EPA Ignores Experts Setting Password Security Policy

In case you missed it, EPA is yet again changing it's password requirements. This attempt to strengthen security will ultimately reduce security.

As noted security expert Bruce Schneier notes, the National Institutes of Standards and Technology (NIST) recently published its four-volume SP800-63b Digital Identity Guidelines. As Bruce notes, the document "makes three important suggestions when it comes to passwords:

  1. Stop it with the annoying password complexity rules. They make passwords harder to remember. They increase errors because artificially complex passwords are harder to type in. And they don't help that much. It's better to allow people to use pass phrases.
  2. Stop it with password expiration. That was an old idea for an old way we used computers. Today, don't make people change their passwords unless there's indication of compromise.
  3. Let people use password managers. This is how we deal with all the passwords we need.

And we'll add one to Bruce's list, above. These "complex" passwords require people to write them down to remember them. Typically they'll write them on a note that's left under the keyboard or in an unlocked drawer at their desk so they can pull the note out easily. Having a password that's impossible to remember simply encourages the insecure practice of leaving a written note with ones password in an easily-accessible location.

EPA ignores federal experts and does exactly the opposite of all three NIST recommendations Bruce mentions. OEI's password policy is a "failed attempt[] to fix the user." As Mr. Schneier notes, "Better we fix the security systems" instead of the user.

Here's OEI's note in its entirety:

New character count requirement for LAN passwords

Beginning Dec. 13, EPA employees changing their LAN password will need to comply with new character count requirements. The change is to help ensure employees strengthen their passwords, which is critical to information security.

The current eight-character password is being increased to a minimum of 12 characters with the following requirements:
• Password length must be a minimum of 12 characters and contain characters from three of the following four categories:
o At least one digit (0-9).
o At least one symbol (~, !, @, #, $, %, +, <, >, /, ?).
o At least one uppercase English letter (A-Z).
o At least one lowercase English letter (a-z).
• Must not contain your username, dictionary words, simple words, or any part of your full name that exceeds two characters (example: cannot be ‘SMI’, if your last name is ‘SMITH’).
• Must differ from previous password by four characters.
• Must differ from previous 24 passwords.

For more details, visit the New LAN Password Update web page.
— intranet.epa.gov/nisintra/security/index.html