Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019

COI Report – Part VII
Page 304 of 425

886. It is recommended that IHiS adopt a better approach by moving from the use of passwords to passphrases.[81] Passwords, even those with complex combinations of letters, numbers and symbols, no longer afford sufficient protection. Passwords that were once considered almost unbreakable can now be cracked in a matter of hours or days. Passphrases are longer but need not necessarily contain numbers or symbols, which makes them easy to remember, eliminating the need for them to be written down or stored. By using passphrases, brute force attacks can be rendered impractical.

887. In June 2017, NIST released new standards for password security entitled “Authentication & Lifecycle Management”.[82] In these guidelines NIST recommends using long passphrases instead of seemingly complex passwords. NIST observed that the “memory burden” on users could be lightened, and recommended encouraging users to create unique passphrases they could more easily remember. The switch to passphrases has also been recommended by a number of other reputable institutions.

888. The Committee notes that the Singapore public sector’s IT policy has very recently encouraged the use of passphrases instead of complex passwords. The policy now requires the use of longer passwords, with fewer complexity requirements, implicitly encouraging users to switch to the use of passphrases.

889. It is also pertinent to note that the NIST guidelines also recommend that:

a) When processing requests to establish and change memorized secrets, verifiers shall compare the prospective secrets against a list that contains values known to be commonly-used, expected, or

[81] A secure passphrase can be as simple as a short sentence with proper punctuation, e.g. “IAmUsingAPassphraseOnThisComputer”.
[82] NIST.SP.800-63B. Australian Cyber Security Centre, Passphrase Requirements, November 2017; SANS Institute, OUCH Newsletter Passphrases, April 2017.
[84] NIST.SP.800-63B at 5.1.1.2 Memorized Secret Verifiers, p
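
The verifier-side check described in paragraph 889, set against an old-style complexity rule, as an added example that is not taken from the COI report or from NIST. The blocklist entries are constructed samples, the function names are hypothetical, case-folding before the lookup is an assumption, and the 8-character minimum is the one SP 800-63B section 5.1.1.2 sets for user-chosen secrets.

```python
import math
import unicodedata

# Constructed sample list; a real verifier loads a large corpus of
# commonly-used and breached values.
BLOCKLIST = {"password", "p@ssw0rd1", "qwerty123", "letmein123"}
MIN_LEN = 8  # minimum length for user-chosen secrets in SP 800-63B 5.1.1.2


def normalize(secret):
    # Assumption: fold Unicode form and case so trivial variants match.
    return unicodedata.normalize("NFKC", secret).casefold()


def legacy_complexity_ok(secret):
    """Old-style rule: 8+ chars with upper, lower, digit and symbol."""
    return (len(secret) >= 8
            and any(c.isupper() for c in secret)
            and any(c.islower() for c in secret)
            and any(c.isdigit() for c in secret)
            and any(not c.isalnum() for c in secret))


def check_secret(secret, blocklist=BLOCKLIST):
    """Length + blocklist check with no composition rules."""
    if len(secret) < MIN_LEN:
        return False, "too short"
    if normalize(secret) in blocklist:
        return False, "on blocklist"
    return True, "ok"


def search_space_bits(length, alphabet_size):
    """log2 of the candidates an exhaustive character search must cover.

    Upper bound only: a guesser working from word lists does far better
    against a sentence made of common words.
    """
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for s in ("P@ssw0rd1", "IAmUsingAPassphraseOnThisComputer"):
        print(s, legacy_complexity_ok(s), check_secret(s))
    print(round(search_space_bits(8, 95), 1))    # 8 printable-ASCII chars
    print(round(search_space_bits(33, 52), 1))   # 33 letters, mixed case
```

The "complex" password satisfies the legacy rule yet is rejected by the blocklist, while the report's sample passphrase fails the legacy rule and is accepted by the length-plus-blocklist check.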