Get ready to be bombarded with “May the Fourth be with you” puns regarding your passwords and identity, as this year May 4 is not only Star Wars Day but also World Password Day.
Leading up to World Password Day, I received dozens of emails about how bad our password hygiene still is, studies about poor password management, reminders to change passwords, pitches about password managers and biometric options to replace passwords, reminders to use multi-factor authentication (MFA) as well as the standard advice for choosing a stronger password. Some of that advice contradicts NIST-proposed changes for password management.
Although NIST closed comments on its Digital Identity Guidelines draft on May 1, VentureBeat highlighted three big changes. Since this is NIST, and changes to password management rules will eventually affect even nongovernment organizations and trickle down to affect pretty much everyone online, it’s important to look at them. Those changes, according to VentureBeat, boil down to:
1. No more periodic password changes.
2. No more imposed password complexity.
3. Mandatory validation of newly created passwords against a list of commonly-used, expected, or compromised passwords.
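To make those three changes concrete, here is an added Python example (not code from the article, VentureBeat or NIST) of what a password-setting check looks like once they are applied: no character-class rules, no expiry, but a mandatory lookup of the new password against a blocklist of common or breached passwords and a check for "expected" words such as the username or the service name. The minimum and maximum lengths, the tiny blocklist and the `validate_password` helper names are assumptions made for the example; a real deployment would load a large breach corpus or query a breach-lookup service instead of the five hashes constructed here.

```python
import hashlib
import unicodedata

# Constructed sample blocklist: SHA-1 digests of a few passwords that are
# commonly used or have shown up in public breach dumps. Only the digests are
# kept at runtime so the plaintext list never has to sit in memory in production.
_BLOCKLIST_PLAINTEXT = ["password", "123456", "qwerty", "letmein", "welcome1"]
COMPROMISED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest() for p in _BLOCKLIST_PLAINTEXT
}

# Assumed policy values (not stated in the article): a minimum length is the
# only size rule kept; there are no uppercase/digit/symbol requirements.
MIN_LENGTH = 8
MAX_LENGTH = 64


def normalize(password: str) -> str:
    """Apply Unicode NFKC normalization so visually identical inputs hash identically."""
    return unicodedata.normalize("NFKC", password)


def is_compromised(password: str) -> bool:
    """True if the password's SHA-1 digest is in the compromised/common password set."""
    digest = hashlib.sha1(normalize(password).encode("utf-8")).hexdigest()
    return digest in COMPROMISED_SHA1


def contains_expected_word(password: str, context_words) -> bool:
    """True if the password contains an 'expected' word such as the username or service name."""
    lowered = normalize(password).lower()
    return any(w.lower() in lowered for w in context_words if len(w) >= 3)


def validate_password(password: str, username: str, service_name: str) -> list:
    """Return the reasons a new password is rejected; an empty list means it is accepted."""
    reasons = []
    pw = normalize(password)
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if is_compromised(pw):
        reasons.append("appears in the compromised/common password list")
    if contains_expected_word(pw, [username, service_name]):
        reasons.append("contains the username or service name")
    # Deliberately absent, per the draft's direction: no composition rules,
    # and no expiry date is attached to the accepted password.
    return reasons


if __name__ == "__main__":
    for candidate in ["password", "alice2017!", "correct horse battery staple"]:
        result = validate_password(candidate, "alice", "ExampleShop")
        print(f"{candidate!r} -> {result or 'accepted'}")
```

Note that a long passphrase with spaces passes while a short, "complex-looking" password built around the username does not, which is the point of the draft's shift from composition rules to blocklist and context checks.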
Right now, NIST is working on developing the SOFA-B framework; that is short for the project’s full mouthful of a name, Strength of Function for Authenticators – Biometrics. It will establish a standardized method for comparing and combining authentication mechanisms and “focuses on three core concepts: False Match Rate, Presentation Attack Detection Error Rate, and Effort.” By creating SOFA-B, NIST hopes to “achieve a level of measurability similar to that of entropy for passwords.”
Working with the biometrics community, NIST has a five-step approach to creating the SOFA-B framework:
1. Analyzing the attack points of a biometric system
2. Requiring baseline security to mitigate common attacks
3. Quantifying factors specific to biometric systems
4. Differentiating attack types as random attacks or targeted attacks on a known user
5. Measuring strength of function for biometric authenticators
Why should you care? Because the basis for biometric updates in SOFA-B has worked its way into NIST SP 800-63-3, aka NIST’s Digital Identity Guidelines draft. When it’s done, you might be able to compare the biometric security in one device, say a smartphone, to another.
We’ve been hearing that passwords are dead for years, yet for most people logging in to most places online, it’s still a username and password—or a sign-in via another site such as Facebook or Google, where you were authenticated via username, password and hopefully 2FA.
Most everyone knows that, as a whole, people suck at setting up strong passwords and changing default passwords. In fact, according to the latest Verizon Data Breach Investigation Report, “80 percent of hacking-related breaches leveraged either stolen passwords and/or weak or guessable passwords.” Furthermore, the report states, “If a username and password is the only barrier to escalating privilege or compromising the next device, you have not done enough to stop these actors.”
Under the discussion of breach trends in Verizon’s DBIR, it states:
Even if you are not breached, there are armies of botnets with millions (or billions) of credentials attempting to reuse them against other sites. In other words, even though components of authentication weren’t compromised from you, it doesn’t mean they were not compromised. Again, if you are relying on username/email address and password, you are rolling the dice as far as password re-usage from other breaches or malware on your customers’ devices are concerned. Those are two things you shouldn’t have to worry about.
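The credential-reuse campaigns the DBIR describes leave a recognizable trace in a site's own authentication logs: one source trying many different accounts in a short burst, with mostly failures and the occasional success where a reused password happened to match. The following Python detector is an added example, not part of the article or of Verizon's report; the log format, the thresholds and the log lines themselves are constructed for the example, and a real deployment would read from the site's actual auth logs and tune the window and account counts to its traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data). Fields are
# timestamp, source IP, username, outcome. The first IP sprays one attempt
# each at many accounts (credential stuffing); the second is one user
# retrying their own account, which should not be flagged.
SAMPLE_LOG = """\
2017-05-03T10:00:01Z 203.0.113.7 alice FAIL
2017-05-03T10:00:02Z 203.0.113.7 bob FAIL
2017-05-03T10:00:02Z 203.0.113.7 carol FAIL
2017-05-03T10:00:03Z 203.0.113.7 dave FAIL
2017-05-03T10:00:03Z 203.0.113.7 erin SUCCESS
2017-05-03T10:00:04Z 203.0.113.7 frank FAIL
2017-05-03T10:00:05Z 198.51.100.20 alice FAIL
2017-05-03T10:00:09Z 198.51.100.20 alice FAIL
2017-05-03T10:00:15Z 198.51.100.20 alice SUCCESS
"""


def parse_log(text: str) -> list:
    """Parse the assumed log format into (timestamp, ip, username, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome == "SUCCESS"))
    return events


def find_credential_stuffing(events, window=timedelta(minutes=5),
                             min_accounts=5, max_success_ratio=0.5) -> dict:
    """Return {ip: summary} for sources that hit many distinct accounts within one
    time window with a low success ratio. Thresholds are assumed example values."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    suspects = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        best = None
        # Sliding window over this IP's attempts, ordered by time.
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            in_window = attempts[start:end + 1]
            users = {u for _, u, _ in in_window}
            successes = [u for _, u, ok in in_window if ok]
            ratio = len(successes) / len(in_window)
            if len(users) >= min_accounts and ratio <= max_success_ratio:
                summary = {
                    "distinct_accounts": len(users),
                    "attempts": len(in_window),
                    "successes": len(successes),
                    # Accounts that authenticated during the burst: candidates
                    # for a forced reset and an MFA step-up, not proof of breach.
                    "compromised_accounts": sorted(set(successes)),
                }
                if best is None or summary["distinct_accounts"] > best["distinct_accounts"]:
                    best = summary
        if best is not None:
            suspects[ip] = best
    return suspects


if __name__ == "__main__":
    for ip, summary in find_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

The distinguishing signal is account breadth rather than failure count alone: a single user mistyping their password a few times fails repeatedly against one account and is not flagged, while a stuffing bot fails across many accounts and is. The accounts that did succeed inside a flagged burst are exactly the ones where a password reused from another breach matched, which is where a forced reset and 2FA enrollment pay off.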
Although a basic username/password login is not enough, despite what some of the pitches claim, I can’t imagine this will be the last World Password Day. So, have a care about your passwords as they are the key to open the door to your online life, business secrets or even networks. I encourage you to use a password manager and to set up 2FA on every site that offers it. Don’t forget to change those shared passwords for online streaming sites either!
Happy Star Wars Day, as well as World Password Day!