* Username/password as sole authentication method needs to go away

In his newsletter last week my colleague M.E. Kabay points us to a draft release of a new paper from the National Institute of Standards and Technology (NIST) called the “Guide to enterprise password management.” Maybe next they’ll draft guidelines for the proper use of buggy whips!

To their credit, the authors (identified as Karen Scarfone and Murugiah Souppaya) do begin with this caveat: “Organizations should be aware of the drawbacks of using password-based authentication. There are many types of threats against passwords, and most of these threats can only be partially mitigated.” Well, duh!

They immediately go on to say “although the existing mechanisms for enterprise password management can somewhat alleviate this burden, they each have significant usability disadvantages and can also cause more serious security incidents because they permit access to many systems through a single authenticator.” Well, yeah, but only if you institute Single Sign-On (SSO) as part of the “enterprise password management” system. But password management doesn’t – and shouldn’t – require an SSO component unless it’s protected by either a multifactor authentication system or, at least, something stronger than a username/password login. In fact, I’d go so far as to say that the use of an enterprise-wide SSO system should require multifactor authentication.

To their credit, the authors immediately add “…organizations should make long-term plans for replacing or supplementing password-based authentication with stronger forms of authentication for resources with higher security needs.” If I were editing, I’d remove that last phrase (“for resources with higher security needs”).

What follows in the NIST paper are thirty pages of password history, a review of password threats, password creation policy, and a thorough review of available password management technology.
While it makes for interesting reading (from a historical and cultural perspective), it – to me – is like the United States Environmental Protection Agency (EPA) publishing a paper on managing coal-fired furnaces for electrical generation.

“Managing” a technology doesn’t make it a less unsafe technology. Username/password as sole authentication method needs to go away, and go away now. Especially for the enterprise but, really, for everyone. As more and more of our personal data, private data, and economically valuable data moves out into “the cloud” it becomes absolutely necessary to provide stronger methods of identification. The sooner, the better.

There is one way I could countenance passwords (but only passwords that bear the same relationship to traditional choices – dog’s name, street name, etc. – as Gigabit Ethernet has to the “traditional” Carrier Sense Multiple Access with Collision Detection (CSMA/CD – 10 megabit Ethernet) I was installing 20 years ago). We’ll talk about that next time.