NIST’s thoughts on authentication

NIST has a new draft of their SP 800-63-1, "Electronic Authentication Guideline," available for public comments. This document discusses multi-factor authentication, and it's probably worth sending them comments on this particular topic.

As I mentioned in a recent post, the judge's ruling in Patco Construction v. People's United Bank seemed to turn on the FFIEC's "Authentication in an Internet Banking Environment" (PDF), and this guidance didn't explicitly say that in multifactor authentication you need to have success with each of the factors for the overall authentication to be a success.

SP 800-63-1 seems to also overlook a clear discussion of this, so if you feel strongly about this, you now have a chance to submit comments to NIST that reflect your thoughts on it. You can find the form for submitting comments here.

SP 800-63-1 also has an interesting discussion of password strength. It uses Shannon entropy instead of minimum entropy to estimate this, and it has a set of guidelines for estimating how many bits of entropy a user-selected password will give you. Here are the guidelines that it has for this:

  • The entropy of the first character is taken to be 4 bits;
  • The entropy of each of the next 7 characters is 2 bits per character; this is roughly consistent with Shannon's estimate that "when statistical effects extending over not more than 8 letters are considered the entropy is roughly 2.3 bits per character;"
  • For the 9th through the 20th character the entropy is taken to be 1.5 bits per character;
  • For characters 21 and above the entropy is taken to be 1 bit per character;
  • A "bonus" of 6 bits of entropy is assigned for a composition rule that requires both upper case and non-alphabetic characters. This forces the use of these characters, but in many cases these characters will occur only at the beginning or the end of the password, and it reduces the total search space somewhat, so the benefit is probably modest and nearly independent of the length of the password;
  • A bonus of up to 6 bits of entropy is added for an extensive dictionary check. If the Attacker knows the dictionary, he can avoid testing those passwords, and will in any event, be able to guess much of the dictionary, which will, however, be the most likely selected passwords in the absence of a dictionary rule. The assumption is that most of the guessing entropy benefits for a dictionary test accrue to relatively short passwords, because any long password that can be remembered must necessarily be a "pass-phrase" composed of dictionary words, so the bonus declines to zero at 20 characters.

The following graph summarizes what this gives you for a reasonable range of password lengths.
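As an added example (not code from the original post or from NIST), the following Python turns the guidelines above into a function and tabulates the estimate for the same range of lengths the graph plots. The per-character rates and the two 6-bit bonuses are taken from the list above; the exact shape of the dictionary bonus is an assumption (the full 6 bits through 8 characters, then a linear decline to zero at 20 characters), since the draft only says "up to 6 bits" and "declines to zero at 20 characters". The guess-probability helper at the end is also an added interpretation of what the bit count means for a defender sizing an online guessing limit.

```python
"""Estimated password entropy per the SP 800-63-1 draft guidelines.

Added example, not code from the original post or from NIST.  The
per-character rates and the 6-bit bonuses come from the guidelines quoted
above; the shape of the dictionary-bonus decline is an assumption
(constant 6 bits through 8 characters, then linear to zero at 20).
"""


def base_entropy_bits(length: int) -> float:
    """Shannon-style estimate for a user-chosen password of `length` characters."""
    if length <= 0:
        return 0.0
    bits = 4.0                                  # first character: 4 bits
    bits += 2.0 * min(max(length - 1, 0), 7)    # characters 2..8: 2 bits each
    bits += 1.5 * min(max(length - 8, 0), 12)   # characters 9..20: 1.5 bits each
    bits += 1.0 * max(length - 20, 0)           # characters 21+: 1 bit each
    return bits


def dictionary_bonus_bits(length: int) -> float:
    """Bonus for an extensive dictionary check.

    Assumption (not stated in the draft): the full 6 bits apply through
    8 characters and the bonus then falls linearly to 0 at 20 characters.
    """
    if length <= 8:
        return 6.0
    if length >= 20:
        return 0.0
    return 6.0 * (20 - length) / 12


def estimated_entropy_bits(length: int,
                           composition_rule: bool = False,
                           dictionary_check: bool = False) -> float:
    """Total estimate: base rate plus the two optional bonuses."""
    bits = base_entropy_bits(length)
    if composition_rule:
        bits += 6.0          # flat 6-bit bonus, independent of length
    if dictionary_check:
        bits += dictionary_bonus_bits(length)
    return bits


def online_guess_success_probability(bits: float, guesses: int) -> float:
    """Chance that `guesses` attempts find a password of `bits` estimated entropy.

    Treats 2**bits as an effective password space.  Because the draft's
    estimate is Shannon entropy rather than min-entropy, the most common
    passwords are guessed with better odds than this figure suggests, so
    use it as a rough sizing aid for lockout thresholds, not a bound.
    """
    return min(1.0, guesses / (2.0 ** bits))


def entropy_table(lengths=(4, 6, 8, 10, 12, 16, 20, 24, 30)):
    """Rows of (length, no checks, dictionary check, dictionary + composition)."""
    return [(n,
             estimated_entropy_bits(n),
             estimated_entropy_bits(n, dictionary_check=True),
             estimated_entropy_bits(n, composition_rule=True, dictionary_check=True))
            for n in lengths]


if __name__ == "__main__":
    print(f"{'len':>4} {'none':>6} {'dict':>6} {'dict+comp':>10}")
    for n, none, dictionary, both in entropy_table():
        print(f"{n:>4} {none:>6.1f} {dictionary:>6.1f} {both:>10.1f}")
    # e.g. an 8-character password with no rules is estimated at 18 bits;
    # 1000 online guesses against it succeed with probability ~0.4%
    print(online_guess_success_probability(estimated_entropy_bits(8), 1000))
```

Running the script prints the table; the "none" column grows by 2 bits per character up to 8 characters, then 1.5, then 1, which is why the draft's curve flattens for long passwords while the dictionary bonus it adds for short ones fades out by 20 characters.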



That's definitely the most thorough analysis of password strength that I've seen in a standard. It may not be perfectly accurate, but then it says that these values

should not be taken as accurate estimates of absolute entropy, but they do provide a rough relative estimate of the likely entropy of user chosen passwords, and some basis for setting a standard for password strength.

What's missing from this analysis, however, is a clear recommendation on exactly how many bits of estimated entropy a password should actually have. Maybe that's also worth commenting on.
