How strong is your password? Hard to say

By: William Jackson
November 16, 2015


NIST is mulling over removing entropy requirements for passwords from its security guidelines. There really is no good way to measure how strong a password is, anyway.

The National Institute of Standards and Technology (NIST) sets minimum requirements for the strength of passwords used on federal IT systems. This strength is measured in bits of entropy, which is supposed to be a gauge of how hard it is to guess or otherwise determine a password. But during a recent cybersecurity discussion a NIST official said the agency is considering eliminating these requirements.

The reasons are two-fold. Passwords generally provide poor security. Breaking even strong passwords is becoming increasingly easy, and managing them—especially strong ones—is a chore for both users and administrators. And it turns out that there is no good way to measure the strength of a password. We assume that a long one is more secure than a short one, and that many types of characters are more secure than a few types. But we don’t really know for sure.

Password requirements are laid out in NIST Special Publication 800-63-2, Electronic Authentication Guideline. Passwords, or “memorized secret tokens,” are allowed for only the two lowest of four security levels. Level 1 requires a password of at least six characters chosen from an alphabet of at least 90 characters (the standard keyboard has 94 characters), and level 2 requires a password of eight characters chosen from among at least 90 with some added restrictions or rules.

According to NIST, the estimated strength of the minimum level 1 password is 14 bits of guessing entropy. For level 2 it is 24 bits. “Guessing entropy” measures the difficulty of guessing a user-generated password.

But the writers of the guidelines caution readers that rules for guessing entropy are no more than “a very rough rule of thumb method to be used for the purposes of e-authentication.”
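To make the "rough rule of thumb" concrete, here is an added example (not NIST code, and not from the original article) that implements the per-character bit schedule NIST SP 800-63 gives in its Appendix A for user-chosen passwords and sets it beside the entropy a password drawn uniformly at random from the same alphabet would have. The first-character and per-position bit values follow the appendix text; the exact taper assumed for the dictionary-check bonus (6 bits at lengths 6 through 8, falling linearly to zero at 20 characters) is an assumption chosen to reproduce the 14-bit and 24-bit figures quoted above.

```python
"""NIST SP 800-63 Appendix A 'rule of thumb' for the guessing entropy of a
user-chosen password, next to the entropy of a password drawn uniformly at
random from the same alphabet. Added example; not NIST's own code."""
import math


def random_password_entropy_bits(length: int, alphabet_size: int) -> float:
    """A password chosen uniformly at random from alphabet_size symbols has
    log2(alphabet_size ** length) bits of entropy."""
    return length * math.log2(alphabet_size)


def dictionary_bonus_bits(length: int) -> float:
    """Bonus for an extensive dictionary check. Appendix A says 'up to 6 bits',
    declining to zero at 20 characters. The schedule here (ramping to 6 bits at
    length 6, held through length 8, then tapering linearly to 0 at length 20)
    is an assumption made to reproduce the table values quoted in the article."""
    if length < 4:
        return 0.0
    if length <= 8:
        return float(min(length, 6))
    if length >= 20:
        return 0.0
    return 6.0 - 0.5 * (length - 8)


def guessing_entropy_bits(length: int, composition_rule: bool = False,
                          dictionary_check: bool = False) -> float:
    """Appendix A per-character schedule: 4 bits for the first character,
    2 bits each for characters 2-8, 1.5 bits each for characters 9-20,
    1 bit for each character beyond that. A composition rule (upper case
    plus non-alphabetic characters required) adds a flat 6 bits; a
    dictionary check adds dictionary_bonus_bits()."""
    bits = 0.0
    for position in range(1, length + 1):
        if position == 1:
            bits += 4.0
        elif position <= 8:
            bits += 2.0
        elif position <= 20:
            bits += 1.5
        else:
            bits += 1.0
    if composition_rule:
        bits += 6.0
    if dictionary_check:
        bits += dictionary_bonus_bits(length)
    return bits


def compare(length: int, alphabet_size: int = 90, **rules) -> dict:
    """Side by side: what the alphabet would permit versus what the rule of
    thumb credits a human-chosen password of that length with. The last
    field is the ratio of the two search spaces, 2 ** (random - user)."""
    user = guessing_entropy_bits(length, **rules)
    rand = random_password_entropy_bits(length, alphabet_size)
    return {
        "length": length,
        "random_bits": round(rand, 2),
        "user_chosen_bits": user,
        "search_space_ratio": round(2 ** (rand - user)),
    }


if __name__ == "__main__":
    # Level 1 minimum from the article: six characters from an alphabet of 90.
    print(compare(6))
    # Level 2 minimum: eight characters with an added rule (dictionary check).
    print(compare(8, dictionary_check=True))
    # A long passphrase for contrast.
    print(compare(20))
```

Running it shows the gap the article is describing: six random characters from a 90-symbol alphabet carry about 39 bits, while the same length chosen by a person is credited with 14, a search space roughly 30 million times smaller.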

What is “entropy”? First of all, as used here, it is not the standard definition from thermodynamics, which—put most simply—is the idea that things run down. Because order requires energy, eventually everything will reduce to a state of uniform disorder.

According to NIST, the term “entropy” as used in information theory was coined by Claude Shannon as an expression of the amount of information in English text. In cryptography it is used as a measure of the difficulty in guessing or determining a password or a key. There is a mathematical definition for it and an equation for figuring it, but the results are not as precise as this implies. The problem—as is so often the case in cybersecurity—is people.

Entropy depends on the frequency distribution of characters in a user-generated password. Frequency distribution can be figured for English in general, but passwords are secret and there is little information on the frequency distribution of characters in passwords. But, says NIST, “experience teaches us that many users, left to choose their own passwords will choose passwords that are easily guessed.”

Even when requirements are added for complexity, such as using multiple types of characters and both upper and lower case letters, users create the simplest password possible, merely adding an initial upper-case letter to a string of lower-case letters, with a punctuation mark at the end.

The end result is an undoubtedly weaker password, but how much weaker is impossible to say beyond NIST’s admittedly “ballpark” estimate.
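The following added example (written for this page, not taken from NIST or the article) applies Shannon's definition, H = -Σ p·log2 p, to a constructed sample of passwords shaped the way the paragraph above describes. Rather than measuring whole passwords, it measures the entropy of the character class (upper, lower, digit, symbol) at the first position, the last position, and the middle. Under a composition rule any of the four classes is permitted at every position, which would be 2 bits per position if users chose uniformly; the sample shows what the predictable "Capital, lower-case run, digit, punctuation" habit does to that figure. The password list is invented for the example.

```python
"""Shannon entropy of the character-class distribution at each position of a
set of user-chosen passwords. Added example; not code from the article or
from NIST. Shows why composition rules add less entropy than they appear to:
users put the required character types in predictable places."""
import math
from collections import Counter

# Constructed sample, invented for this example (not real credentials),
# shaped the way the article describes: initial capital, lower-case run,
# a digit or two, trailing punctuation.
SAMPLE_PASSWORDS = [
    "Password1!", "Welcome1!", "Summer16!", "Football1!", "Monday2!",
    "Letmein1!", "Baseball7!", "Princess1!", "Sunshine9!", "Dragon12!",
]


def char_class(ch: str) -> str:
    """Map a character to one of the four classes composition rules count:
    U = upper case, l = lower case, d = digit, s = anything else."""
    if ch.isupper():
        return "U"
    if ch.islower():
        return "l"
    if ch.isdigit():
        return "d"
    return "s"


def password_mask(password: str) -> str:
    """The class-by-class shape of a password, e.g. 'Password1!' -> 'Ulllllllds'."""
    return "".join(char_class(c) for c in password)


def shannon_entropy_bits(counts: Counter) -> float:
    """H = -sum(p * log2 p) over an observed frequency distribution."""
    total = sum(counts.values())
    return -sum((n / total) * math.log2(n / total) for n in counts.values() if n)


def positional_class_entropy(passwords) -> dict:
    """Entropy of the character class at the first position, the last
    position, and all middle positions pooled together. A uniform choice
    among the four classes would give log2(4) = 2 bits at every position."""
    first = Counter(char_class(p[0]) for p in passwords)
    last = Counter(char_class(p[-1]) for p in passwords)
    middle = Counter(char_class(c) for p in passwords for c in p[1:-1])
    return {
        "first": shannon_entropy_bits(first),
        "middle": shannon_entropy_bits(middle),
        "last": shannon_entropy_bits(last),
        "uniform_reference": math.log2(4),
    }


def most_common_masks(passwords, n: int = 3):
    """Which shapes dominate. A policy audit would flag a population in which
    a handful of masks cover most accounts, since a rule that everyone
    satisfies the same way adds almost nothing to the search space."""
    return Counter(password_mask(p) for p in passwords).most_common(n)


if __name__ == "__main__":
    print(positional_class_entropy(SAMPLE_PASSWORDS))
    print(most_common_masks(SAMPLE_PASSWORDS))
```

On this sample the first and last positions contribute 0 bits (every password starts with a capital and ends with a punctuation mark) and the middle well under 1 bit per character, against the 2 bits a uniform choice of class would give. That is the mechanism behind NIST's "ballpark" caveat: the rule-of-thumb bonus for a composition requirement is a guess about how far real users' habits fall short of uniform, and the only way to refine it is to measure populations of passwords that are, by design, secret.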

So Paul Grassi, senior standards and technology advisor at NIST, reportedly said that he would like to do away with passwords for all but the most inconsequential uses, replacing them with some other two-factor form of authentication.

One of those factors probably would be some form of biometrics. The government also is highly invested in physical tokens, the civilian smart PIV (Personal Identity Verification) Card and its military equivalent the CAC (Common Access Card), which are equipped to use biometrics as a second factor. But even with these cards already in the hands of millions of users, they still have not replaced the password on federal IT systems. According to the latest White House report to Congress on implementing the Federal Information Sharing and Management Act, user name and password still is the dominant form of authentication on both privileged and unprivileged accounts throughout civilian agencies.

Clearly, whatever the failings of the password, rooting it out is going to take some time. If it is ever replaced, what the technology and infrastructure replacing it will be is impossible to say at this time.