[Info-vax] Enhanced Password Management

gezelter at rlgsc.com gezelter at rlgsc.com
Fri Mar 22 09:49:51 EDT 2019


On Thursday, March 21, 2019 at 1:25:53 PM UTC-4, lorin... at gmail.com wrote:
> On Wednesday, March 20, 2019 at 1:11:29 PM UTC-7, Stephen Hoffman wrote:
> > On 2019-03-20 19:36:35 +0000, Jan-Erik Söderholm said:
> > 
> > > Just got this from VSI:
> > > 
> > > "Thank you to those of you who downloaded and tested the Enhanced 
> > > Password Management software."
> > ...
> > > The minimum number of upper-case characters in a password
> > > The minimum number of lower-case characters in a password
> > > ...
> >...
>  
> > More generally, it's interesting to see VSI headed away from what US 
> > NIST and other recent recommendations suggest for password composition.
> > 
> > "Verifiers SHOULD NOT impose other composition rules (e.g., requiring 
> > mixtures of different character types or prohibiting consecutively 
> > repeated characters) for memorized secrets. Verifiers SHOULD NOT 
> > require memorized secrets to be changed arbitrarily (e.g., 
> > periodically). However, verifiers SHALL force a change if there is 
> > evidence of compromise of the authenticator."
> > ...
> > -- 
> > Pure Personal Opinion | HoffmanLabs LLC
> 
> +1 on all of this, Hoff, thanks.
> 
> Some of you may recall or attended a session I gave at the last Boot Camp (in 2017?, has it really been this long since our last BC-get-together?) on this very topic.  AFAIR, that first-session after the keynote was a pretty full room (to my surprise), with several VSI engineers in attendance.  I reviewed the then-newly revised NIST guidelines, emphasizing that these revisions were acknowledged publicly by NIST people as a complete about-face on any/all previous recommendations wrt password complexity and expirations.  I also made some modest suggestions/recommendations on the way forward, especially regarding obsolete corporate "Security Policy."
> 
> At that time, VSI had hired an experienced security guy (Darrell?) who "got it" too... a couple of months later, he was gone already.  Didn't seem to bode well for modernizing security awareness in a future version of VMS.  That they're continuing "The minimum number of..." line of thinking seems to indicate either entrenched thinking or too much to do -- especially in light of contemporary, objective evidence that password complexity and expiration rules not only don't work, but aggressively weaken security, giving the bad actors yet another predictable and well-known attack vector.  Engineering's continued focus on pwd-complexity is not just "interesting," it's misdirected, false security theater, a waste of time, and just plain wrong.
> 
> Troy Hunt's cloud resource https://haveibeenpwned.com came to light in the months since that Boot Camp presentation.  I've written, for my own amusement, a proof-of-concept script (Ruby) that checks new password candidates against that online corpus, rejecting even otherwise "strong" passwords if their hash is found to have been already compromised.
> 
> VMS Engineering would do well to refocus their efforts to have SET PASSWORD do the same online checking (don't download the corpus into a local check-it dictionary, as the reference instance gets updated with new breach data on an as-needed basis) rather than messing around with obsolete complexity rules and other such presumptive "fixing."
> 
> Wrt obsolete "corporate security policy," here's an approach:  Invite your corporate attorney to lunch (or something), and during conversation, casually introduce the phrases "corporate security breach" and "security liability".  That last word is lawyer-important, and will get their attention.  When s/he stops freaking out, let 'em know that you can help, that you'd like their full support in reconvening "the Security Committee," under your chairmanship, to review and update the password policy portion (at least).  Then --> go do the work.  Don't wait for "them" (the company at large) to come to their senses on this -- "they" won't.  It will take informed, experienced technical leadership to make any dent in the corporate political obsolescence that pervades our country and the world.
> 
> Just a thought...
> respectfully,
> -- Lorin

Lorin,

+5. I always mention getting on good terms with counsel in my security talks.

Ironically, even major organizations have been switching to the outdated policy guidelines. Just the other month, one of the major banks I do business with started enforcing password expirations.

As Doug Gordon has mentioned elsewhere, government agencies (and auditors) are far from blameless in this regard.

I would suggest that if forced to use the old guidelines, one should consider writing an appropriate memorandum, with the current NIST guidelines physically attached, for protection. In the event of a legal problem, having done the change under protest. With auditors, one is almost always in a position to object to findings and recommendations.

- Bob Gezelter, http://www.rlgsc.com
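As an added illustration of the check Lorin describes (a Ruby proof of concept that rejects a candidate password whose hash already appears in breach data), here is an example of my own, not Lorin's script, not VSI code, and not part of the original thread. It uses the range ("k-anonymity") lookup that Have I Been Pwned publishes: only the first five hex characters of the candidate's SHA-1 leave the machine, and the returned list of hash suffixes is matched locally. The breach corpus and the occurrence counts in the fixture are constructed so the example runs offline; the online fetcher is included but not exercised.

```ruby
require 'digest'
require 'net/http'
require 'uri'

# NIST SP 800-63B: at least 8 characters for a user-chosen memorized secret,
# no composition rules, and reject secrets known to be compromised.
MIN_LENGTH = 8

# Split a candidate's SHA-1 into the 5-hex-char prefix that is sent to the
# range API and the 35-char suffix that is compared locally, so the full
# hash of the candidate is never transmitted.
def sha1_prefix_suffix(password)
  hex = Digest::SHA1.hexdigest(password).upcase
  [hex[0, 5], hex[5..-1]]
end

# Parse a range-API body ("SUFFIX:COUNT" per line) into { suffix => count }.
def parse_range_body(body)
  body.each_line.with_object({}) do |line, acc|
    suffix, count = line.strip.split(':', 2)
    next if suffix.nil? || suffix.empty? || count.nil?
    acc[suffix.upcase] = count.to_i
  end
end

# How many times the candidate has been seen in breach data (0 if never).
# `fetch_range` is any callable that takes the 5-char prefix and returns
# the response body, so the network can be swapped out for a fixture.
def breach_count(password, fetch_range)
  prefix, suffix = sha1_prefix_suffix(password)
  parse_range_body(fetch_range.call(prefix)).fetch(suffix, 0)
end

# Real fetcher for https://api.pwnedpasswords.com/range/<prefix>.
# Needs network access; the offline demo below does not call it.
ONLINE_FETCHER = lambda do |prefix|
  res = Net::HTTP.get_response(URI("https://api.pwnedpasswords.com/range/#{prefix}"))
  raise "range lookup failed: HTTP #{res.code}" unless res.is_a?(Net::HTTPSuccess)
  res.body
end

# Constructed offline fixture standing in for the breach corpus. The two
# candidates are assumptions for the demo; the counts are made up. Note the
# second one would pass any "minimum number of upper/lower/digit/special"
# rule and is still rejected, which is the point Lorin makes.
FIXTURE_CORPUS = { 'password123' => 126_927, 'Passw0rd!2019' => 17 }.freeze

# Build a fetcher that answers like the range API would for the fixture:
# every fixture entry whose prefix matches is returned as SUFFIX:COUNT,
# plus one unrelated made-up suffix so the body is never a single line.
def fixture_fetcher
  lambda do |prefix|
    lines = FIXTURE_CORPUS.map do |pw, count|
      p, s = sha1_prefix_suffix(pw)
      p == prefix ? "#{s}:#{count}\r\n" : nil
    end.compact
    (lines + ["0000000000000000000000000000000000F:1\r\n"]).join
  end
end

# Validate a candidate the way the thread suggests SET PASSWORD should:
# length per NIST, then reject anything already present in breach data
# regardless of how "complex" it looks. Returns [accepted?, reason].
def validate_password(password, fetch_range = fixture_fetcher)
  return [false, "shorter than #{MIN_LENGTH} characters"] if password.length < MIN_LENGTH

  count = breach_count(password, fetch_range)
  return [false, "seen #{count} times in breach data"] if count > 0

  [true, 'accepted']
end

if $PROGRAM_NAME == __FILE__
  ['short', 'password123', 'Passw0rd!2019', 'correct horse battery staple'].each do |pw|
    ok, reason = validate_password(pw)
    puts "#{pw.inspect}: #{ok ? 'OK' : 'REJECT'} (#{reason})"
  end
end
```

To run it against the live service, pass `ONLINE_FETCHER` as the second argument to `validate_password`; the fixture fetcher is the default so the file runs with no network. A response body of only the prefix-matching suffixes is enough for the check, and because the match happens on the client, an observer of the lookup learns only that one of roughly a million candidates sharing that prefix was being checked.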