Phil Magness: Death of the “expired” and “complex” password?

In 2017, the U.S. National Institute of Standards and Technology (NIST) issued a special publication that represented a shift, perhaps controversially, in the management of passwords for the U.S. Federal Government.  Although the guidelines are not binding on us here in Australia, NIST advisories remain highly influential for technology related matters.

The guidelines provided a number of mandates including:

  • password lengths should be increased to up to 64 characters;
  • password hints should not be allowed; and
  • password reset options such as “What was the name of your first pet?” should not be allowed.

Perhaps the two most controversial recommendations were that:

  • passwords should not expire and need only be changed where there is suspicion of compromise; and
  • there should be no complexity requirements (e.g. mandating uppercase, lowercase, numerical and special characters).

The rationale for non-expiring passwords is that users should have one good, long password rather than being forced to make up a new one every 30, 60 or 90 days.  As the UK’s National Cyber Secure Centre stated: “regularly password changing harms rather than improves security”.[1]  They provide a number of basis for this conclusion including the common problem of users entering new passwords that are only minor variations of previous ones.

The downside to passwords that do not expire is that it places increased reliance on the user, or their organisation, to actively monitor the activity on the account for suspicious activity.  Whilst this should be occurring anyway, the practical reality is that log file review is often minimally and poorly undertaken, if at all.  If never or poorly undertaken, then an attacker who has successfully obtained a user’s password, typically through phishing, will continue to have access to the user’s account, possibly for a significant and undetected period of time.

The removal of complexity requirements removes the often illogical situation whereby a simple password meets the complexity test and a lengthy passphrase fails.  For example, the password of “Wednesday1” is considered a strong password for most authentication mechanisms as it contains three of the four requirements of uppercase, lowercase, numerical or special characters.  It is also of a sufficient length.  However a somewhat unique passphrase such as “Ilikecatchingtroutwithaflyrod”, is likely to fail for lack of complexity.

Concerns over the removal of complexity requirements can be mitigated by validating the user’s password against known dictionaries.  Simple dictionary words and passwords that appear on blacklists would be rejected for use.

Passwords alone are not enough

As NIST acknowledges, a password alone does not provide sufficient protection against the unauthorised compromise of a user’s account.  Multifactor authentication (also known as two-factor authentication) should be implemented.  The authentication should be to a mobile application, biometric or physical hardware device, and not via SMS or email.  In my experience, many data breaches would have been prevented if multifactor authentication was enforced.  Whether it is an Office 365, G-Suite account or the user’s personal Gmail or Facebook accounts, multi-factor authentication is a primary defence mechanism against compromise credentials.

In addition to multifactor authentication, further protections include:

  • investing in a password manager such that the user only needs to remember one strong password, or preferably a passphrase, to access a list of randomly generated passwords. As the Australian Cyber Security Centre acknowledges, “[o]ne good password is hard (enough) to remember, but lots of complex passwords is all but impossible”;[2]
  • implementing a blacklist of easily guessable passwords; and
  • implementing single sign-on (SSO) solutions to minimise the number of systems where a user has to enter the password.

Both password managers and single sign-on run the risk that a compromised master password will provide an attacker with the keys to the kingdom.  However in my view, and as Mark Twain famously stated, it may be better to put all your eggs in the one basket and then watch that basket.  That is, monitor and continue to monitor, rather than simply set a password and forget about it.

[1] https://www.ncsc.gov.uk/collection/passwords/updating-your-approach 

[2] https://www.cyber.gov.au/advice/understanding-passwords