[Info-vax] Enhanced Password Management

lorinricker at gmail.com
Thu Mar 21 13:25:50 EDT 2019


On Wednesday, March 20, 2019 at 1:11:29 PM UTC-7, Stephen Hoffman wrote:
> On 2019-03-20 19:36:35 +0000, Jan-Erik Söderholm said:
> 
> > Just got this from VSI:
> > 
> > "Thank you to those of you who downloaded and tested the Enhanced 
> > Password Management software."
> ...
> > The minimum number of upper-case characters in a password
> > The minimum number of lower-case characters in a password
> > ...
>...
 
> More generally, it's interesting to see VSI headed away from what US 
> NIST and other recent recommendations suggest for password composition.
> 
> "Verifiers SHOULD NOT impose other composition rules (e.g., requiring 
> mixtures of different character types or prohibiting consecutively 
> repeated characters) for memorized secrets. Verifiers SHOULD NOT 
> require memorized secrets to be changed arbitrarily (e.g., 
> periodically). However, verifiers SHALL force a change if there is 
> evidence of compromise of the authenticator."
> ...
> -- 
> Pure Personal Opinion | HoffmanLabs LLC

+1 on all of this, Hoff, thanks.

Some of you may recall or attended a session I gave at the last Boot Camp (in 2017?, has it really been this long since our last BC-get-together?) on this very topic.  AFAIR, that first-session after the keynote was a pretty full room (to my surprise), with several VSI engineers in attendance.  I reviewed the then-newly revised NIST guidelines, emphasizing that these revisions were acknowledged publicly by NIST people as a complete about-face on any/all previous recommendations wrt password complexity and expirations.  I also made some modest suggestions/recommendations on the way forward, especially regarding obsolete corporate "Security Policy."

At that time, VSI had hired an experienced security guy (Darrell?) who "got it" too... a couple of months later, he was gone already.  Didn't seem to bode well for modernizing security awareness in a future version of VMS.  That they're continuing "The minimum number of..." line of thinking seems to indicate either entrenched thinking or too much to do -- especially in light of contemporary, objective evidence that password complexity and expiration rules not only don't work, but aggressively weaken security, giving the bad actors yet another predictable and well-known attack vector.  Engineering's continued focus on pwd-complexity is not just "interesting," it's misdirected, false security theater, a waste of time, and just plain wrong.

Troy Hunt's cloud resource https://haveibeenpwned.com came to light in the months since that Boot Camp presentation.  I've written, for my own amusement, a proof-of-concept script (Ruby) that checks new password candidates against that online corpus, rejecting even otherwise "strong" passwords if their hash is found to have been already compromised.

VMS Engineering would do well to refocus their efforts to have SET PASSWORD do the same online checking (don't download the corpus into a local check-it dictionary, as the reference instance gets updated with new breach data on an as-needed basis) rather than messing around with obsolete complexity rules and other such presumptive "fixing."

Wrt obsolete "corporate security policy," here's an approach:  Invite your corporate attorney to lunch (or something), and during conversation, casually introduce the phrases "corporate security breach" and "security liability".  That last word is lawyer-important, and will get their attention.  When s/he stops freaking out, let 'em know that you can help, that you'd like their full support in reconvening "the Security Committee," under your chairmanship, to review and update the password policy portion (at least).  Then --> go do the work.  Don't wait for "them" (the company at large) to come to their senses on this -- "they" won't.  It will take informed, experienced technical leadership to make any dent in the corporate political obsolescence that pervades our country and the world.

Just a thought...
respectfully,
-- Lorin
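Added example (not Lorin's proof-of-concept script, and not VSI code): a Ruby sketch of the kind of breach-corpus check described above, using the Pwned Passwords "range" endpoint so the password never leaves the host. The candidate is SHA-1 hashed, only the first five hex characters of the hash are sent, and the returned list of suffixes is searched locally (k-anonymity). The range response body and its counts below are constructed for offline use; the function names, the MIN_LENGTH constant and the injectable `fetcher` are my own assumptions. Only the SHA-1 prefix endpoint URL and the optional Add-Padding header are taken from the published Pwned Passwords API.

```ruby
require 'digest'
require 'net/http'
require 'uri'

# NIST SP 800-63B floor for user-chosen memorized secrets; no composition
# rules are applied beyond this, only the breach-corpus check.
MIN_LENGTH = 8

# Upper-case hex SHA-1, the form the Pwned Passwords range endpoint uses.
def sha1_upper(password)
  Digest::SHA1.hexdigest(password).upcase
end

# Split into the 5-char prefix that is sent and the 35-char suffix kept local.
def split_hash(password)
  h = sha1_upper(password)
  [h[0, 5], h[5..-1]]
end

# Parse a range response body ("SUFFIX:COUNT" per line, CRLF-terminated on the
# wire) and return the breach count for one suffix, 0 if absent. Padding
# entries (count 0) returned when Add-Padding is requested fall out naturally.
def breach_count(range_body, suffix)
  range_body.each_line do |line|
    s, count = line.strip.split(':', 2)
    return count.to_i if s && s.upcase == suffix
  end
  0
end

# Live fetch of one hash range. Only the prefix is transmitted.
def fetch_range(prefix)
  uri = URI("https://api.pwnedpasswords.com/range/#{prefix}")
  req = Net::HTTP::Get.new(uri)
  req['Add-Padding'] = 'true' # hide the true response size from observers
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: true) { |http| http.request(req) }
  raise "Pwned Passwords range query failed: HTTP #{res.code}" unless res.is_a?(Net::HTTPSuccess)
  res.body
end

# Times the candidate appears in the corpus. `fetcher` is injectable so the
# logic can be exercised offline with a canned response.
def pwned_count(password, fetcher = method(:fetch_range))
  prefix, suffix = split_hash(password)
  breach_count(fetcher.call(prefix), suffix)
end

# The SET PASSWORD-style decision: [accepted?, reason].
def evaluate_candidate(password, fetcher = method(:fetch_range))
  return [false, "shorter than #{MIN_LENGTH} characters"] if password.length < MIN_LENGTH
  n = pwned_count(password, fetcher)
  return [false, "already in breach corpus (#{n} occurrences)"] if n > 0
  [true, 'not found in breach corpus']
end

# Constructed sample of a range response for prefix 5BAA6 (the SHA-1 of
# "password" is 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8). The neighbouring
# suffixes and all counts are made up for this example.
SAMPLE_RANGE_5BAA6 = <<~BODY
  003D68EB55068C33ACE09247EE4C639306B:3
  1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567
  1E2AAA439972480CEC7F16C795BBB429372:0
BODY

# Offline stand-in for fetch_range: answers only for the sample prefix.
CANNED_FETCHER = ->(prefix) { prefix == '5BAA6' ? SAMPLE_RANGE_5BAA6 : '' }

if __FILE__ == $PROGRAM_NAME
  %w[password Tr0ub4dor&3x].each do |cand|
    ok, why = evaluate_candidate(cand, CANNED_FETCHER)
    puts "#{cand.inspect}: #{ok ? 'accepted' : 'rejected'} (#{why})"
  end
end
```

Run with the canned fetcher for an offline check; drop the second argument to `evaluate_candidate` to query the live service. The point of the prefix split is that the verifier learns which of several hundred hashes in the range you asked about only if it can guess the whole password, which is the property that makes an online check acceptable for a SET PASSWORD path.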