2016-08-05

Passwords as a means of protection - - - Not!

Out with the “old” – in with the “new”In response to recent trends in password attacks, NIST is considering changing their standards on password management.



Essentially NIST considers password AuthN (“Authentication”) to be a vulnerability (!). They have even registered a vulnerability in the NVD data base!

It was pointed out that even a 12-16 character pwd with recommended entropy will typically be cracked in 10-15 min.

Overall goals

The overall goals of the new standard are:


·         To make passwords easier for users to use by dropping entropy and expiration req’ts.
·         To drive passwords to be used only for the following:
o   Protect low risk (ie “worthless”) assets only
o   Provide a simple way for a user to regain access to something the user has already accessed

·         Push all other AuthN  to 2FA (“Two-factor AuthN”).

Summary of new password standard

The following summarizes the current draft version new password standard:

·       ·         If pwd is chosen by user:
o   8-64 characters in length
o   Pwd should be compared with a blacklist of unacceptable pwds: pwds from prev breaches, dictionary words, context-specific words.
o   No complexity req’t (!)
o   ASCII or Unicode printable characters plus space (which may be removed before verification)
o   No truncation permitted
o   No “hints” given to unauthenticated users eg “name of your 1st pet”
o   Passwords do not expire (unless there is evidence of a breach)
o   Option to display the password entered. Automatically hides the pwd after timeout.
·         If randomly chosen and given to user:
o   6 character
o   Can be entirely numeric
·         Pwds should be salted and stored with approved hash fn such as PBKDF2
o   Salts: at least 32 bits

o   At least 10K iterations of the hash algorithm

References

This section gives some relevant links.

Currently the 4 draft NIST standards are on GitHub for public comment:


Some articles discussing the change:

http://nstic.blogs.govdelivery.com/2016/04/01/a-previously-unknown-vulnerability/

No comments: