Passwords are the foundation upon which much of modern IT security is built, and what better day to discuss the topic than World Password Day, an event which occurs on the first Thursday of May every year. World Password Day is a day in which companies around the world post blogs with advice, sometimes questionable, the obligatory XKCD comic and talk about the importance of Multi-Factor Authentication (MFA). At Juniper Networks, we thought instead we'd have "the talk" about the foundation of password protection as a foundation of security itself.
The only constant is change
Microsoft very publicly stated the decision to change their default stance – and advice – regarding password reset requirements; in short, Microsoft has reviewed the past two decades of research about the utility of forced password resets and decided the time has come to abandon them. This is a big move, for a number of reasons, not all of them obvious.
Password reset requirements were drilled into at least two generations of systems administrators and information security practitioners as gospel. In making this change – any change – Microsoft will inevitably anger those individuals who firmly believe in the password advice from the 80s and 90s.
Another risky aspect of this move is that password reset requirements are codified in several regulatory compliance schemes and Microsoft operates in virtually every regulated environment. To be clear: Microsoft's change is to the default settings regarding passwords; administrators will still be able to force password resets in order to meet regulatory requirements, however, they will now have to actively configure these requirements on Windows. And Microsoft will be the last vendor to make this move.
Industry experts have agreed for decades now that frequently changing passwords is a bad idea and this advice is finally penetrating regulatory bodies. Even the individual who came up with the idea has disavowed it.
Microsoft making changes to their defaults before all the major regulatory bodies have caught up to this fact and changed their requirements is significant. Not all vendors will feel they can make the same choice, especially on all products. Vendors are often constrained by the regulatory environments in which their products regularly operate, although Microsoft's move is likely to prompt numerous conversations.
The other big move in the password space recently has been the introduction of WebAuthn. WebAuthn brings with it a new approach to using biometrics – such as a fingerprint or a facial recognition scan – in place of a password. To say that WebAuthn is highly controversial within the information security community would be a significant understatement.
While WebAuthn is often portrayed as a straight replacement of passwords by biometrics, it isn't quite that simple. It is effectively a standard which turns a given device into a password manager. Instead of logging in to a website, one's device would store the password and fill it when required.
Authorizing the device to fill in the password is where the biometrics come in. WebAuthn allows devices to use any number of methods to authorize filling out a website's login information from stored local credentials. These methods can include entering the device's password, unlock pattern or using biometrics.
People are bad at passwords. This is just a fact of life and it is why password managers are an absolute necessity in the modern world. Because people are bad at passwords, there are regularly attempts to do away with them, and to date, these have all ended up the same way.
One of the basic principles of modern IT security is that you want to combine something you have with something you know. This way, nobody can break into your accounts easily. They would have to steal the something you have, and find out the something you know. This is why, for example, the Chip and Pin scheme used for debit and credit cards is generally considered much more secure.
Biometrics are something you have, and they can be stolen just as easily as someone can steal your credit card. Replacing passwords (something you know) with biometrics (something you have) is the source of much (but not all) of the controversy.
With WebAuthn, users who have configured their devices to unlock using biometrics could also be configuring those same devices to allow passwords to be automatically filled out on websites using that same biometric. Defeating even the best consumer biometrics is something a 10-year-old can do and it gets easier every year.
If the debate over password resets and complexity requirements is slowly winding down in the face of decades of evidence, the debate over the appropriate place for biometrics is only beginning. Biometrics are convenient, but they are a more natural replacement for usernames (something you have) than passwords (something you know).
Convenience and security have always been opposite ends of the same spectrum and that is not going to change. What is changing, however, is our understanding – as an industry, even if not as individuals – that computers are simply too new for us to know yet what the best approaches to securing them are. Computer-based information security has only been a field for a few decades and that simply isn't enough time to explore all the many and varied ways in which it can be done wrong. The balancing act between convenience and security means we'll keep trying new approaches for the foreseeable future.
On World Password Day, we aren’t necessarily offering specific advice about which approaches to passwords you should take, and which you should avoid. Instead, we advise engaging in the discussion itself.
Examine your approaches to authentication with an open mind. Explore emerging technologies. Become aware of your regulatory requirements and talk to both your IT practitioners and your employees about their feelings on the debate.
Education, awareness and choosing solutions to the problem that meet the needs of the individuals that must use them are the key. With nearly eight billion people on the planet, it is highly unlikely that one approach to information security will fit all. So sit down together and have “the talk”. It's time.