The National Institute of Standards and Technology might change a key portion of a reference guide related to electronic authentication due to passwords becoming more and more vulnerable to attacks, an agency official said Thursday.
Paul Grassi, the senior standards and technology advisor for NIST’s National Strategy for Trusted Identities in Cyberspace (NSTIC) program, said the agency is debating doing away with the password entropy requirements set forth in NIST Special Publication 800-63 as part of a push to move past usernames and passwords in both government and private enterprises.
He gave two reasons the change may happen: the agency is trying to confine password use to assets that are very low risk, and even a 12-to-16 character password following the recommended level of entropy only holds up “for about 10 minutes” against brute-force attacks.
“I actually consider the password a vulnerability,” Grassi said during a Chertoff Group cybersecurity event. “You want to make recommendations that actually eradicate passwords as much as possible and get it to where it belongs: to protect worthless data and as a simple way to gain access to something you’ve been to before, then push the rest of services to two-factor [authentication].”
Brett McDowell, the executive director of the nonprofit FIDO Alliance, agreed that passwords are a security threat because of the attacks focused on their retrieval, from social engineering and man-in-the-middle attacks to spear phishing.
“I don’t think we want to invest a lot of time polishing the turd that is passwords,” McDowell said. “I think we need to evolve to an entirely different form of authentication.”
The FIDO Alliance is working to move away from the password by creating new standards and protocols, its Universal Authentication Framework (UAF) and Universal 2nd Factor (U2F) specifications, that let a user authenticate with biometrics via something like a fingerprint or iris scanner rather than a typed secret. McDowell said these standards have been integrated into Samsung phones and adopted by PayPal and Google.
“It’s a totally new approach to authentication that ends up being easier to use, because you just touch something or look at something to authenticate,” McDowell said. “You don’t type anything in and it’s much more secure because it doesn’t have the vulnerabilities associated with phishing or the execution environment with malware.”
Grassi said there has been movement in the federal government to adopt these standards, tying them to personal identity verification credentials.
“There is a significant population of federal employees that aren’t getting PIVs for good reasons and some not-so-good reasons,” Grassi said. “What are we giving them instead? We are giving them usernames and passwords. Why not give them easy-to-use, interoperable things?”
Darran Rolls, chief technology officer of Texas-based identity and access management software company SailPoint, did not agree that passwords are useless. He said that instead of devoting so much time to creating new standards, IT practitioners should devote resources to “appropriate management capabilities.”
“We look at authentication as the ‘silver bullet’ that is going to fix all of our problems, just like guarding the perimeter was going to save us from the bad guys,” Rolls said. “Passwords aren’t evil, but they can be used for it.”
Part of that management, Rolls said, is making sure everyone understands what entropy means when it comes to crafting a password.
“Everyone should understand it. My mother understands it; I’ve taught her what it means,” he said. “A 12-character high entropy password stored with Scrypt — nobody can decrypt that.”
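The arithmetic behind Grassi’s “about 10 minutes” and Rolls’ “12-character high entropy password stored with scrypt”, as an added example that is not part of the original article and not code from NIST, SailPoint or the speakers. The guess rates are rough assumptions of this example (a GPU rig against a fast unsalted hash, and the same hardware against scrypt at the parameters shown), as is the “word + two digits + one symbol” pattern used to model a human-chosen password; the scrypt calls use Python’s standard library.

```python
from __future__ import annotations

import hashlib
import hmac
import math
import os

# Rough, assumed guess rates (not figures from the article):
#   a GPU rig against a fast, unsalted hash such as MD5 or NTLM, and
#   the same hardware against scrypt at the parameters used below.
FAST_HASH_GUESSES_PER_SEC = 1e10
SCRYPT_GUESSES_PER_SEC = 1e4

# scrypt work parameters (N = CPU/memory cost, r = block size, p = parallelism);
# 128 * r * N bytes = 16 MiB of RAM per guess at N=2**14, r=8.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


def entropy_bits(length: int, charset_size: int) -> float:
    """Entropy of a password of `length` symbols chosen uniformly at random
    from an alphabet of `charset_size` symbols (the textbook figure)."""
    return length * math.log2(charset_size)


def pattern_entropy_bits(*choice_counts: int) -> float:
    """Entropy of a password built from independent choices, e.g. a word
    from a 100,000-entry list, two digits and one symbol. This is the
    figure that matters for human-chosen passwords: the attacker enumerates
    the pattern, not the full character space."""
    return sum(math.log2(n) for n in choice_counts)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate of a `bits`-bit keyspace."""
    return 2.0 ** bits / guesses_per_second


def scrypt_hash(password: str, salt: bytes) -> bytes:
    """Memory-hard password hash; the per-user salt defeats precomputed
    tables and the N/r/p cost is what drops an attacker's guess rate."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def make_record(password: str) -> tuple[bytes, bytes]:
    """Return (salt, hash) as it would be stored for a new user."""
    salt = os.urandom(16)
    return salt, scrypt_hash(password, salt)


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison so timing does not leak the stored hash."""
    return hmac.compare_digest(scrypt_hash(password, salt), stored)


def crack_time_table() -> dict[str, dict[str, float]]:
    """Worst-case exhaustion times (seconds) for three constructed password
    models against a fast hash and against scrypt."""
    models = {
        # 12 or 16 printable-ASCII chars (95 symbols), truly random: what
        # "12-character high entropy" means when a generator picked it.
        "random_12_ascii": entropy_bits(12, 95),
        "random_16_ascii": entropy_bits(16, 95),
        # Word + 2 digits + 1 symbol, what people actually type: a
        # 100,000-word list, 100 two-digit suffixes, 32 symbols (assumed).
        "word_2digits_symbol": pattern_entropy_bits(100_000, 100, 32),
    }
    return {
        name: {
            "bits": bits,
            "fast_hash_seconds": seconds_to_exhaust(bits, FAST_HASH_GUESSES_PER_SEC),
            "scrypt_seconds": seconds_to_exhaust(bits, SCRYPT_GUESSES_PER_SEC),
        }
        for name, bits in models.items()
    }


if __name__ == "__main__":
    for name, row in crack_time_table().items():
        print(f"{name:22s} {row['bits']:6.1f} bits  "
              f"fast hash: {row['fast_hash_seconds']:.3g} s  "
              f"scrypt: {row['scrypt_seconds']:.3g} s")
    salt, stored = make_record("correct horse battery staple")
    print("verify ok:", verify("correct horse battery staple", salt, stored),
          "wrong pw:", verify("Password1!", salt, stored))
```

Run as a script it prints the table and a verify round-trip. The point it makes is why both speakers can be right: a genuinely random 12-character password is around 79 bits and out of brute-force reach at either guess rate, while the human-chosen pattern is around 28 bits and falls to a fast hash in a fraction of a second; storing that same weak password with scrypt at these parameters stretches the attack to hours, which is the only thing on the server side that buys time back.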
Furthermore, Rolls said more emphasis needs to be put on monitoring how users behave once they log in to systems, so that bad behavior can be recognized while it is occurring.
“We have to know who has access to a particular entitlement, what it means to have that entitlement, and when and how it should be appropriately used,” he said. “That means a lot more cataloging, a lot more inventory.”
Grassi conceded that the federal government was a step behind on that kind of behavioral authentication — as revealed by the hacks earlier this year at the Internal Revenue Service and Office of Personnel Management.
“There is some blocking and tackling we need to do better on,” he said. “If anybody did a scan of their user base, they would find excessive entitlements, someone who has been with an agency for 30 years who has the same access they had 30 years ago, whether they need it or not.”