The Center for Internet Security just updated their Password Policy Guide as a template for organizations to use as their own. The CIS announcement starts out with this seemingly innocuous sentence: “Love them or hate them, but passwords have undeniably been a time-tested and imperfect method for user authentication that can protect organizations from cyber-attacks if used correctly.”
Leaving aside the strange syntax and questionable grammar, this sentence encapsulates what is wrong with the username/password paradigm.
- We have only encountered a handful of actual people who LOVE passwords. Sadly, we have encountered even fewer people who use them “correctly”. While it is easy to P@ssw0rd_sH@me users, it is humanly impossible to remember a unique username and password combination for hundreds of different apps, sites and services.
- “Time-tested and imperfect method for user authentication” is a strange way of saying “repeatedly failed”.
- “that can protect organizations from cyber-attacks if used correctly” is fundamentally an admission that your organization’s cyber security depends on rigorous adherence to modern hacks designed to make a 5,000-year-old paradigm provide fundamental security for the digital age.
Remodeling a House of Cards
CIS codifies its best practices into three password-creation bullet points that are supposed to make passwords easier to use and more secure, and then pretends that ANYONE is actually doing it this way.
- Use “passphrases” instead of passwords — Length is the most important aspect of a good password. However, a single long word is not only difficult to remember, it’s also difficult to spell. A passphrase containing a number of words, such as CapeCodisaFunPlace, is both easier to remember and harder to crack.
- Don’t use words related to your personal information — Avoid things that attackers can look up about you on the internet. If you are the president of the local Mustang car club, you shouldn’t use “Mustang” as a password.
- Limit using dictionary words: In general, the way adversaries attack passwords is by trying various combinations of words in the dictionary first. This is a lot of words, but a lot fewer than trying all the possible letter combinations. Use non-dictionary alternatives for passphrases, for example: Th3F0rdMust@ngis#1
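The three bullet points above describe checks a password policy can actually enforce at enrollment time: minimum length, no personal-information words, and no password that is nothing but dictionary words. The following is an added example, not code from CIS or from the author of this post, showing how such a checker works. It assumes a tiny constructed word list standing in for a real cracking dictionary, an assumed dictionary size of 100,000 words for the guess-space estimate, a hypothetical 14-character minimum length, and the leet substitutions (@ for a, 3 for e, 0 for o, 1 for i, and so on) that cracking rule sets routinely undo before looking a word up.

```python
import math

# Constructed word list standing in for a cracker's dictionary (assumption:
# a real check would load a large wordlist from disk).
DICTIONARY = {
    "cape", "cod", "is", "a", "fun", "place", "the", "ford", "mustang",
    "password", "club", "president", "car",
}

# Assumed size of the dictionary an attacker would actually combine words
# from; used only for the rough guess-space estimate below.
ASSUMED_DICTIONARY_SIZE = 100_000
PRINTABLE_ASCII = 95  # brute-force alphabet size per character

# Common substitutions that password-cracking rule sets reverse before
# lookup, so "Must@ng" is still found as "mustang".
LEET = str.maketrans({"@": "a", "3": "e", "0": "o", "1": "i",
                      "$": "s", "4": "a", "5": "s", "7": "t"})


def normalize(password: str) -> str:
    """Undo leet substitutions and fold case, as a cracker's rules would."""
    return password.translate(LEET).lower()


def segment(text: str):
    """Greedy longest-match split into dictionary words.

    Returns (words_found, number_of_characters_not_covered_by_any_word).
    """
    words, leftover, i, n = [], 0, 0, len(text)
    while i < n:
        match = None
        for j in range(n, i, -1):          # longest candidate first
            if text[i:j] in DICTIONARY:
                match = text[i:j]
                break
        if match:
            words.append(match)
            i += len(match)
        else:
            leftover += 1                  # unmatched character
            i += 1
    return words, leftover


def estimate_bits(password: str) -> float:
    """Rough guess-space in bits: the cheaper of a word-combination attack
    (the strategy the CIS bullet describes) and plain brute force."""
    words, leftover = segment(normalize(password))
    word_attack = (len(words) * math.log2(ASSUMED_DICTIONARY_SIZE)
                   + leftover * math.log2(PRINTABLE_ASCII))
    brute_force = len(password) * math.log2(PRINTABLE_ASCII)
    return min(word_attack, brute_force)


def check_policy(password: str, profile_words=(), min_length: int = 14) -> dict:
    """Apply the three bullet-point rules; min_length is a hypothetical value."""
    norm = normalize(password)
    words, leftover = segment(norm)
    return {
        "length_ok": len(password) >= min_length,
        # Words the organization knows about the user (club name, car, etc.)
        "personal_info_hits": sorted(w.lower() for w in profile_words
                                     if w.lower() in norm),
        # True when the whole password is just dictionary words strung together
        "all_dictionary": leftover == 0,
        "estimated_bits": round(estimate_bits(password), 1),
    }


if __name__ == "__main__":
    # Constructed profile: the Mustang car club president from the second bullet.
    profile = ["Mustang", "Ford"]
    for candidate in ("Mustang", "CapeCodisaFunPlace", "Th3F0rdMust@ngis#1"):
        print(candidate, check_policy(candidate, profile))
```

Running it shows the shape of the argument in the bullets: a single dictionary word like Mustang is both short and found immediately, the passphrase gets its strength from the number of words rather than from odd characters, and the leet-style example still decomposes into the same four dictionary words once the substitutions are undone, so a checker built on the second bullet flags it for the club president's profile just as it would flag plain "Mustang".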