Passwords are an essential cybersecurity tool. Unfortunately, some long-standing password practices recommended by regulators and standards organizations may encourage risky behaviour. Those same bodies have recently issued updated guidance recommending simplified password practices (e.g. no mandatory regular password changes) to increase password security. Canadian organizations should assess and improve their password practices in light of this updated guidance.
The Problem – Risky Behaviour
The proliferation of password use and complex password requirements can inadvertently encourage password practices (e.g. using passwords that are easy to guess, using simple and predictable password creation strategies, re-using the same password for multiple business and personal accounts and keeping insecure records of passwords) that present significant cybersecurity risks.
Password reuse can be a particularly significant problem. For example, an employee’s use of the same or similar passwords for both business and personal accounts can allow a cybercriminal to use a compromised personal account password to gain access to the employee’s business network account and possibly the entire network. Similarly, a customer’s use of the same or similar passwords for multiple online accounts can allow a cybercriminal to use a compromised password for an online account to gain access to the customer’s other online accounts. A July 2017 survey found that 81 percent of Americans (and 92 percent of millennials) surveyed use the same password for multiple online accounts, and more than a third (36 percent) use the same password for 25 percent or more of their online accounts.
Guidance – Password Best Practices
Regulators and standards organizations in various jurisdictions have issued helpful guidance regarding password practices to improve security and protect privacy. Many of the recommendations are based on recent research and lessons learned from cyber incidents. Following is a summary of some of the guidance.
1. Password Composition Rules
The practice of requiring passwords that are made up of obscure characters, capital letters and numbers, and that are changed regularly, has been attributed to the U.S. National Institute of Standards and Technology (NIST) Special Publication 800-63 Electronic Authentication Guideline (2004). According to a recent Wall Street Journal article titled The Man Who Wrote Those Password Rules Has a New Tip: N3v$r M1^d!, one of the authors of the Authentication Guideline has acknowledged that the password guidance has since been shown to be “largely incorrect”.
In June 2017, NIST issued new guidance for authentication processes in Special Publication 800-63 Digital Identity Guidelines; the password (“memorized secret”) requirements are in the companion volume SP 800-63B. The Guidelines recommend requiring a minimum length of only eight characters, permitting long passwords (at least 64 characters) made up of any printable characters (including spaces), and imposing no other composition rules (e.g. mandatory combinations of different character types), so that individuals can use hard-to-guess passphrases. The Guidelines also recommend that authentication processes be designed to reject proposed passwords that are commonly used, expected or compromised, for example values found in previous breach corpora, dictionary words, repetitive or sequential characters, and context-specific words such as the user’s name or the name of the service.
Guidance issued by the U.K. National Cyber Security Centre (NCSC) (e.g. Password Guidance: Simplifying Your Approach, Helping end users to manage their passwords and Password guidance summary: how to protect against password-guessing attacks) recommends a dramatic simplification of password practices at a system level.
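The contrast between the 2004-era composition rules and the SP 800-63B approach is easiest to see side by side. The following is an added example written for this page, not code from NIST, NCSC or any product: a legacy "three character classes" rule next to an 800-63B-style acceptance check (length bounds, any printable character including spaces, NFKC normalization, a compromised-password lookup and a context-word check). The compromised-password corpus is a constructed four-entry sample indexed by SHA-1 prefix to mimic the range-query style of breach-lookup services; a real deployment would use a large breach list or an external service, and SHA-1 is used here only for the lookup, never for storing the secret.

```python
"""NIST SP 800-63B-style memorized-secret acceptance check (added example)."""
import hashlib
import unicodedata

# Constructed sample standing in for a breach / common-password corpus.
# Note that the first entry satisfies every classic composition rule.
COMPROMISED_SAMPLES = [
    "P@ssw0rd1!",
    "Summer2017!",
    "password",
    "correct horse battery staple",
]

MIN_LEN = 8    # SP 800-63B: at least 8 characters
MAX_LEN = 64   # SP 800-63B: verifiers SHOULD permit at least 64 characters


def build_range_index(passwords):
    """Index the corpus by the first 5 hex digits of each SHA-1 so a candidate
    can be checked by revealing only that prefix (k-anonymity range query).
    SHA-1 is for lookup only; stored secrets need a salted, memory-hard hash."""
    index = {}
    for pw in passwords:
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


RANGE_INDEX = build_range_index(COMPROMISED_SAMPLES)


def is_compromised(password, index=RANGE_INDEX):
    """True if the password's SHA-1 suffix appears under its 5-digit prefix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[5:] in index.get(digest[:5], set())


def legacy_policy(password):
    """The 2004-era rule set: at least 8 characters drawn from at least three
    of four character classes. Returns (accepted, reason)."""
    if len(password) < MIN_LEN:
        return False, "too short"
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    if sum(classes) < 3:
        return False, "needs three of: lower, upper, digit, symbol"
    return True, "ok"


def nist_policy(password, context_words=(), index=RANGE_INDEX):
    """SP 800-63B-style check: length bounds, any printable character including
    spaces, no composition rules, reject blocklisted and context-specific values.
    Returns (accepted, reason)."""
    # Normalize so visually identical Unicode input always hashes the same way
    # (800-63B section 5.1.1.2 calls for NFKC or NFKD before hashing).
    pw = unicodedata.normalize("NFKC", password)
    if len(pw) < MIN_LEN:
        return False, "too short"
    if len(pw) > MAX_LEN:
        return False, "too long"
    # Unicode general category "C*" covers control and format characters;
    # spaces (Zs) and all printable characters are allowed.
    if any(unicodedata.category(c).startswith("C") for c in pw):
        return False, "control characters not allowed"
    if is_compromised(pw, index):
        return False, "found in compromised-password corpus"
    lowered = pw.lower()
    if any(w.lower() in lowered for w in context_words if w):
        return False, "contains user name, service name or similar context"
    # Catch "aaaaaaaa"-style values that are not on the list but carry no entropy.
    if len(set(lowered)) < 4:
        return False, "too repetitive"
    return True, "ok"


if __name__ == "__main__":
    # Constructed candidates: a rule-satisfying but breached password and an
    # unlisted passphrase that the legacy rules would reject.
    for candidate in ("P@ssw0rd1!", "blue kettle hums at dawn"):
        print(repr(candidate), "legacy:", legacy_policy(candidate),
              "nist:", nist_policy(candidate, context_words=("alice",)))
```

Run directly, the script shows the two policies disagreeing in both directions: the breached "P@ssw0rd1!" passes the legacy rule and fails the 800-63B check, while the spaced passphrase fails the legacy rule and passes the 800-63B check. The context-word argument is where a verifier would pass the account name, e-mail local part and service name.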
2. Mandatory Password Changes
Mandatory, regular password changes are a common practice that was recommended in the original NIST Electronic Authentication Guideline. However, recent guidance recommends against mandatory, regular password changes.
Since at least 2016, NCSC has recommended against mandatory, regular password changes. Various guidance documents (e.g. Password guidance summary: how to protect against password-guessing attacks and The problems with forcing regular password expiry) and blog posts (e.g. Your password expiry policy may have reached its expiry date) explain that mandatory, regular password changes may harm rather than improve security, because individuals who are required to regularly change passwords often choose passwords that are weak or used elsewhere.
Similar views were expressed by the U.S. Federal Trade Commission’s Chief Technologist in the 2016 article Time to rethink mandatory password changes. The recently issued NIST Special Publication 800-63B Digital Identity Guidelines (2017) also recommend against mandatory, regular password changes.
3. Privacy Considerations
The Privacy Commissioner of Canada has issued Guidelines for Identification and Authentication, which describe identification and authentication practices that comply with Canadian personal information protection laws; a July 2017 News Release that provides guidance on password practices; and a Self-Assessment Tool that sets out helpful questions an organization may use to assess its password and authentication practices.
4. Password Reuse
The Privacy Commissioner of Canada’s July 2017 News Release explained that it had received several reports of data breaches resulting from the use of valid customer or employee passwords obtained from previous, unrelated breaches. The Privacy Commissioner warned: “There’s a simple way for individuals to prevent these types of password reuse breaches: Don’t reuse passwords”. The Privacy Commissioner of Canada’s Tips for mitigating password reuse risk provides guidance to help reduce password reuse by employees and customers.
5. Increased Risk Scenarios
Best practices guidance (e.g. NCSC’s Password Guidance: Simplifying Your Approach) emphasizes that enhanced-security password practices (e.g. technological measures such as multifactor authentication) should be used for high value or high-risk users (e.g. senior executives or individuals with administrator privileges) or in high-risk situations (e.g. remote access to networks).
Summary
Canadian organizations should assess and improve their password practices in light of current best practices guidance issued by regulators and standards organizations. In particular, organizations should: (1) consider simplifying their password practices (including no longer imposing password composition rules or requiring mandatory password changes) and using technology and user education to discourage or prevent risky behaviour (e.g. password reuse) and increase password security; (2) use enhanced-security password practices (including multifactor authentication) in high-risk scenarios; and (3) ensure that their password practices comply with personal information protection and privacy laws.