We have a problem with passwords. Though it’s hardly a news flash, it’s a reality that security professionals continue to struggle with, and for good reason, according to two sessions offered in the Identity and Access Management track at (ISC)2 Security Congress.
This morning’s talk, Those Old Rules for Passwords—Gone!, presented by Hoyt L. Kesterson II, Senior Security Architect, and Ralph Spencer Poore, Director, Emerging Standards, looked at the more traditional methods of authentication. The talk began with Kesterson, who argued against the whole idea that passwords need to be changed every 90 days. “Where did that come from? There’s no analysis, so I started thinking there must have been a Harvard MBA who decided once a quarter was a good time to change a password,” Kesterson joked.
Referencing his many talks at RSA Conference, Kesterson gloated that two of his talks claiming that everything we are doing with passwords is wrong were actually published on YouTube. Then Kesterson invoked the most updated version of the NIST Digital Identity Guidelines that supports his position.
“The appendix describes considerations for when a password should be changed. The new standard says only when compromised. An unprompted change should only happen because you suspect the password has been compromised or you decide you want a stronger password,” Kesterson said.
In addition, these new standards eliminate the old composition rule and instead recommend that organizations check password blacklists. How do you check blacklists? Comparing hashes, not real passwords. “When you implement, you don’t do it when a person is entering a new password. You do it on weekends in the background, when your system is bored,” Kesterson said, adding that even comparing hashes isn’t foolproof.
“Hashes aren’t broken, but we have a problem. The entropy is too low,” he said.
Unfortunately, said co-presenter Ralph Poore, “Passwords are an inexpensive control that have a history of failure for all kinds of reasons.” To enhance security in authenticating users, Poore added, “Thou shalt not live by memorized secrets alone. Thou shalt embrace multi-factor authentication.”
Multi-factor addresses the risks inherent in passwords by authenticating who the user is, which greatly improve the security of the user. But multi-factor is not without its challenges. First, many organizations have implemented SMS as a second authentication, despite the fact that there is a lot of experimental material out there that those text messages can be intercepted, according to Poore.
“Password implementations don’t require any special hardware. Text messages are essentially a free control, and organizations went with the low-cost provider. The challenge there is that free is often very expensive. Using two free controls that are both relatively easy to compromise leaves you with a pretty big security hole. So, we would recommend not using SMS as a second factor,” Poore said.
Similarly, Dr. Sarbari Gupta, President and CEO of Electrosoft Services, Inc., looked at the evolution of identity authentication, though she offered a novelty concept that could make authentication on smart mobile devices more seamless in her talk, Me and My Mobile Device—a New Approach for Strong Multidimensional Authentication!
Dr. Gupta first reviewed the Digital Identity Model, walking the audience through the stages from the enrollment and identity proofing process all the way through to digital authentication. Smart mobile devices, though, have more capabilities for authentication from biometric sensors, cameras, fingerprint scanners and voice to multiple connectivity mechanisms, including cellular, Wi-Fi, Bluetooth or near field communications (NFC).
“All of this can be utilized to strengthen authentication for the individual using the device in a hyper authentication model that leverages biometrics and contextual sensors that are already available and uses cryptographic capabilities and the secure storage on the device,” Dr. Gupta said. Still, the idea has not been implemented. “There is a lot of work here. There are a lot of gaps, but there is a lot of hope.”