Nov 12 2015

NIST Considers Dropping Use of Passwords

Protecting information with something that can be easily attacked and decoded isn’t really protection.

Passwords are supposed to be a safeguard, a shield that keeps sensitive information from falling into the wrong hands. But passwords have become a liability, with attackers targeting them directly in cyberattacks. That is why the National Institute of Standards and Technology is considering an authentication-related change to its reference guide.

The agency may eliminate the password entropy requirements outlined in NIST Special Publication 800-63, the Electronic Authentication Guideline, FedScoop reports. NIST is considering restricting password-only authentication to low-risk assets and is even debating whether to phase passwords out entirely, because they are what Paul Grassi, senior standards and technology advisor for the agency’s National Strategy for Trusted Identities in Cyberspace program, calls a “vulnerability.”

“You want to make recommendations that actually eradicate passwords as much as possible and get it to where it belongs: to protect worthless data and as a simple way to gain access to something you’ve been to before, then push the rest of services to two-factor [authentication],” Grassi told FedScoop.

This reinforces the idea that passwords are little more than fences that can be scaled, cut through, or otherwise rendered useless.

Computer users who reuse the same password across multiple accounts or settle for easy-to-remember passwords should consider the following: cracking a human-chosen password can take less effort than choosing it. The Appendix A estimate in SP 800-63 puts a 16-character, user-chosen password at about 30 bits of entropy, which corresponds to roughly 2^30, or about 1 billion, possibilities. Security Intelligence reports that purpose-built password-cracking rigs can test more than 300 billion guesses per second, a rate that depends heavily on the hash function in use (slow, salted password hashes cut it by orders of magnitude). At that rate, a 30-bit search space is exhausted in a few milliseconds.
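The 30-bit figure comes from the heuristic in Appendix A of SP 800-63: 4 bits for the first character, 2 bits each for characters 2 through 8, 1.5 bits each for characters 9 through 20, and 1 bit per character after that, with optional bonuses for composition rules and dictionary checks. The Python below is an added illustration written for this page, not code from NIST or from the article; it reproduces the "no checks" estimate, contrasts it with a password whose characters are drawn uniformly at random, and converts a bit count into the worst-case time to exhaust the space at a given guess rate. The 94-symbol alphabet (printable ASCII) and the 300 billion guesses per second are assumptions, the latter taken from the rate cited above.

```python
"""NIST SP 800-63 Appendix A password entropy estimate, with crack-time math.

Added example for this page; not NIST's code. Assumes a 94-symbol printable
ASCII alphabet for random passwords and a 300e9 guesses/second attacker.
"""
import math


def nist_estimate_bits(length: int) -> float:
    """Entropy estimate for a user-chosen password of `length` characters.

    This is the 'no checks' column of SP 800-63 Appendix A: 4 bits for the
    first character, 2 bits each for characters 2-8, 1.5 bits each for
    characters 9-20, and 1 bit for each character after the 20th. The bonuses
    for composition rules and dictionary checks are deliberately left out.
    """
    if length <= 0:
        return 0.0
    bits = 4.0                                   # first character
    bits += 2.0 * min(max(length - 1, 0), 7)     # characters 2..8
    bits += 1.5 * min(max(length - 8, 0), 12)    # characters 9..20
    bits += 1.0 * max(length - 20, 0)            # characters 21 and beyond
    return bits


def random_password_bits(length: int, alphabet_size: int = 94) -> float:
    """Entropy of a password whose every character is chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every password in a space of 2**bits guesses."""
    return 2.0 ** bits / guesses_per_second


def crack_time_report(length: int, guesses_per_second: float = 300e9) -> dict:
    """Compare a human-chosen and a random password of the same length."""
    human = nist_estimate_bits(length)
    rand = random_password_bits(length)
    year = 365.25 * 86400
    return {
        "length": length,
        "human_bits": human,
        "human_seconds": seconds_to_exhaust(human, guesses_per_second),
        "random_bits": rand,
        "random_years": seconds_to_exhaust(rand, guesses_per_second) / year,
    }


if __name__ == "__main__":
    for n in (8, 16, 24):
        r = crack_time_report(n)
        print(f"{n:2d} chars: human-chosen ~{r['human_bits']:.0f} bits, "
              f"exhausted in {r['human_seconds']:.2e} s; "
              f"random {r['random_bits']:.0f} bits, {r['random_years']:.2e} years")
```

The point the numbers make is that length alone does not rescue a human-chosen password: 16 characters estimated at 30 bits fall in milliseconds, while 16 uniformly random characters from the same keyboard carry roughly 105 bits and are out of reach at any guess rate. That gap is why the guidance favours generated secrets and second factors over longer memorised passwords.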

So what are the alternatives? Is the facial-recognition technology seen in Minority Report the answer? FIDO Alliance Executive Director Brett McDowell explained to FedScoop that authentication methods such as fingerprint and iris scanning could take the place of passwords.

“You don’t type anything in and it’s much more secure because it doesn’t have the vulnerabilities associated with phishing or the execution environment with malware,” McDowell said.

Grassi added that the federal government has shown interest in these stronger authentication methods. After the OPM breach, federal CIO Tony Scott sent an emphatic message about cybersecurity practices, and NIST and the rest of the government are clearly paying attention.
