Password security

The publication by NIST of an updated version of its digital identity guidelines marks a significant change in its approach to identity management. It highlights the importance of implementing digital identity in context, with three different elements replacing the previously monolithic Level of Assurance. These Levels are the Identity Assurance Level for identity proofing, the Authenticator Assurance Level for authentication and the Federation Assurance Level for use in a federated environment. Criteria for each Assurance type run from Level 1 to Level 3. This is intended to provide greater flexibility in implementation, for example combining pseudonymity with strong authentication for privacy purposes. Although optional, federation is positively encouraged for reasons of user experience, cost and privacy.

Risk management features prominently in the guidelines, with risk assessments used to determine appropriate identity choices according to system requirements. Although the requirements are technology agnostic, they are prescriptive regarding the assurance levels required for particular purposes. One area in which the guidelines are particularly refreshing is in their approach to passwords. Drawing on research into passwords exposed during data breaches, the use of unwieldy complexity rules is discouraged. Instead, it is suggested that users should be allowed to make passwords as long as they wish, encouraging the use of pass phrases and excluding very short passwords.

Faced with restrictive rules, many users will select predictable passwords which just meet the system requirements but are easily guessed. It is suggested that passwords should be checked against a blacklist of obvious choices and known compromised passwords, to filter these out. Randomly-generated secrets are therefore preferred to user-generated secrets.

The guidelines also highlight the importance of usability, supporting the use of password managers and only requiring passwords to be changed when there is evidence of compromise. There is some flexibility regarding displaying passwords on screen, depending on the context. In order to maintain an adequate level of security, a mechanism for limiting the number of possible failed authentication attempts is required.

This new, more person-centric approach from NIST follows on from UK government guidance published by GCHQ in 2016, advising ‘dramatic simplification’ of password management policies. This guidance also focused on achieving security by implementing processes which are easier for people to follow and therefore less susceptible to being undermined by users attempting to take short cuts through the system.

CHYP’s involvement in research has highlighted for us the difference between the way people say they behave and how they actually behave online. This kind of performativity may take the form of people describing how careful they are online (perhaps repeating recent official advice), while doing something conflicting on screen even as they are speaking. A similar effect can be seen when comparing figures produced from a user survey by the Gambling Commission, to usage statistics reported by gambling companies. The companies are able to draw statistics directly from their systems, while the survey figures are composed of gamblers’ reporting of their own behaviour. These discrepancies highlight the importance of observation when developing policies based on user behaviour.

It is encouraging to see a more effective approach to combination of privacy, security and usability in Identity Management being promoted at the highest levels. Even in local hospitals, it is now common to see screens showing simply ‘tap your pass or enter your passphrase’, where previously unpredictable processes were in place. Organisations such as FIDO have done a great deal to promote standardisation.

For a standalone organisation to adopt the new NIST rules would seem both positive and achieveable. They are in any case intended to be used within the US government. However, where organisations are already working in partnership and have existing legacy agreements regarding security requirements, it may be necessary to revisit these and agree a new set of password rules to replace existing, outdated approaches. Standardisation and education can go a long way towards supporting this process, although for larger organisations and those with multiple partners, it may take longer.

Publications such as ‘Why Johnny can’t encrypt’ and ‘Users are not the enemy’ have long been recognised for highlighting enduring issues with implementing security software. While education is important, attempts to fundamentally change people will inevitably fail, resulting in escalating support costs and unpredictable security risks. People are simply not equipped to adjust that quickly. In comparison, machines are generally designed by people and comparatively easily modified. Even with the advent of AI, machines are likely to remain reasonably malleable.

Where most user interaction involves people and machines, security tends also to involve mathematics. The NIST guidelines prescribe the use of appropriate cryptography at every stage. This is essential to securing the system but does not of itself guarantee that the system will remain secure. Appropriate system design and implementation are crucial to ensuring secure operations. This is exemplified by the recent flaw discovered in the WPA2 WiFi protocol. A mathematical proof is available for the security of the protocol but there is a vulnerability in the key management, which is not covered by the proof.

As in any system, a mathematical proof has to be ‘situated’ to be useful. Effective risk modelling will take into account the wider context of the system, focusing in on the most critical areas for greater attention. This process may have to be revisited over time, as the surrounding environment evolves. The increasing interconnectedness of the Internet of Things will require greater attention to disconnection technologies to preserve system integrity over time.