Password complexity and authentication have always been a subject of contention, both for users and for system administrators. Many assume that forcing users to create more complex passwords, and to change them frequently, leads to greater system security; in theory this may be true. Given human nature, things rarely go as planned, and research has shown that forcing users to comply with these additional requirements has actually had a detrimental effect on system security.
To chat more about this subject, we sat down with members of our Risk, Security, and Privacy team to answer some important questions about security and passwords today.
1. You both do a lot of work providing advisory services to our clients. In a couple of weeks you are speaking at the PCI Community meetings, both in Las Vegas and then in London. Can you help us understand what’s wrong with the way most organizations handle authentication in payment systems?
Rob Harvey - That’s a great question – and what’s so important is that it's often an unasked question. The PCI Council has done a great job providing guidance to organizations and putting measures in place to ensure secure storage of payment information. However, things change so quickly in this industry and what worked before, doesn’t always work today. I think there are two major issues with how authentication is handled in most payments systems today:
Password databases are easily cracked. These databases hold some of the most critical information and unfortunately it is far too easy to crack them. When systems store passwords, they generally store them in a hashed/encrypted method – not in plain text. Then when you log in it is hashed using the same method, the system compares the hashes and makes sure you have input the right password. This is meant to protect authentication information in the event of a breach. Unfortunately, many current hashing algorithms are designed for speed and data integrity, not overall protection, so it isn’t difficult to crack passwords through a brute force attack.
We’ve made it too complex. Until recently developers have wanted users to make passwords more complex so it takes hackers longer to crack passwords. It’s not bad logic, but it doesn’t take into account the reality of human psychology and that it’s people who have to remember the passwords they’ve created. There has been a lot of research done that shows that users create passwords in a very predictable manner (P@ssw0rd!). Hackers can take advantage of these patterns, which in turn makes these complexity requirements actually decrease security. And that complexity just makes users frustrated, so they do insecure things like reuse passwords or write them down, all the while unintentionally making our security efforts less effective. The bottom line is that user frustration often leads to reduced security.
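The storage problem Rob describes above, shown in code. This is an added example, not code from the interviewees or their firm: it places the fast, unsalted digest the text warns about beside a per-user salted PBKDF2-HMAC-SHA256 record with constant-time verification, and measures the per-guess cost of each. The iteration count and the record format are illustrative choices, not a standard the page cites.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# PBKDF2-HMAC-SHA256 work factor. The value is illustrative; deployments tune
# it to their hardware and raise it over time.
ITERATIONS = 200_000
SALT_BYTES = 16


def fast_unsalted_hash(password: str) -> str:
    """The storage pattern the text warns about: one fast digest, no salt.

    Every user with the same password gets the same stored value, and a
    single digest is cheap enough to test enormous numbers of guesses per
    second against it.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Store a password as a self-describing record: alg$iterations$salt$hash.

    A random per-user salt means identical passwords produce different
    records and precomputed tables are useless; the iteration count makes
    every guess proportionally more expensive.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algorithm}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # compare_digest does not leak how many leading bytes matched via timing.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def cost_per_guess(password: str = "P@ssw0rd!", samples: int = 3):
    """Seconds per guess for the fast hash versus the slow KDF.

    Returns (fast_seconds, slow_seconds); their ratio is the factor by which
    the work factor multiplies the effort needed per candidate password.
    """
    salt = os.urandom(SALT_BYTES)
    start = time.perf_counter()
    for _ in range(samples):
        fast_unsalted_hash(password)
    fast = (time.perf_counter() - start) / samples
    start = time.perf_counter()
    for _ in range(samples):
        hash_password(password, salt)
    slow = (time.perf_counter() - start) / samples
    return fast, slow


if __name__ == "__main__":
    record = hash_password("P@ssw0rd!")  # constructed sample credential
    print("stored record:", record)
    print("correct password verifies:", verify_password("P@ssw0rd!", record))
    print("wrong password verifies:", verify_password("password", record))
    fast, slow = cost_per_guess()
    print(f"fast hash: {fast:.2e}s/guess, slow KDF: {slow:.2e}s/guess, "
          f"ratio ~{slow / max(fast, 1e-9):.0f}x")
```

The record carries its own algorithm name and iteration count, so the work factor can be raised later and old records re-hashed on a user's next successful login without a flag day.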
2. So if we are still having password security issues, how do we get users to create passwords that are hacker-proof but easy to remember? Is it even possible?
Adam Kehler - Passwords will never be hacker-proof, but the good news is we can make the information that is protected with passwords more secure across the board. Perhaps the best news is that it’s not quite as daunting of a process as you might think.
I recommend that the first thing our customers do is look at the usability of the systems and the manner in which they request and ask for user-generated passwords. I like what Rob just said, frustrated users leave systems open to insecure behavior – so let’s make it better for them and reduce the risk that they will choose an insecure option. Research shows that making systems more intuitive and user-friendly results in stronger passwords. And while user training and awareness is important – it really isn’t the complete answer; we need to design systems that have the right amount of authentication security for the right users and make those systems intuitive and easy to use from the time a user signs up, to the times when they forget or lose their password.
Password security shouldn’t be a user burden, it should be a system burden. Systems should have security built in and users shouldn’t have to worry about it as much. We need to design systems that take the burden off the user for creating passwords that are more resistant to cracking.
3. So later this month you both are speaking at the PCI Community meetings on this topic. I know one of the things you are passionate about is bringing some of the NIST best practices into the PCI approach. Can you shed a bit of light on how NIST and PCI compare to each other and other standards when it comes to password complexity requirements?
Rob Harvey - There are some fundamental differences between NIST and PCI that have a big impact on password storage. At the risk of oversimplifying, you can think of it this way: PCI is focused on complexity, not usability; NIST SP 800-63B is focused on storage and usability; and then there are other standards like HIPAA/ISO/SOC that are not prescriptive but take a risk-based approach. Both the PCI and NIST 800-63B standards use a risk-based multi-factor authentication approach.
Adam Kehler - It is difficult to comply with compliance requirements like PCI when other compliance requirements like HIPAA, ISO, etc. have their own standards that have to be followed in addition to them. Fortunately, many of the standards such as PCI aren’t quite as prescriptive as you may think when you first read them. We’re looking forward to discussing these types of issues at the meetings.
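The usability-first approach Rob attributes to NIST SP 800-63B, and the predictable "P@ssw0rd!" pattern he described earlier, can be turned into a concrete acceptance check. The following is an added example, not code from the interviewees or their firm: it applies a length floor and a blocklist comparison (including the leetspeak and trailing-digit variants users produce to satisfy composition rules) rather than composition rules themselves, which is the model 800-63B describes for memorized secrets. The BLOCKLIST, LEET_MAP and TRAILING sets are constructed stand-ins; a real deployment would load a large breach-derived list.

```python
import re
import unicodedata
from typing import Iterable, List

MIN_LENGTH = 8  # NIST SP 800-63B minimum length for user-chosen memorized secrets

# Constructed stand-in for a blocklist of commonly used or previously breached
# passwords; a real deployment loads a large list from a breach corpus.
BLOCKLIST = {"password", "qwerty", "letmein", "welcome", "123456", "iloveyou",
             "monkey", "dragon", "baseball", "football"}

# Substitutions users make to satisfy "one digit, one symbol" rules
# (constructed mapping; extend as needed).
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})

# Digits and punctuation users bolt onto the end of a dictionary word.
TRAILING = "0123456789!?.,#*-_"


def normalize(password: str) -> str:
    """Fold a candidate back to the dictionary word it was likely built from."""
    folded = unicodedata.normalize("NFKC", password).lower()
    folded = folded.rstrip(TRAILING)       # "Welcome1!" -> "welcome"
    return folded.translate(LEET_MAP)      # "p@ssw0rd"  -> "password"


def evaluate_password(password: str,
                      context_words: Iterable[str] = ()) -> List[str]:
    """Return the reasons a password is unacceptable; an empty list means OK.

    Checks follow the NIST SP 800-63B model: a length floor, a blocklist of
    common/breached values, context-specific words (username, service name)
    and runs of a repeated character, with no composition rules at all.
    """
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    # Compare both the literal value and its folded form against the list.
    candidates = {password.lower(), normalize(password)}
    if candidates & BLOCKLIST:
        reasons.append("matches a commonly used or breached password")
    for word in context_words:
        if word and any(word.lower() in c for c in candidates):
            reasons.append("contains the username or service name")
            break
    if re.search(r"(.)\1{3,}", password):
        reasons.append("repeats a single character four or more times")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs: the "complex" one fails, the long plain one passes.
    for sample, ctx in [("P@ssw0rd!", ()), ("L3tm3!n", ()),
                        ("correct horse battery staple", ()),
                        ("rharvey2024!", ("rharvey",))]:
        verdict = evaluate_password(sample, ctx) or ["acceptable"]
        print(f"{sample!r}: {'; '.join(verdict)}")
```

Note that "P@ssw0rd!" satisfies every classic composition rule (upper, lower, digit, symbol, length 9) and is still rejected, while a long passphrase with no symbols passes; that is the shift from user burden to system burden that Adam describes.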
We’d love to hear your thoughts on password complexity and authentication, and the strategies your organizations are using to ensure users are properly authenticated. Please feel free to send us a note. And if you’re going to be at either of the PCI Community meetings, be sure to come say hello. We’d love to talk to you!