P@ssw0rd follies

I have a piece in Crikey (reproduced over the fold) under the title ‘Our spy agencies know less about cybersecurity than the Daily Mail‘.

The central point is that our leading cybersecurity agency, the Australian Signals Directorate, has just rolled out a policy requiring users of government agency websites to change their passwords every 90 days and to use composition rules based on a mix of alphanumeric and special characters. As even the Daily Mail has pointed out, these practices are thoroughly discredited, to the point where the expert responsible for them has publicly recanted.

I recently had to log in to the website of an Australian government agency with which I deal from time to time. To my surprise, I was presented with a message saying that my password had expired and that, under a new security policy, passwords expire every 90 days and must contain a mixture of alphanumeric and special characters (this is called a composition rule).

You don’t need to be a cybersecurity expert to know that this is nonsense. Cartoons like xkcd have been mocking special-character passwords for years. As is well known, a long but easily memorable string of dictionary words like “thisgovernmenthasnochanceofwinning” is much harder to crack than a shorter p@ssw0rd123456 with obvious substitutions like @ for a (this password would meet the conditions I was asked to satisfy).

The problems of regularly changing passwords have been discussed repeatedly in the computer press. Back in April 2016, the US National Institute of Standards and Technology (NIST) came up with new guidelines responding to studies of how people actually use passwords. Among the most important guidelines were “No composition rules” and “No more expiration without reason.” To quote the Sophos security site: “The only time passwords should be reset is when they are forgotten, if they have been phished, or if you think (or know) that your password database has been stolen and could therefore be subjected to an offline brute-force attack.”

Anyone who paid attention knew all this years ago. But the coup de grace came with the widely published admission, a week ago, by Bill Burr, the person who invented these rules, that they were wrong and made computers less secure. By this point even the readers of the Daily Mail are in on the joke.

I could deal with my own password problem easily enough. There are lots of apps on the market that manage passwords and generate them so as to satisfy even the silliest composition rules (I use 1Password). But lots of users don’t have these apps and will adopt insecure practices like writing down the password on a sticky label.

So, in the spirit of “if you see something, say something”, I wrote to the agency in question, advising that their security practices were out of date. I assumed that the policy had been imposed by a technologically illiterate senior manager and that a client complaint might lead to some action.

Imagine my surprise when the agency wrote back to inform me that they had no choice in the matter. The new (in)security policy had been imposed across the entire Australian government by our chief cyberintelligence agency, the Australian Signals Directorate (snappy slogan ‘Reveal their secrets, protect our own’).

In May 2016, shortly after the NIST repudiated password expiry and composition rules, the ASD came up with a 300 page Information Security Manual, including (on p. 193 for those interested), the requirements for 90-day expiry and a complex composition rule.

Given that ASD is our representative in the ‘Five Eyes’ Anglospheric intelligence agreement, I would have expected them to have access to the best available advice from the US. But apparently, they don’t even read the trade press.

I haven’t read the rest of the manual, and wouldn’t be qualified to assess it in any case. But if the agency responsible for our national cybersecurity is mandating policies that are too silly for the Daily Mail, it seems unlikely that we can place much faith in the advice our government is receiving on more significant issues like data retention and the exploitation of security vulnerabilities by intelligence agencies seeking to ‘reveal their secrets’.

14 thoughts on “P@ssw0rd follies”

  1. Do they (or you) have any suggestions on how to deal with another dimension to this problem, the need for multiple different passwords and the need for a secure method for how to store them.

    Memorizing all of one’s passwords and their changes is becoming a nightmare which makes internet access extremely problematic. The more secure a password the harder it is to memorize.

    And how should you store them in a readily accessible form? On your phone?! In one of these protected password stores in the cloud!!@@##$$%. In a notebook?@

    Help welcome.

  2. The controls in question are these:

    Control: 0421; Revision: 4; Updated: Apr-15; Applicability: UD, P, C, S; Compliance: must; Authority: AA
    Agencies using passphrases as the sole method of authentication must enforce the following
    passphrase policy:
    • a minimum length of 13 alphabetic characters with no complexity requirement; or
    • a minimum length of 10 characters, consisting of at least three of the following
    character sets:
    – lowercase alphabetic characters (a–z)
    – uppercase alphabetic characters (A–Z)
    – numeric characters (0–9)
    – special characters.

    Control: 0422; Revision: 4; Updated: Apr-15; Applicability: TS; Compliance: must; Authority: AA
    Agencies using passphrases as the sole method of authentication must enforce the following
    passphrase policy:
    • a minimum length of 15 alphabetic characters with no complexity requirement; or
    • a minimum length of 11 characters, consisting of at least three of the following
    character sets:
    – lowercase alphabetic characters (a–z)
    – uppercase alphabetic characters (A–Z)
    – numeric characters (0–9)
    – special characters
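As an added example (not part of the post or of any comment), the following Python checks a password against the two alternatives in the ASD controls quoted above and then compares the guess space an attacker faces under the naive brute-force model the composition rule assumes with the dictionary-plus-mangling model cracking rule sets actually use, which is the point of the xkcd comparison in the post. The 7,776-word dictionary size, the 33-character special set, the leet table and all function names are assumptions of this example.

```python
import math
import re

# Assumed dictionary size (a 7,776-word Diceware-style list), used for the estimates.
DICTIONARY_SIZE = 7776
# Assumed character-set sizes (printable ASCII: 26 + 26 + 10 + 33 = 95).
CHAR_SETS = {
    "lower": (re.compile(r"[a-z]"), 26),
    "upper": (re.compile(r"[A-Z]"), 26),
    "digit": (re.compile(r"[0-9]"), 10),
    "special": (re.compile(r"[^A-Za-z0-9]"), 33),
}
# Leet substitutions a cracking rule set would try (symbol -> letter it stands for).
LEET = {"@": "a", "4": "a", "3": "e", "1": "i", "0": "o", "$": "s", "5": "s", "7": "t"}

def meets_asd_control(pw, alpha_min=13, complex_min=10):
    """Control 0421 with the defaults (0422 is alpha_min=15, complex_min=11):
    either all-alphabetic and at least alpha_min long, or at least complex_min
    long and drawing on three of the four character sets."""
    if len(pw) >= alpha_min and re.fullmatch(r"[A-Za-z]+", pw):
        return True
    sets_present = sum(1 for rx, _ in CHAR_SETS.values() if rx.search(pw))
    return len(pw) >= complex_min and sets_present >= 3

def brute_force_bits(pw):
    """Guess-space bits if the attacker enumerates every string over the
    character sets the password actually uses: the model the composition rule assumes."""
    alphabet = sum(size for rx, size in CHAR_SETS.values() if rx.search(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0

def mangled_word_bits(pw, dictionary_size=DICTIONARY_SIZE):
    """Guess-space bits if the attacker models pw as one dictionary word with
    optional leet substitutions and a numeric suffix, the way cracking rules do."""
    core = pw.rstrip("0123456789")
    suffix_len = len(pw) - len(core)
    # Each substitutable position is a yes/no choice, so it costs about one bit.
    substitutable = sum(1 for ch in core if ch in LEET or ch in LEET.values())
    return math.log2(dictionary_size) + substitutable + suffix_len * math.log2(10)

def passphrase_bits(n_words, dictionary_size=DICTIONARY_SIZE):
    """Guess-space bits when the attacker knows pw is n_words dictionary words."""
    return n_words * math.log2(dictionary_size)

if __name__ == "__main__":
    pw = "p@ssw0rd123456"  # meets the rule, ~85 bits by brute force, ~37 bits by rules
    print(pw, meets_asd_control(pw), round(brute_force_bits(pw), 1), round(mangled_word_bits(pw), 1))
    pw = "thisgovernmenthasnochanceofwinning"  # seven words, ~90 bits even if known
    print(pw, meets_asd_control(pw), round(brute_force_bits(pw), 1), round(passphrase_bits(7), 1))
```

Both passwords satisfy control 0421, but the one that meets the complexity branch has roughly a third of the realistic guess space of the all-alphabetic one.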

  3. Fair go, John. How are the security authorities supposed to ensure you are not a terrorist, asylum seeker, environmentalist or other undesirable if they can’t make your accounts insecure so they can crack them?

  4. @newtonian I use 1password, in the cloud, so I only need to remember one password.

    I also authenticate via my google account (or even Facebook) when it is offered, to avoid creating yet another password.

  5. Password managers, where you only have to break one password. And if you do use one, is disclosing which manager you use making you less secure?

  6. That 90 day rule came from the PDP-8 minicomputer from the 60’s/70’s. They worked out the time it would take to brute force passwords and had people change passwords more frequently.

    For some reason this was taken at face value and due to auditors following standards blindly has stuck until just now.

  7. Something just as important as having a strong password is to never reuse it — you will end up using it on a site which doesn’t hash its passwords (or has some other vulnerability which allows an attacker to recover plain text passwords) and the attacker will use it on every other service out there. So the benefit of a password manager is that you never need to reuse passwords.

    Mitigating password reuse is an argument in favor of password expiry — your users may have used the same password on the system you are protecting and dodgy.com, but by the time the dodgy.com vulnerability is exploited, they have changed their password on your system.

    A password manager is a point of vulnerability, but it can be more secure than password stores on web apps — of course you shouldn’t reuse your password store password anywhere.

  8. So, if I combine my two password methods, I should get really good passwords… and they are always recallable / reconstructable by me. Of course, I cannot say what these methods are. That would be telling.

    But I thought any agency worth its salt issued password keypads to staff? You key your password and then it gives you another password based on an encrypted algorithm. You use this password to enter a mainframe or secure site.

  9. @Ikonoclast

    I’m sure there’s a German word for the fact that you know that agencies don’t do that but that they ought to and you are pointing out, with nose upturned and lip curled, the distance between where said agencies are and where they should be.

  10. I’d posit that governments and their security agencies have pursued this schema to ensure passwords are just strong enough to stop journalists and the like, but are weak enough for themselves to brute force attack.

  11. My former employer has a “change your complex password every N days” policy (which, of course, means your password goes “C0mplexP@ssw0rd01” *, “C0mplexP@ssw0rd02”, … until you get back to your starting point). I’m nearing the end of a consulting gig back there, and was hoping I wouldn’t have to change my password – no such luck. The password expires about 2 days before the end of my contract. Dave has a sad.

    *Not my real password.

  12. The really odd thing about their response that they have no choice because the rules apply government-wide is that, yes, that may be true, but it is actually them who set those rules, which are then applied across the whole PS. They could change them if they wanted to. And then their new rules would apply to everyone.
