Week 3: User-Centric Password Policies
Password policy has long been a topic of debate in the information security community, and policies that encourage strong passwords while still preserving a good user experience have recently been gaining traction. The latest NIST guidance on memorized secrets adopts a user-centric approach, overturning earlier requirements that placed a heavier burden on users, such as mandatory complexity rules and mandatory periodic password changes.
These older policies were intended to reduce the likelihood of attackers successfully guessing user passwords, and to mitigate the impact of data breaches by limiting the period during which attackers could reuse compromised credentials. However, both of these concerns are now addressed by other means: rate-limiting password attempts obviates the need for highly complex memorized secrets, and blacklisting passwords found in data breaches mitigates the impact of credential-stuffing attacks. The latter technique is particularly important given the prominence of stolen credentials in the latest Verizon breach report.
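To make the two replacement controls concrete, here is an added example (not code from the original post or from NIST) of how a login service can implement them: a breached-password blocklist consulted when a user chooses a new password, and a per-account sliding-window rate limiter on failed sign-in attempts. Note that the password check has no composition rules and no expiry; the minimum length, the window size, the failure threshold and the tiny blocklist are all constructed values for illustration.

```python
import hashlib
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Optional, Tuple

# Constructed sample blocklist: SHA-1 digests of a few well-known weak
# passwords standing in for a breach-derived corpus. A real deployment
# would load a large breach list and compare hashes, never plaintext.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("password", "123456", "qwerty", "letmein", "Password1!")
}

MIN_LENGTH = 8  # assumption: minimum length enforced for user-chosen secrets


def check_new_password(candidate: str) -> Tuple[bool, str]:
    """Accept or reject a user-chosen password with exactly two checks:
    a minimum length and absence from the breached-password blocklist.
    'Password1!' satisfies classic complexity rules yet is rejected here
    because it appears in the (constructed) breach list."""
    if len(candidate) < MIN_LENGTH:
        return False, "too short"
    digest = hashlib.sha1(candidate.encode()).hexdigest()
    if digest in BREACHED_SHA1:
        return False, "appears in breach corpus"
    return True, "ok"


class LoginRateLimiter:
    """Sliding-window limit on failed attempts per account.

    Once an account has `max_failures` failures inside `window_seconds`,
    further attempts are refused until the oldest failure ages out. This
    caps online guessing at a handful of tries per window per account,
    which is what removes the need for highly complex secrets."""

    def __init__(self, max_failures: int = 5, window_seconds: float = 900.0):
        self.max_failures = max_failures
        self.window = window_seconds
        # account -> timestamps of recent failures, oldest first
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)

    def _prune(self, account: str, now: float) -> None:
        """Drop failures that fell outside the window."""
        q = self._failures[account]
        while q and now - q[0] >= self.window:
            q.popleft()

    def allowed(self, account: str, now: Optional[float] = None) -> bool:
        """Return True if another attempt may be processed for `account`."""
        now = time.time() if now is None else now
        self._prune(account, now)
        return len(self._failures[account]) < self.max_failures

    def record_failure(self, account: str, now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        self._prune(account, now)
        self._failures[account].append(now)

    def record_success(self, account: str) -> None:
        """A successful login clears the account's failure history."""
        self._failures.pop(account, None)


if __name__ == "__main__":
    for pw in ("short", "Password1!", "blue kettle sings at dawn"):
        print(repr(pw), "->", check_new_password(pw))
    limiter = LoginRateLimiter(max_failures=3, window_seconds=60)
    for t in (0, 1, 2, 3):
        print("t=%d allowed=%s" % (t, limiter.allowed("alice", now=t)))
        limiter.record_failure("alice", now=t)
```

The limiter is keyed by account so that a burst of failures against one user does not lock out others; pairing it with a per-source-IP limiter is a common refinement, but the per-account view is the one that directly bounds guesses against any single secret.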
Both of these changes address the same set of root problems, and more importantly they do so by working with user experience in mind. The older techniques appeared to address security concerns, but because they didn't consider how users would react to the policy they ended up being less secure. For example, a decade ago researchers found that 41% of passwords in a real-world sample set could be trivially guessed if previous passwords for users were known. This is likely because users were trying to minimize their mental load while trying to meet password complexity requirements for different systems without needing to memorize completely new passwords for each account.
Keeping user experience and user behavior at the center of the security decision-making process isn't compromising security for usability; it is recognizing that, at the end of the day, security measures are more likely to achieve their intended effect when human factors work with the policy instead of against it.