By Ryan Francis
May 10, 2017
He said this constant churn inevitably leads to users implementing common, predictable passwords, recording them in unsecured locations, reusing passwords on multiple online accounts, and using only slight variations of prior passwords. He agreed that 30/60/90 day password changes are counterproductive.
He would like to see a more “event driven” approach to when password resets are required, as opposed to a routine schedule. For example, if an organization is at all suspicious of a breach, then requiring password changes across the board would be appropriate. Other events warranting a password change would include a particular user logging in from an unrecognized device or an unexpected location. “Investment in the ability to detect these types of events more easily can build a stronger security posture,” he said.
Gill said it’s true that the attempt to require more algorithmic complexity most often has very predictable results, like the example that NIST uses in its guidelines of the password “password” morphing into “password1” and later “password1!”.
“While the last iteration may be technically more complex it is essentially just as weak as the original as it is both commonly used and computationally predictable. I would also like to see the term ‘password’ replaced with ‘passphrase’ as lengthy passphrases can be both easier to remember and more difficult to crack in a brute force attack,” he said.
He said using lists of both common passwords and compromised passwords can be quite simple to implement and can make a marked improvement. Organizations should also focus some efforts on monitoring web locations, where breached passwords are likely to appear, for lists containing any of their users/customers.
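The two points above (predictable mangling of a common base word, and screening against common and breached password lists) can be combined in a single registration-time check. The following is an added example, not code from the article or from NIST; the blocklist and breach entries are constructed samples, and the 8-character floor follows NIST SP 800-63B’s minimum for user-chosen secrets.

```python
import re
from typing import Optional

# Constructed sample data. A deployment would load a published
# common-password list and a breach corpus (millions of entries) instead.
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "letmein",
                    "welcome", "summer"}
BREACHED_PASSWORDS = {"Winter2016!!"}  # constructed breach-corpus entry

MIN_LENGTH = 8  # NIST SP 800-63B minimum for memorized secrets

# Undo the substitutions people use to satisfy "complexity" rules.
LEET_MAP = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i",
                          "3": "e", "4": "a", "5": "s", "7": "t"})


def normalize(candidate: str) -> str:
    """Reduce a password to the base word a guesser would start from.

    'Password1!' -> 'password', 'P@ssw0rd' -> 'password', 'Summer2017!' -> 'summer'.
    Case is folded, leading/trailing digit-and-symbol runs (the 'password1!'
    pattern) are dropped, then common leet substitutions are reversed.
    """
    base = candidate.lower()
    base = re.sub(r"[\W\d_]+$", "", base)   # trailing '1!', '2017!', ...
    base = re.sub(r"^[\W\d_]+", "", base)   # leading '!!', '123', ...
    return base.translate(LEET_MAP)


def check_password(candidate: str) -> Optional[str]:
    """Return a rejection reason, or None if the passphrase is acceptable.

    Order matters: a breach match is reported exactly as submitted, while the
    common-password check runs on both the lowercased input and its normalized
    base so that trivial variants of a blocked word are also rejected.
    """
    if len(candidate) < MIN_LENGTH:
        return "too short"
    if candidate in BREACHED_PASSWORDS:
        return "appears in a breach corpus"
    lowered = candidate.lower()
    base = normalize(candidate)
    if lowered in COMMON_PASSWORDS or base in COMMON_PASSWORDS:
        return f"predictable variant of common password '{base or lowered}'"
    return None


if __name__ == "__main__":
    for pw in ["password", "Password1!", "P@ssw0rd", "Winter2016!!",
               "Short1!", "correct horse battery staple"]:
        print(f"{pw!r}: {check_password(pw) or 'accepted'}")
```

A long, uncommon passphrase passes while every “complexity-compliant” mutation of a blocked word is rejected with the base word it was derived from.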
Eric Avigdor, director of product management at Gemalto, noted that passwords have always been a weak security tool, and conventional wisdom has been that consumers should create complex passwords that they update frequently.
“The reality is that passwords are weak no matter how often they are changed or how difficult they are, and people usually have only a variant of one or two passwords. Man-in-the-middle or man-in-the-browser hacks can take your password even if it is extremely lengthy and complicated – IT administrators can see your passwords, your bank can see your passwords,” he said.
He said the guidelines recognize that the way to solve the password problem is to accept that passwords are weak and add on other complementary factors of authentication, whether mobile or hardware OTP tokens, PKI-based USB tokens or smart cards.
Avigdor mentioned more reliance on the usage of PKI tokens with a smart card. This involves entering a PIN which is never revealed to anyone, except the owner of the smart card.