The password paradox states that simple passwords are simple to remember but easy to break, but complex passwords that are difficult to hack are also difficult to remember. Is there a better way?
You know the situation. You go on holiday, have a great time, and the first day back in the laboratory you tell everyone about it, and then reality dawns. You must do some analysis. You go to your spectrometer system or the LIMS, try to log on and your mind goes blank..... What's my password? You have forgotten it! At this point it depends if your system is networked or not, but you either have to contact the IT help desk or an administrator, get your grovel pads out and beg for a password reset.
What will happen now is that you will get a one-time default password, that when you log on to the system, you will be forced to change it. Now comes your big test: navigating the minefield that is your organization's rules for password complexity. Your super holiday memories are now receding into the mists of time at warp factor nine.
Now we come face to face with the password paradox: easy to remember but easy to hack, and so on. To meet the rules, your new password must:
• be at least 8 characters long
• have at least three or all of the following:
- one upper case character
- one lower case character
- one number character
- one special character.
And you have to remember it!
Here goes: take the word "consultant" and convert it to meet your password rules into c0n5Ultan! There you go; it just rolls off your fingers as you type on the keyboard. The problem is remembering it. Here is where your pen hovers over an easily available piece of paper, ready to write it down and break at least three of your organization's additional rules on passwords.
Then, just to make your descent into password purgatory even more interesting, every 30, 60, or 90 days you must replace it, and you can't reuse an old one.
Passwords are a fact of life. Dumb and stupid passwords are also a fact of life. I was going to show you the most popular passwords from the hacked Ashely Madison web site as an example of poor password selection. However, this is a scientific magazine, and, as the editors would have redacted most of them, a more boring section of the top 20 stupid passwords of 2017 is displayed in Table I. You can imagine the cerebral effort that the owners of these passwords used in devising them.
The biggest issue with complex passwords is remembering them, so this is why they are written down by some users. As an auditor, I take great delight in turning over keyboards in the laboratory to see if there are any notes underneath with passwords written on them. Although, in some laboratories, my job is made immeasurably easier, as shown in Figure 1. Even better was a typed note on the keyboard of one instrument: Operator Password = 1111. The philosophical question that arises is, What idiots are employed here that need a written reminder for such a password?
Figure 1: How not to set up user accounts (2) (published with permission from the RSC).
Let us question the need for complex passwords and changing them regularly. Are both requirements absolutely essential? It appears that there is a whole IT security industry built on the premise that we need strong passwords that are changed at regular intervals. Operating systems, and many general as well as laboratory applications, have functions to ensure that these requirements are enforced rigorously.
We have password complexity rules, which are a pain to comply with. However, intrepid users have simple ways of meeting the password policies. We'll take an example from Table I: password.
Simple compliance, but easily broken. Hence the need for a directory of unacceptable passwords.
Consider the problem with passwords from an analyst's perspective. You want to do some spectroscopy, and you must log on to an instrument to do this, but verifying who you are is an activity that stands between you and the spectrometer. Logging on is a pain with complex passwords; essential for ensuring data integrity and data security, but still a pain. Implementation of a policy for complex passwords may lead to compromised security, as users are more likely to write down their complex passwords, or there is an increased number of calls to the IT Help Desk to reset locked accounts. The issue is compounded if a user needs to access multiple systems each with a different password; oh, joy. Hence the rise for networked applications of single sign-on, and only a single password to remember. Unfortunately, even with a single complex password, it is not easy to remember, and hence the unofficial workaround of writing it down.
However, approaches to passwords and their construction have changed. Enter stage left the NIST Information Technology Laboratory.
NIST is the National Institute of Standards and Technology, a U.S. government science facility that produces standards, reference materials and lots more besides (see www.nist.gov for more details). One of the divisions of NIST is the Information Technology Laboratory that is responsible for developing IT and cybersecurity standards for the U.S. government and its agencies. One of their outputs is via a series of NIST special publications 800 series (https://csrc.nist.gov/publications/sp).
