The Center for Internet Security just updated their Password Policy Guide as a template for organizations to use as their own. The CIS announcement starts out with this seemingly innocuous sentence: “Love them or hate them, but passwords have undeniably been a time-tested and imperfect method for user authentication that can protect organizations from cyber-attacks if used correctly.”

Leaving aside the strange syntax and questionable grammar, this sentence encapsulates what is wrong with the username/password paradigm.

  1. We have only encountered a handful of actual people who LOVE passwords. Sadly, we have encountered even fewer people who use them “correctly”. While it is easy to P@ssw0rd_sH@me users, it is humanly impossible to remember a unique username and password combination for hundreds of different apps, sites and services.
  2. “Time-tested and imperfect methods for user authentication” is a strange way of saying “repeatedly failed”.
  3. “...that can protect organizations from cyber-attacks if used correctly” is fundamentally an admission that your organization’s cyber security depends on rigorous adherence to modern hacks designed to make a 5,000 year old paradigm provide fundamental security for the digital age.

Remodeling a House of Cards

CIS codifies its best practices into three password-creation bullet points which are supposed to make passwords easier to use and more secure, and then pretends that ANYONE is actually doing it this way.

  • Use “passphrases” instead of passwords — Length is the most important aspect of a good password. However, a single long word is not only difficult to remember, it’s also difficult to spell. A passphrase containing a number of words, such as CapeCodisaFunPlace, is both easier to remember and harder to crack.
  • Don’t use words related to your personal information — Avoid things that attackers can look up about you on the internet. If you are the president of the local Mustang car club, you shouldn’t use “Mustang” as a password.
  • Limit using dictionary words — In general, the way adversaries attack passwords is by trying various combinations of words in the dictionary first. This is a lot of words, but a lot fewer than trying all the possible letter combinations. Use non-dictionary alternatives for passphrases, for example: Th3F0rdMust@ngis#1
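
The three CIS rules above (length, no personal information, limited dictionary words) can be turned into a policy check that an organization runs at password-set time. The following is an added example, not CIS code or part of the Guide: the word list, the personal-information tokens, the leet substitution table, and the 14-character and 50% thresholds are all constructed assumptions for illustration. It undoes common character substitutions before matching, because that is how cracking word lists are mangled, so the check measures what an attacker’s dictionary would actually see.

```python
"""Added example: a passphrase policy checker for the three CIS creation
rules.  Dictionary, thresholds and substitution table are constructed
assumptions, not values from the CIS Password Policy Guide."""

# Constructed sample dictionary; a real deployment would load a full word
# list plus a breached-password list instead of this handful of words.
SAMPLE_DICTIONARY = {
    "cape", "cod", "is", "a", "fun", "place", "the", "ford", "mustang",
    "password", "summer", "winter", "welcome", "club", "president",
}

# Assumed policy thresholds (not CIS figures).
MIN_LENGTH = 14        # minimum passphrase length
MAX_COVERAGE = 0.5     # warn when more than half the text is dictionary words

# Common "leet" substitutions reversed, so Th3F0rd is compared as theford.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(text):
    """Lower-case and undo leet substitutions before any matching."""
    return text.translate(LEET).lower()


def dictionary_coverage(passphrase, dictionary=SAMPLE_DICTIONARY, min_len=3):
    """Return (dictionary words found, fraction of characters they cover).

    Words are matched as substrings of the normalized passphrase so that
    run-together passphrases such as CapeCodisaFunPlace are still seen.
    Words shorter than min_len are ignored to avoid trivial hits like "a".
    """
    text = normalize(passphrase)
    covered = set()
    words = []
    for word in sorted(dictionary):
        if len(word) < min_len:
            continue
        start = text.find(word)
        if start == -1:
            continue
        words.append(word)
        while start != -1:               # mark every occurrence
            covered.update(range(start, start + len(word)))
            start = text.find(word, start + 1)
    coverage = len(covered) / len(text) if text else 0.0
    return words, coverage


def check_passphrase(passphrase, personal_info=(), dictionary=SAMPLE_DICTIONARY):
    """Apply the three rules; hard failures go in 'reasons', the dictionary
    density rule is advisory and goes in 'warnings'."""
    text = normalize(passphrase)
    reasons = []
    if len(passphrase) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    # personal_info holds tokens the organization already knows about the
    # user (name, employer, car club...); matched after normalization so
    # Must@ng is still caught.
    hits = [token for token in personal_info if normalize(token) in text]
    if hits:
        reasons.append("contains personal information: " + ", ".join(hits))
    words, coverage = dictionary_coverage(passphrase, dictionary)
    warnings = []
    if coverage > MAX_COVERAGE:
        warnings.append("%.0f%% of the passphrase is dictionary words: %s"
                        % (coverage * 100, ", ".join(words)))
    return {
        "accepted": not reasons,
        "reasons": reasons,
        "warnings": warnings,
        "dictionary_words": words,
        "dictionary_coverage": coverage,
    }


if __name__ == "__main__":
    # Constructed inputs: the two examples from the CIS bullets, a short
    # club-themed password, and a random string.
    samples = [
        ("CapeCodisaFunPlace", ()),
        ("Th3F0rdMust@ngis#1", ("Mustang", "Ford")),
        ("Mustang1", ("Mustang",)),
        ("xq7!Lm2#vT9pRz4w", ()),
    ]
    for candidate, info in samples:
        print(candidate, check_passphrase(candidate, personal_info=info))
```

Running the four constructed samples shows why the substitution advice is weak on its own: once the leet characters are undone, the Guide’s own “non-dictionary” example Th3F0rdMust@ngis#1 reads as “the ford mustang is #1”, is flagged as roughly 78% dictionary text, and is rejected outright for the Mustang club president because it contains the personal-information token the second bullet told that user to avoid. CapeCodisaFunPlace passes the hard rules but draws a dictionary-density warning, and only the random string comes through clean, which is the case a password manager produces and a human never remembers.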

The Guide also recommends that administrators use Multi-Factor Authentication (MFA), sometimes referred to as Two-Factor Authentication (2FA), which requires the user to present two or more pieces of evidence when logging in to an account.

While MFA certainly can enhance security, it is impossible for a security professional (or anyone who actually uses the Internet) to agree either that “MFA is the most secure user authentication method available on the market today” or that it “has minimal impact on usability”.

At first glance, these guidelines seem like useful steps to improve password usability and security. In fact, they serve to preserve reliance on a broken paradigm which continually frustrates users while putting organizations at risk of a variety of digital attacks.

The only defensible recommendation CIS provides is that organizations should provide and support password managers. This is a step forward in that it admits that following username/password standards is beyond the capability of human beings, but sadly it is a step in the wrong direction; if we need to embrace a software solution for authentication, then we shouldn’t be embracing buggy whips.