NIST password guidelines, security and civil rights
Some security people advocate that the password should be killed off. I wonder whether they are aware of what they mean by what they say. A society where identity authentication is allowed without the user’s volition would be a society where democracy is dead. It is a tyrant’s utopia.
‘Killing the password’ is ‘killing democracy’.
Democracy requires that individuals have the right not to have their identity authenticated without knowingly confirming it. This volitional process can be achieved only with volitional identity authentication, which is made possible by memorized secrets, i.e., passwords.
We know that the password is an indispensable factor in multi-factor schemes and that the security of password managers and single sign-on schemes hinges on the reliability of the master password. Biometrics, which relies on a backup password, can by no means be an alternative to the password.
The password as memorized secret is absolutely necessary. We must not accept any form of password-less login.
We might also need to look at the situation where we can rely on nothing but memorized secrets: emergencies.
Authentication in Emergencies
What is practicable in a calm indoor environment is not necessarily practicable in a turbulent outdoor environment, whereas the reverse does hold. The difference would be most striking on the battlefield and in disaster recovery.
Can we take it for granted that people in such emergencies will be holding the cards and tokens for their identity authentication? Can we be certain that biometric measures, whether static or behavioral, are practicable for people who are injured or caught in panic?
It is the obligation of democratic societies to provide citizens with identity authentication measures that are practicable in emergencies.
Slide “Identity Assurance in Emergencies”.
We could look at this subject from a different viewpoint: whether or not the password must stay with us is one thing; whether or not the password can be killed is another.
Biometrics in Cyberspace
Some people, including not a few security experts, appear to believe that biometrics is capable of displacing the password. They are misguided. It is logically impossible for biometrics to displace the password so long as it requires the password as a fallback means.
Because of its inherent characteristics, biometrics depends on a fallback means in case of false rejection. In physical security, this can be handled by personnel in charge other than the user. In cybersecurity, however, it needs to be handled by the users themselves, in most cases by way of a password that the users themselves must enter. The effect of biometrics and passwords used in parallel must not be confused with that of the two used in series (tandem).
Tech media seem busy arguing which biometric is better than the others. But it is all nonsense from security’s point of view. We should instead ask why security-lowering measures have been touted as security-enhancing solutions.
Whether dead or alive, conscious or unconscious, individuals can be identified by biometrics. However, good identification does not make valid authentication. It is a misuse of biometrics, which relies on ‘unique (not secret)’ features, to deploy it for the security of identity authentication.
In other words, so long as biometrics is backed up by a fallback password, irrespective of which biometric is more accurate than the others, its security is lower than that of password-only authentication, as illustrated in this video.
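The parallel-versus-series distinction above can be put into numbers. The following model is an added illustration, not code from the article or from Mnemonic Security; the false-acceptance rate, false-rejection rate and password-guess probability it uses are constructed sample figures, not measurements of any real product.

```python
"""Attacker-success probability for a biometric combined with a password.

Constructed inputs (assumptions for the illustration, not real measurements):
  far  - biometric false-acceptance rate (an impostor passes the biometric)
  frr  - biometric false-rejection rate (the legitimate owner is rejected)
  p_pw - probability that one attacker password attempt is accepted
"""


def password_only(far, frr, p_pw):
    """Password alone: the biometric's error rates play no role."""
    return {"attacker": p_pw, "owner_locked_out": 0.0}


def parallel_fallback(far, frr, p_pw):
    """Biometric OR password (password as fallback): the attacker wins by
    passing either check. 1 - (1-far)(1-p_pw) rewritten as p_pw + far(1-p_pw)
    makes it obvious the result can never drop below p_pw. The owner is never
    locked out, because the password route stays open after a false rejection."""
    attacker = p_pw + far * (1.0 - p_pw)
    return {"attacker": attacker, "owner_locked_out": 0.0}


def series_tandem(far, frr, p_pw):
    """Biometric AND password: the attacker must pass both checks, so the
    probabilities multiply, but a false rejection now locks the owner out."""
    return {"attacker": far * p_pw, "owner_locked_out": frr}


def fallback_never_helps(p_pw, far_values):
    """Sweeps a range of biometric accuracies: with a password fallback the
    attacker's success never drops below the password-only figure, however
    accurate the biometric is."""
    return all(parallel_fallback(far, 0.0, p_pw)["attacker"] >= p_pw
               for far in far_values)


if __name__ == "__main__":
    far, frr, p_pw = 1e-4, 1e-2, 1e-6   # constructed sample rates
    for name, fn in (("password only", password_only),
                     ("biometric OR password", parallel_fallback),
                     ("biometric AND password", series_tandem)):
        r = fn(far, frr, p_pw)
        print(f"{name:24s} attacker={r['attacker']:.3e} "
              f"owner_locked_out={r['owner_locked_out']:.3e}")
```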
Then we have to wonder why and how biometrics has been touted as a security-enhancing tool for so long, with so many security professionals staying silent about the fact.
There could be various explanations – from agnotology, neuroscience and psychology to sociology, behavioral economics and so on. This phenomenon will perhaps turn out to have provided rich material for scientists and researchers in those fields.
Related article 1- “How To Hack The Security Of Smartphones”
Related article 2 – “Mix up ‘Unique’ with ‘Secret’ and confuse ‘Identification’ with ‘Authentication’?”
Coming back to the absolute necessity of the password, for both societal and technical reasons, we cannot be indifferent to the latest NIST password guidelines.
New NIST Password Guidelines
This article talks about the old and new NIST password guidelines.
It is nice to see the odd recommendations of the old NIST password guidelines repealed, such as complicated hard-to-recall passwords, which result in reusing the same password across many accounts, and regular password changes, which result in using the easiest-to-guess passwords. It is not nice, however, to see ‘passphrase’ and ‘password manager’ being touted so naively. Caveats should accompany these recommendations.
Passphrase: It can be longer and yet easier to remember, but that does not necessarily mean higher entropy, despite the tiresome typing. It is generally made up of known words, which are vulnerable to automated dictionary attacks.
The cartoon shown in the linked article says that a 44-bit entropy password is hard to guess. It may be extremely hard for humans to guess, but it would be easy prey for criminals who possess automated attack software with intelligent dictionaries.
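The passphrase caveat comes down to which attacker model the entropy figure assumes. The estimate below is an added example, not the article's own material; the 2048-word list, the 26-letter alphabet, the 10^9 guesses-per-second rate and the four sample words are assumptions chosen for the illustration.

```python
"""Effective entropy of one passphrase under two attacker models.

A length-based strength meter treats every character as uniformly random; an
attacker who knows the passphrase is built from a word list only has to guess
word combinations. Both figures are computed for the same string.
"""
import math


def charset_entropy_bits(length, alphabet_size):
    """Entropy if every character were drawn uniformly from the alphabet."""
    return length * math.log2(alphabet_size)


def wordlist_entropy_bits(word_count, wordlist_size):
    """Entropy if the attacker guesses words from a known list instead."""
    return word_count * math.log2(wordlist_size)


def expected_seconds(bits, guesses_per_second):
    """Average time to hit the secret by exhaustive guessing (half the space)."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def compare(words, alphabet_size=26, wordlist_size=2048,
            guesses_per_second=1e9):
    """Returns both entropy figures and the corresponding guessing times.
    guesses_per_second is an assumed offline-guessing rate, not a measurement."""
    text = "".join(words)
    naive = charset_entropy_bits(len(text), alphabet_size)
    dictionary = wordlist_entropy_bits(len(words), wordlist_size)
    return {
        "naive_bits": naive,
        "dictionary_bits": dictionary,
        "naive_years": expected_seconds(naive, guesses_per_second) / 3.15e7,
        "dictionary_hours": expected_seconds(dictionary, guesses_per_second) / 3600,
    }


if __name__ == "__main__":
    # Constructed sample: four lowercase words, 25 characters in total.
    r = compare(["silent", "marble", "orchard", "violin"])
    print(f"as random letters : {r['naive_bits']:.1f} bits, "
          f"~{r['naive_years']:.1e} years to guess")
    print(f"as list words     : {r['dictionary_bits']:.1f} bits, "
          f"~{r['dictionary_hours']:.1f} hours to guess")
```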
Password Manager: It remembers all my passwords when unhacked and loses all my passwords to criminals when hacked. It should be operated in a decentralized fashion, or should be considered mainly for low-security accounts, not for high-security business accounts, which should be protected by strong passwords unique to each account.
Then, what else?
Expanded Password System – Intuitive and Secure
Being able to create strong passwords is one thing. Being able to recall them is another. And, being able to recall the relations between the accounts and the corresponding passwords is yet another.
At the root of the password headache is the cognitive phenomenon called “interference of memory”, by which we cannot firmly remember more than five text passwords on average. What troubles us is not the password but the textual password. Textual memory is only a small part of what we remember. We could make use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to efforts to expand the password system to include images, particularly unforgettable images, alongside conventional text.
Related article – Intuitive Passwords – Passwords succeeding passwords
Mnemonic Security, Inc.
- Hitoshi Kokumai is the inventor of the Expanded Password System, which enables people to make use of episodic image memories for intuitive and secure identity authentication. He has been raising the issue of the wrong usage of biometrics with passwords, and the false sense of security it brings, for the last 15 years.
- Mnemonic Security Inc. was founded in 2001 by Hitoshi Kokumai to promote the Expanded Password System. “Mnemonic” and “Mneme”, used in the company name and logo, imply that our identity must be protected by our own memory. Following pilot-scale operations in Japan, it is currently looking for a location to set up its global headquarters.