2016-08-05

Passwords as a means of protection - - - Not!

Out with the “old” – in with the “new”

In response to recent trends in password attacks, NIST is considering changing their standards on password management.



Essentially, NIST considers password AuthN (“Authentication”) to be a vulnerability (!). They have even registered a vulnerability in the NVD database!

It was pointed out that even a 12-16 character password with the recommended entropy will typically be cracked in 10-15 minutes.

Overall goals

The overall goals of the new standard are:

- To make passwords easier for users to use by dropping entropy and expiration requirements.
- To drive passwords to be used only for the following:
  - Protect low-risk (i.e. “worthless”) assets only
  - Provide a simple way for a user to regain access to something the user has already accessed
- Push all other AuthN to 2FA (“Two-factor AuthN”).

Summary of new password standard

The following summarizes the current draft version of the new password standard:

- If the password is chosen by the user:
  - 8-64 characters in length
  - The password should be compared with a blacklist of unacceptable passwords: passwords from previous breaches, dictionary words, context-specific words.
  - No complexity requirement (!)
  - ASCII or Unicode printable characters plus space (which may be removed before verification)
  - No truncation permitted
  - No “hints” given to unauthenticated users, e.g. “name of your 1st pet”
  - Passwords do not expire (unless there is evidence of a breach)
  - Option to display the password entered. Automatically hides the password after a timeout.
- If randomly chosen and given to the user:
  - 6 characters
  - Can be entirely numeric
- Passwords should be salted and stored with an approved hash function such as PBKDF2
  - Salts: at least 32 bits
  - At least 10K iterations of the hash algorithm
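As an added illustration (not code from the post or from NIST), here is how a verifier could apply the draft rules above: length measured in code points rather than bytes, a reject-don't-truncate upper bound, a blacklist check instead of complexity rules, and storage with salted PBKDF2 at the stated minimums. The blacklist contents and context words are constructed for the example.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional, Tuple

# Constructed blacklist standing in for breach dumps, dictionary and context-specific words.
BLACKLIST = {"password", "123456789", "qwertyuiop", "letmein1", "examplecorp", "admin2016"}
MIN_LEN, MAX_LEN = 8, 64
ITERATIONS = 10_000   # draft minimum; production deployments should go higher
SALT_BYTES = 16       # 128 bits, comfortably above the 32-bit minimum


def normalize(pw: str) -> str:
    # NFKC so the same visible Unicode string always hashes identically.
    return unicodedata.normalize("NFKC", pw)


def check_user_password(pw: str, context_words=()) -> Optional[str]:
    """Return None if the user-chosen password is acceptable, else the rejection reason."""
    pw = normalize(pw)
    n = len(pw)  # code points, so Unicode users are not penalized by byte length
    if n < MIN_LEN:
        return "too short"
    if n > MAX_LEN:
        return "too long"  # reject outright: silent truncation is not permitted
    if any(not c.isprintable() for c in pw):
        return "non-printable character"
    low = pw.lower()
    if low in BLACKLIST or any(w.lower() in low for w in context_words):
        return "blacklisted"
    return None  # no complexity rule: a spaced passphrase passes as-is


def hash_password(pw: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> Tuple[bytes, int, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, iterations, derived key) for storage."""
    salt = salt or os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", normalize(pw).encode("utf-8"), salt, iterations)
    return salt, iterations, dk


def verify_password(pw: str, salt: bytes, iterations: int, stored: bytes) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    _, _, dk = hash_password(pw, salt, iterations)
    return hmac.compare_digest(dk, stored)
```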

References

This section gives some relevant links.

Currently the 4 draft NIST standards are on GitHub for public comment:


Some articles discussing the change:

http://nstic.blogs.govdelivery.com/2016/04/01/a-previously-unknown-vulnerability/

2 comments:

Linda said...

This is good that the standards have been set for password protection. These improvements in password protection have been necessary because there have been password breaches.

Ali said...
This comment has been removed by the author.