If someone were to gain access to my master list of authentication credentials, then it really doesn’t matter that each of the sites I use has a different password.

The balance between security and usability.
Yancey Vickers from Red Clay Interactive wrote about the convenience of password manager programs and OpenID in her post One Password to Rule them All. She discusses some of the tradeoffs between added password security and usability. People have different tolerances for how much security they accept in their authentication process. I suspect that the level of overhead I take on to sign in to a password manager to retrieve a password is not acceptable to most people.

What about mobile devices?
The email goes on to read:

“Then I think about our smart phones. That may be the weakest lock because if you get into my smart phone you can get into a lot of stuff to either gain access or socially engineer others to gain access. For the longest time that was just a 4 digit pin. Now it is a gesture.”

I hadn’t thought about this before the email. But my friend is right. The security requirements for my company-issued phone are not the same as those on the company-issued laptop. There is no multi-character password requirement, expiration date, or VPN program on the phone. A single PIN, or gesture, allows access to corporate email. That does sound like the weakest lock.

Do mobile devices warrant tighter security? Would people use a mobile device if they had to key in a password composed of capital letters, lowercase letters, numbers, and a special character? What if they had to authenticate with a VPN service after unlocking the phone? The standards seem to vary by device.

The Weakest Lock.
One password to rule them all, One password to find them,
One password to bring them all and in the mobile device bind them.