[email protected] follies

September 5th, 2017

I have a piece in Crikey (reproduced over the fold) under the title ‘Our spy agencies know less about cybersecurity than the Daily Mail‘.

The central point is that our leading cybersecurity agency, the Australian Signals Directorate, has just rolled out a policy requiring users of government agency websites to change their passwords every 90 days and to use composition rules based on a mix of alphanumeric and special characters. As even the Daily Mail has pointed out, these practices are thoroughly discredited, to the point where the expert responsible for them has publicly recanted.

I recently had to log in to the website of an Australian government agency with which I deal from time to time. To my surprise, I was presented with a message saying that my password had expired and that, under a new security policy, passwords expire every 90 days and must contain a mixture of alphanumeric and special characters (this is called a composition rule).

You don’t need to be a cybersecurity expert to know that this is nonsense. Cartoons like xkcd have been mocking special-character passwords for years. As is well known, a long but easily memorable string of dictionary words like “thisgovernmenthasnochanceofwinning” is much harder to crack than a shorter [email protected] with obvious substitutions like @ for a (this password would meet the conditions I was asked to satisfy).
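To put numbers on that comparison, here is an added example (not code from the post) that scores a constructed stand-in, "P@ssw0rd", two ways: as a composition rule sees it (every character independent) and as an attacker who knows the substitution habit sees it, and sets both against a five-word random passphrase. The word-list size, dictionary size, substitution allowance and cracking rate are assumptions.

```python
import math
import string

# Constructed attacker-model assumptions (not figures from the post):
WORDLIST_SIZE = 7776        # a diceware-style word list
DICT_WORDS = 100_000        # common-word dictionary an attacker tries first
SUBST_TWEAK_BITS = 10       # allowance for @/0/$ swaps, one capital, a trailing digit/symbol
GUESSES_PER_SECOND = 1e10   # offline cracking rate against a fast unsalted hash

# Undo the obvious substitutions so "P@ssw0rd" collapses back to "password"
LEET = str.maketrans({"@": "a", "0": "o", "$": "s", "1": "i", "3": "e", "4": "a"})


def passphrase_bits(words: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Entropy of `words` words chosen uniformly at random from the word list."""
    return words * math.log2(wordlist_size)


def naive_bits(password: str) -> float:
    """What a composition rule measures: each character independent over the union
    of the classes present (26 lower, 26 upper, 10 digits, 33 ASCII specials)."""
    if not password:
        return 0.0
    alphabet = 0
    alphabet += 26 if any(c.islower() for c in password) else 0
    alphabet += 26 if any(c.isupper() for c in password) else 0
    alphabet += 10 if any(c.isdigit() for c in password) else 0
    alphabet += 33 if any(not c.isalnum() for c in password) else 0
    return len(password) * math.log2(alphabet)


def leet_bits(password: str) -> float:
    """Entropy against an attacker who models the habit the post describes: one
    dictionary word plus obvious substitutions and a capital/digit/symbol tweak.
    Assumes a single-word base; multi-word phrases belong to passphrase_bits."""
    base = password.translate(LEET).lower().rstrip(string.digits + string.punctuation)
    if base.isalpha():
        return math.log2(DICT_WORDS) + SUBST_TWEAK_BITS
    return naive_bits(password)  # no shortcut recognised; fall back to brute force


def years_to_crack(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to reach the password (half the space) at `rate` guesses/s."""
    return (2.0 ** bits / 2) / rate / (365 * 24 * 3600)


if __name__ == "__main__":
    sample = "P@ssw0rd"  # constructed stand-in for the substituted password in the post
    print(f"composition-rule view of {sample!r}: {naive_bits(sample):.1f} bits")
    print(f"attacker's view of {sample!r}: {leet_bits(sample):.1f} bits, "
          f"{years_to_crack(leet_bits(sample)):.1e} years")
    print(f"five random words: {passphrase_bits(5):.1f} bits, "
          f"{years_to_crack(passphrase_bits(5)):.1f} years")
```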

The problems of regularly changing passwords have been discussed repeatedly in the computer press. Back in April 2016, the US National Institute of Standards and Technology (NIST) came up with new guidelines responding to studies of how people actually use passwords. Among the most important guidelines were “No composition rules” and “No more expiration without reason.” To quote the Sophos security site: “The only time passwords should be reset is when they are forgotten, if they have been phished, or if you think (or know) that your password database has been stolen and could therefore be subjected to an offline brute-force attack.”

Anyone who paid attention knew all this years ago. But the coup de grace came with the widely published admission, a week ago, by Bill Burr, the person who invented these rules, that they were wrong and made computers less secure. By this point even the readers of the Daily Mail are in on the joke.

I could deal with my own password problem easily enough. There are lots of apps on the market that manage passwords and generate them so as to satisfy even the silliest composition rules (I use 1Password). But lots of users don’t have these apps and will adopt insecure practices like writing down the password on a sticky label.

So, in the spirit of “if you see something, say something”, I wrote to the agency in question, advising that their security practices were out of date. I assumed that the policy had been imposed by a technologically illiterate senior manager and that a client complaint might lead to some action.

Imagine my surprise when the agency wrote back to inform me that they had no choice in the matter. The new (in)security policy had been imposed across the entire Australian government by our chief cyberintelligence agency, the Australian Signals Directorate (snappy slogan ‘Reveal their secrets, protect our own’).

In May 2016, shortly after the NIST repudiated password expiry and composition rules, the ASD came up with a 300 page Information Security Manual, including (on p. 193 for those interested), the requirements for 90-day expiry and a complex composition rule.

Given that ASD is our representative in the ‘Five Eyes’ Anglospheric intelligence agreement, I would have expected them to have access to the best available advice from the US. But apparently, they don’t even read the trade press.

I haven’t read the rest of the manual, and wouldn’t be qualified to assess it in any case. But if the agency responsible for our national cybersecurity is mandating policies that are too silly for the Daily Mail, it seems unlikely that we can place much faith in the advice our government is receiving on more significant issues like data retention and the exploitation of security vulnerabilities by intelligence agencies seeking to ‘reveal their secrets’.

  1. Newtownian
    September 5th, 2017 at 10:27 | #1

    Do they (or you) have any suggestions on how to deal with another dimension to this problem, the need for multiple different passwords and the need for a secure method for how to store them.

    Memorizing all of one’s passwords and their changes is becoming a nightmare which makes internet access extremely problematic. The more secure a password the harder it is to memorize.

    And how should you store them in a readily accessible form? On your phone?! In one of these protected password stores in the [email protected]@##$$%. In a [email protected]

    Help welcome.

  2. Magnesium
    September 5th, 2017 at 10:34 | #2

    The controls in question are these:

    Control: 0421; Revision: 4; Updated: Apr-15; Applicability: UD, P, C, S; Compliance: must; Authority: AA
    Agencies using passphrases as the sole method of authentication must enforce the following
    passphrase policy:
    • a minimum length of 13 alphabetic characters with no complexity requirement; or
    • a minimum length of 10 characters, consisting of at least three of the following
    character sets:
    – lowercase alphabetic characters (a–z)
    – uppercase alphabetic characters (A–Z)
    – numeric characters (0–9)
    – special characters.

    Control: 0422; Revision: 4; Updated: Apr-15; Applicability: TS; Compliance: must; Authority: AA
    Agencies using passphrases as the sole method of authentication must enforce the following
    passphrase policy:
    • a minimum length of 15 alphabetic characters with no complexity requirement; or
    • a minimum length of 11 characters, consisting of at least three of the following
    character sets:
    – lowercase alphabetic characters (a–z)
    – uppercase alphabetic characters (A–Z)
    – numeric characters (0–9)
    – special characters
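An added example (not code from the comment, the ISM or the ASD) that encodes the two quoted controls as a checker and reports which of a control's two branches a candidate passphrase satisfies. Treating "special characters" as ASCII punctuation is an assumption, since the quoted text does not enumerate them.

```python
import string

# Character sets named in controls 0421 and 0422 as quoted above.
# Assumption: "special characters" means printable ASCII punctuation.
CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "numeric": set(string.digits),
    "special": set(string.punctuation),
}

# control id -> (alphabetic-only minimum, mixed-class minimum), per the quoted text
CONTROLS = {"0421": (13, 10), "0422": (15, 11)}

# Applicability markings from the control headers: UD, P, C, S -> 0421; TS -> 0422
APPLICABILITY = {"UD": "0421", "P": "0421", "C": "0421", "S": "0421", "TS": "0422"}


def control_for(classification: str) -> str:
    """Pick the control that applies to a system's classification marking."""
    return APPLICABILITY[classification.upper()]


def classes_present(passphrase: str) -> list[str]:
    """Names of the character classes the passphrase draws on, in CLASSES order."""
    return [name for name, chars in CLASSES.items() if any(c in chars for c in passphrase)]


def check_passphrase(passphrase: str, control: str) -> tuple[bool, str]:
    """Return (compliant, reason) against the two alternative branches of one control."""
    alpha_min, mixed_min = CONTROLS[control]
    n = len(passphrase)
    # Branch 1: long, purely alphabetic, no complexity requirement
    if passphrase.isascii() and passphrase.isalpha() and n >= alpha_min:
        return True, f"{n} alphabetic characters (>= {alpha_min}), no complexity required"
    # Branch 2: shorter, but drawn from at least three of the four classes
    present = classes_present(passphrase)
    if n >= mixed_min and len(present) >= 3:
        return True, f"{n} characters (>= {mixed_min}) using {len(present)} classes: {', '.join(present)}"
    return False, (f"needs {alpha_min}+ alphabetic characters, or {mixed_min}+ characters "
                   f"from 3+ classes (got {n} characters, {len(present)} classes)")


if __name__ == "__main__":
    # "P@ssw0rd"/"P@ssw0rd12" are constructed stand-ins for the substituted passwords in the post
    for candidate in ("thisgovernmenthasnochanceofwinning", "P@ssw0rd", "P@ssw0rd12"):
        for classification in ("P", "TS"):
            ok, why = check_passphrase(candidate, control_for(classification))
            print(f"{candidate!r} [{classification}]: {'PASS' if ok else 'FAIL'}: {why}")
```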

  3. derrida derider
    September 5th, 2017 at 11:08 | #3

    Fair go, John. How are the security authorities supposed to ensure you are not a terrorist, asylum seeker, environmentalist or other undesirable if they can’t make your accounts insecure so they can crack them?

  4. Tom Davies
    September 5th, 2017 at 11:55 | #4

    Here’s a very good article on password rules https://blog.codinghorror.com/password-rules-are-bullshit/

  5. Tom Davies
    September 5th, 2017 at 11:58 | #5

    @newtonian I use 1password, in the cloud, so I only need to remember one password.

    I also authenticate via my google account (or even Facebook) when it is offered, to avoid creating yet another password.

  6. Paul Foord
    September 5th, 2017 at 12:38 | #6

    Password managers, where you only have to break one password. And if you do use one, is disclosing which manager you use making you less secure?

  7. raoul
    September 5th, 2017 at 18:30 | #7

    That 90 day rule came from the PDP-8 minicomputer from the 60’s/70’s. They worked out the time it would take to brute force passwords and had people change passwords more frequently.

    For some reason this was taken at face value and due to auditors following standards blindly has stuck until just now.

  8. September 5th, 2017 at 22:23 | #8

    I’m no expert, but like Randall Munroe’s thinking at xkcd. https://xkcd.com/936/

  9. Tom Davies
    September 6th, 2017 at 10:23 | #9

    Something just as important as having a strong password is to never reuse it — you will end up using it on a site which doesn’t hash its passwords (or has some other vulnerability which allows an attacker to recover plain text passwords) and the attacker will use it on every other service out there. So the benefit of a password manager is that you never need to reuse passwords.

    Mitigating password reuse is an argument in favor of password expiry — your users may have used the same password on the system you are protecting and dodgy.com, but by the time the dodgy.com vulnerability is exploited, they have changed their password on your system.

    A password manager is a point of vulnerability, but it can be more secure than password stores on web apps — of course you shouldn’t reuse your password store password anywhere.

  10. Ikonoclast
    September 7th, 2017 at 17:36 | #10

    So, if I combine my two password methods, I should get really good passwords… and they are always recallable / reconstructable by me. Of course, I cannot say what these methods are. That would be telling.

    But I thought any agency worth its salt issued password keypads to staff? You key your password and then it gives you another password based on an encrypted algorithm. You use this password to enter a mainframe or secure site.

  11. Dan
    September 7th, 2017 at 18:00 | #11

    @Ikonoclast

    I’m sure there’s a German word for the fact that you know that agencies don’t do that but that they ought to and you are pointing out, with nose upturned and lip curled, the distance between where said agencies are and where they should be.

  12. Urbie
    September 7th, 2017 at 20:22 | #12

    I’d posit that governments and their security agencies have pursued this schema to ensure passwords are just strong enough to stop journalists and the like, but are weak enough for themselves to brute force attack.

  13. David Irving (no relation)
    September 9th, 2017 at 13:33 | #13

    My former employer has a “change your complex password every N days” policy (which, of course, means your password goes “[email protected]” *, “[email protected]”, … until you get back to your starting point). I’m nearing the end of a consulting gig back there, and was hoping I wouldn’t have to change my password – no such luck. The password expires about 2 days before the end of my contract. Dave has a sad.

    *Not my real password.
