Password shenanigans

In a nutshell


Preamble

Passwords.
Love them, hate them, makes no difference.

Online tax payments, banking, insurance, travel, your e-mail account…
Your login and password secure access to all that, and every single one of them is subject to a different, arbitrary policy set by someone stuck in the 1980s.

Today, let’s take a look at a history of failed passwords, and what’s being done to address them.

The failure of password requirements

Back in the 80s, people came up with the idea that passwords needed complexity rules, so that they’d be hard to guess by another human, a dictionary attack, or even an automated program.

Indeed, in 1979 Thompson and Morris discussed dictionary password attacks in their article “Password security: a case history”.

In that same article, Thompson and Morris proposed the first ever set of password strength rules: a minimum of 6 characters, or 5 if the password included non-alphabetic characters.

This would be the beginning of a spiral to insanity, of passwords written down on post-its, duct-taped under keyboards or to monitors, or kept in plain-text files on disk drives.

A very popular XKCD comic inspired by Steve Gibson tells it much better than I ever will:

40 years of doing passwords wrong…

Sane practices anew

At long last, in 2017, NIST acknowledged in NIST SP 800-63 revision 3 the folly of our old ways, and the need for a new approach to passwords.

More specifically, in SP 800-63B, sections 5.1.1.1 and 5.1.1.2, NIST finally asks that we stop pestering users with absurd complexity rules and arbitrary expiration dates.

When these policies get implemented by actors on the market, you’ll be able to move away from your bank’s virtual keyboard and 6-digit password to an actual sentence you’ve chosen and remember:

Terrible password policy and security example by my bank

Indeed, the US Office of Management and Budget released a memorandum that gives its agencies until the end of 2024 to implement Zero Trust architectures, including actually sane password policies.

The exact wording can be found on page 8, as follows:

“Consistent with the practices outlined in SP 800-63B, agencies must remove password policies that require special characters and regular password rotation from all systems within one year of the issuance of this memorandum. These requirements have long been known to lead to weaker passwords in real-world use and should not be employed by the Federal Government.”

It’s 2022 and we’re finally going to do away with dumb, unmemorizable passwords that expire every 90 days.

Takeaways

Password complexity just does not work on its own; it leads to bad behaviours that actually weaken security.
Some attempts at passwordless logins, like Magic Links, are actually just as dangerous.

Allow your users to pick their own pass phrases of 12+ characters, and let them keep those forever (or until they’re dumped in a breach).
Running a risky business? Offer 2FA.

Your devs will have fun implementing mechanisms to check user input against known password breaches.
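As an added illustration of that breach check (example code written for this page, not the author’s or NIST’s), the block below combines the post’s two rules, a 12+ character floor and a lookup against a list of breached passwords, with no composition rules. The breach corpus is constructed inline from a handful of well-known weak passwords with made-up counts so it runs offline; the `range_lookup` function stands in for a breach-list service and follows the common k-anonymity pattern where the client sends only the first 5 hex characters of the SHA-1 hash, so the full hash never leaves the client.

```python
"""Password acceptance check in the spirit of SP 800-63B section 5.1.1.2.

Added example, not the blog author's code. The breach corpus and its counts
are constructed here so the example runs offline; a real deployment would
query a large list of compromised passwords.
"""
import hashlib

MIN_LENGTH = 12  # the post recommends pass phrases of 12+ characters

# Constructed breach corpus: (password, number of times seen in breaches).
# Counts are illustrative only, not real breach statistics.
_CONSTRUCTED_BREACHES = [
    ("password", 9_000_000),
    ("123456", 23_000_000),
    ("qwerty", 3_800_000),
    ("letmein", 600_000),
    ("correcthorsebatterystaple", 50_000),  # famous phrases get reused too
]


def sha1_hex(text: str) -> str:
    """Uppercase hex SHA-1 digest, the lookup key breach corpora are keyed by."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


# "Server side": hash suffix -> count, bucketed by the 5-character hash prefix.
_CORPUS_BY_PREFIX: dict[str, dict[str, int]] = {}
for _pw, _count in _CONSTRUCTED_BREACHES:
    _digest = sha1_hex(_pw)
    _CORPUS_BY_PREFIX.setdefault(_digest[:5], {})[_digest[5:]] = _count


def range_lookup(prefix: str) -> dict[str, int]:
    """Server-side range query: every hash suffix sharing a 5-char prefix.

    The server only ever sees the prefix, which many unrelated hashes share,
    hence the k-anonymity property.
    """
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return dict(_CORPUS_BY_PREFIX.get(prefix.upper(), {}))


def breach_count(password: str) -> int:
    """Client side: how many times the password appears in the corpus (0 = not seen)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    # Only the prefix goes over the wire; suffix matching happens locally.
    return range_lookup(prefix).get(suffix, 0)


def evaluate_password(password: str) -> tuple[bool, str]:
    """Apply the post's policy: length floor plus breach check, no composition rules.

    Returns (accepted, reason). Length is counted in characters, so Unicode
    pass phrases are not penalised.
    """
    if len(password) < MIN_LENGTH:
        return False, f"too short: need at least {MIN_LENGTH} characters"
    seen = breach_count(password)
    if seen:
        return False, f"found in breach corpus ({seen} occurrences); choose another"
    return True, "accepted"


if __name__ == "__main__":
    for candidate in ["P@ssw0rd!", "correcthorsebatterystaple", "my cat eats tuna on Tuesdays"]:
        print(f"{candidate!r}: {evaluate_password(candidate)}")
```

Note that the "complex" candidate `P@ssw0rd!` fails only on length, while the long but widely reused XKCD phrase fails on the breach check: the two rules catch different failure modes, which is why SP 800-63B asks for both a length floor and a compromised-password check rather than character-class rules.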

Your users will recognize you as a modern company with an intelligent approach to account security, and will have a much better experience signing up and logging in with you.

Finally, your systems will be more secure because you’ll see fewer user account breaches.

While security is a never-ending journey, these changes and the US memo acknowledging them are very welcome steps in the right direction.


Glossary
  • 2FA: Two-Factor Authentication, requiring an additional factor such as biometrics or possession to log in to a system.
  • Zero Trust: Security stance and implementation wherein no device is granted additional privileges based on criteria such as its physical location (your corporate offices, for example).
  • Magic Links: A link sent to you by email, which allows you to log in to a system. Email is insecure, just don’t.
