After more than a year of effort, Ballot SC3 was recently unanimously approved by the CA/B Forum. It is the first major update to the Network and Certificate System Security Requirements proposed by the Forum’s Cybersecurity Working Group. It contains several important improvements, but one stands out: removing the requirement that passwords change every 90 days. Ballot SC3 still allows certificate authorities to implement periodic mandatory password change policies, but states that passwords must remain valid for at least two years if there is no reason to change them (such as evidence of compromise).
Years ago, NIST recommended that companies require users to change their passwords periodically. The idea was to prevent attackers who crack old passwords from being able to use them on the current system. This advice was widely adopted, and many security standards still require passwords to be changed regularly.
The problem is that “good” passwords are generally not memorable. Additional arbitrary complexity requirements, such as the need to include uppercase letters, numbers, and/or special characters, make them even harder to remember. Generating and remembering a new, unique, strong password that meets all of these requirements every 90 days is far beyond the ability of the normal human brain. Studies show that these mandatory password changes significantly increase the need for customer service and password resets.
People have adapted to these demands in predictable ways. The uppercase letter is usually the first character, the numbers usually come at the end, and special characters are placed at the ends, between two components, or substituted for letters in predictable ways (e.g. ‘0’ for ‘O’, ‘1’ for ‘l’, and similar substitutions for ‘e’). When users have to change a password, they also change it in predictable ways, for example by incrementing the number or moving the capital letter to the next letter. Users worn down by these requirements resort to passwords such as “Summer2018!”. Such passwords are not uncommon, and it is quite likely that one of your users is using this exact password right now.
Because these changes are predictable, it is easy to construct an algorithm that, starting from a user’s old password, efficiently finds the current one. The study demonstrating this was published in 2010 (www.cs.unc.edu/~reiter/pap…). As a result, a password change policy causes users to choose weaker passwords, increases support costs, and imposes no significant cost on the attacker. This is the exact opposite of good security policy.
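As an added example (not code from the article or from the CA/B Forum), here is a check a defender could run at password-change time to enforce the opposite of the 90-day treadmill: it rejects a proposed new password that is one of the predictable derivatives of the old one described above (incremented digits, moved capitals, ‘0’/‘1’ substitutions, symbols bolted onto the ends or between components) and flags the season-plus-year pattern such as “Summer2018!”. The minimum length, the edit-distance threshold and the extra substitution characters are assumptions, not values from the text or from NIST.

```python
import re
from typing import List, Optional

# '0'->'o' and '1'->'l' are the substitutions the text lists; the others are
# common additional ones (assumption).
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                               "@": "a", "$": "s", "5": "s"})
SEASON_YEAR = re.compile(r"^(spring|summer|autumn|fall|winter)(19|20)\d{2}$")


def core(password: str) -> str:
    """Reduce a password to the part the user actually remembers: lowercase it,
    drop the digits/symbols users append or prepend, undo leet substitutions,
    then drop any separators placed between components."""
    lowered = password.lower()
    lowered = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    lowered = lowered.translate(SUBSTITUTIONS)
    return re.sub(r"[^a-z]", "", lowered)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def evaluate_change(old: Optional[str], new: str, min_length: int = 8,
                    max_similarity: int = 2) -> List[str]:
    """Return the reasons a proposed change should be rejected (empty list =
    acceptable). Pass old=None when no previous password exists.
    Thresholds are assumptions for this example."""
    problems = []
    if len(new) < min_length:
        problems.append("too_short")
    if SEASON_YEAR.match(re.sub(r"[^a-z0-9]", "", new.lower())):
        problems.append("season_plus_year")
    if old is not None:
        old_core, new_core = core(old), core(new)
        # Same core (e.g. Welcome1! -> Welcome2!, P@ssw0rd -> Password) or a
        # core only a couple of edits away counts as a predictable derivative.
        if new_core == old_core or edit_distance(old_core, new_core) <= max_similarity:
            problems.append("predictable_derivative_of_previous")
    return problems
```

A long passphrase with no relation to the previous password passes cleanly, which is the behaviour the NIST guidance discussed below asks for.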
Part of the resistance to changing the requirement is that companies often have to comply with multiple audit regimes, and it takes time to get such a requirement removed from all of them. So while Ballot SC3 allows certification authorities to relax the requirement immediately, it also gives them a two-year grace period to work out how to comply with the new requirements. Fortunately, NIST has published excellent guidance in Appendix A of NIST SP 800-63B, which correctly states that the most important property of a password is its length, and that users should choose strong passwords that they can easily remember but that attackers cannot easily guess. Lifewire provides an easy way to create such a secure password.
Some organizations have already updated their standards to follow NIST’s new guidelines, and others, including FedRAMP, have said they expect people to follow them in anticipation of future updates. The most common complaints about eliminating the 90-day password change requirement come from companies that must also comply with PCI DSS. Adopting the NIST standard and eliminating the 90-day requirement would free those companies from managing separate password policies for PCI and non-PCI systems, and would reduce the risk of unnecessary password changes producing weak passwords on PCI-compliant systems.
Unfortunately, the Forum’s Cybersecurity Working Group has expired and has not yet been re-chartered under the CA/Browser Forum’s recent governance reform. It is hoped that the success of this work will lead to the re-establishment of the Cybersecurity Working Group, allowing us to continue making important and necessary changes to the Network and Certificate System Security Requirements.
[from SSL China]