P@ssw0rd follies (repost from 2017)

I didn’t around to posting on the MyHealthRecord mess before the government retreated on the issue, but I just ran across this piece from 2017 which reminded me how insecure the system would have been.

Looking at the broader issue, it’s clear that the push from both governments and corporations to collect and sell our data is going to keep producing disasters unless things change. We need to address the issue comprehensively starting from the premise that any transfer of individual information without explicit consent is, prima facie unlawful, then adding in exceptions based on a clear public benefit test.

I have a piece in Crikey under the title ‘Our spy agencies know less about cybersecurity than the Daily Mail‘.

The central point is that our leading cybersecurity agency, the Australian Signals Directorate, has just rolled out a policy requiring users of government agency websites to change their passwords every 90 days and to use composition rules based on a mix of alphanumeric and special characters. As even the Daily Mail has pointed out, these practices are thoroughly discredited, to the point where the expert responsible for them has publicly recanted.

Our spy agencies know less about cybersecurity than the Daily Mail

I recently had to log in to the website of an Australian government agency with which I deal from to time. To my surprise, I was presented with a message saying that my password had expired and that, under a new security policy, password expire every 90 days, and must contain a mixture of alphanumeric and special characters (this is called a composition rule)

You don’t need to be a cybersecurity expert to know that this is nonsense. Cartoons like xkcd have been mocking special character passwords for years. As is well known, a long, but easily memorable string of dictionary words like “thisgovernmenthasnochanceofwinning” is much harder to crack than a shorter p@ssw0rd123456 with obvious substitutions like @ for a (this password would meet the conditions I was asked to satisfy.

The problems of regularly changing passwords have regularly been discussed in the computer press. Back in April 2016, the US National Institute for Standards and Technology (NIST) came up with new guidelines responding to studies of how people actually use passwords. Among the most important guidelines “No composition rules” and “No more expiration without reason.” To quote an the Sophos security site “The only time passwords should be reset is when they are forgotten, if they have been phished, or if you think (or know) that your password database has been stolen and could therefore be subjected to an offline brute-force attack”

Anyone who paid attention knew all this years ago. But the coup de grace came with the widely published admission, a week ago, by Bill Burr, the person who invented these rules, that they were wrong and made computers less secure. By this point even the readers of the Daily Mail are in on the joke.

I could deal with my own password problem easily enough. There are lots of apps on the market that manage passwords and generate them so as to satisfy even the silliest composition rules (I use 1Password). But, lots of users don’t have these apps and will adopt insecure practices like writing down the password on a sticky label.

So, in the spirit of “if you see something, say something”, I wrote to the agency in question, advising that their security practices were out of date. I assumed that the policy had been imposed by a technologically illiterate senior manager and that a client complaint might lead to some action.

Imagine my surprise when the agency wrote back to inform me that they had no choice in the matter. The new (in)security policy had been imposed across the entire Australian government by our chief cyberintelligence agency, the Australian Signals Directorate (snappy slogan ‘Reveal their secrets, protect our own’).

In May 2016, shortly after the NIST repudiated password expiry and composition rules, the ASD came up with a 300 page Information Security Manual, including (on p. 193 for those interested), the requirements for 90-day expiry and a complex composition rule.

Given that ASD is our representative in the ‘Five Eyes’ Anglospheric intelligence agreement, I would have expected them to have access to the best available advice from the US. But apparently, they don’t even read the trade press.

I haven’t read the rest of the manual, and wouldn’t be qualified to assess it in any case. But if the agency responsible for our national cybersecurity is mandating policies that are too silly for the Daily Mail, it seems unlikely that we can place much faith in the advice our government is receiving on more significant issues like data retention and the exploitation of security vulnerabilities by intelligence agencies seeking to ‘reveal their secrets’.

2 thoughts on “P@ssw0rd follies (repost from 2017)

  1. I note that all of the discussion about My Health to date has only been about what constitutes legal access to these records. Illegal access – hacking, phishing, deliberate misuse by internal staff (stalkers, ex-spouses etc) hasn’t rated a mention. By the time it does, it will be “Too bad, so sad, your data is in the public or dark domain for misuse/sale, please use a more secure password next time”.

  2. Improved passphrases could make online experiences both user-friendly and secure

    . ..”Juang, a user experience research manager at SunTrust Bank, says, “Passphrases are more secure than passwords and avoid the various issues with biometric systems like fingerprint or facial recognition. It’s inevitable that we will eventually need to move past traditional passwords, but it’s nothing to fear. Instead of asking users to juggle both usability and security, which is complicated, let’s provide secure passphrases and allow users to do what they do best: make things easier for themselves. By truly understanding how users think, we can design systems that keep them secure while also being easy to use.”…


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s