In this column, I want to focus on a suite of standards under the esoteric title of n SP-800 63 Digital Identity Guidelines. This consists of the following documents:
You may be wondering what all this has to do with passwords. As you delve into the detail, you find some gems that help the password debate are contained in SP 800-63B (5).
SP 800-63B (5) presents three levels of Authenticator Assurance Level (AAL 1, 2 or 3). The higher the AAL, the better the capabilities and the greater the resources required to hack a computer. Therefore, risk of unauthorized access is reduced compared with a lower AAL or lesser effective protection.
As you can see, with passwords alone, we are down with the bottom feeders on AAL1. Don't despair, there are other factors to consider, such as physical security of your buildings and laboratories to mitigate the data security risk but not data integrity.
What does this NIST publication call a password? A memorized secret authenticator(MSA). Why make something simple, when you can make it complex? Don't worry, I'll refer to MSAs as passwords from now on.
A password is something that is known only to you, and is impractical for a colleague or hacker to guess (with the exceptions presented in Table I). Although the NIST SP 800-63B mentions that service providers can allocate you a secret password, I will only consider passwords that you can make up yourself.
This NIST Guide notes that:
Whoa! What happened to the complexity criteria that we listed earlier?
In Section 10.2.1, there are some usability criteria for passwords that are summarized in Table II. Some of these comments will cause apoplexy in many IT/IS departments, due to their being no complexity and no enforced password aging. You can almost hear the sacrifice of sacred cows in the background.
Appendix A of NIST SP 800-63B (5) is devoted to a discourse on passwords, and it notes that users are frustrated with having to remember complex passwords; this is compounded by our brain's limited ability to remember them. Hence the selection of simple, easy-to-guess passwords as shown in Table I. Of note, there are the following sentences:
The old criterion that password complexity is essential for computer security is not proven, and the sole requirement for computer security is password length so that passwords can be easily memorized. Allied to this is the need to avoid the use of commonly used passwords. As NIST SP800-63B notes apart from length "no additional complexity requirements are imposed" (5).
Each time a character is added to a password, the difficulty to crack it increases exponentially. For example, an 8-character password has 958 combinations (95 being the number of keys) and a 10-character password has 9510 combinations. However, this only applies on brute force attacks. Most of our laboratory systems in the laboratory should have a limit on the number of attempts before an account is locked.
The good news is that password complexity and aging are not essential elements for computer security as shown in NIST SP800-63B. Will corporate password policies change? The bad news is, probably not.
(1) K. Korosec, "The 25 Most Common Passwords of 2017 Include 'Star Wars'" (2017). http://fortune.com/2017/12/19/the-25-most-used-hackable-passwords-2017-star-wars-freedom/.
(2) R.D. McDowall, Validation of Chromatography Data Systems: Ensuring Data Integrity, Meeting Business and Regulatory Requirements (Cambridge: Royal Society of Chemistry, Cambridge, UK, 2nd Ed., 2017).
(3) P.A. Grassi, M.E. Garcia, and J.L. Fenton, NIST Special Publication 800-63-3 Digital Identity Guidelines (National Institute of Science and Technology, Gaithersburg, Maryland, 2017).
(4) P.A. Grassi and J.L. Fenton, NIST Special Publication 800-63A: Digital Identity Guidelines Enrollment and Identity Proofing Requirements (National Institute of Science and Technology, Gaithersburg, Maryland, 2017).
(5) P.A.Grassi, J.L. Fenton, E.M. Newton, R.A. Perlner, A.R. Regenscheid, W.E. Burr, and J.P. Richer, NIST Special Publication 800-63B: Digital Identity Guidelines Authentication and Lifecycle Management (National Institute of Science and Technology, Gaithersburg, Maryland, 2017).
(6) P.A.Grassi, J.P. Richer, S.K. Squire, J.L. Fenton, and E.M. Nadeau, NIST Special Publication 800-63C: Digital Identity Guidelines Federation and Assertions (National Institute of Science and Technology, Gaithersburg, Maryland, 2017).
R.D. McDowall is the Director of RD McDowall Limited and the editor of the "Questions of Quality" column for LCGC Europe, Spectroscopy's sister magazine. Direct correspondence to: SpectroscopyEdit@ubm.com