A previously unknown vulnerability.

This has gone on long enough. In 2004, Bill Gates predicted the demise of the password: “There is no doubt that over time, people are going to rely less and less on passwords. People use the same password on different systems, they write them down and they just don't meet the challenge for anything you really want to secure.” The first known computer password heist occurred 54 years ago, and the situation is arguably worse than it was in 1962. The 2015 Verizon Data Breach Report estimated 700 million compromised records in 2014 with a $400 million estimated financial impact. According to Verizon’s Data Breach Digest, 80% of breaches involve exploitation of stolen, weak, default, or easily guessable passwords. For so many years we’ve talked about why passwords are insecure, unusable, and otherwise just plain bad. Today, we’re taking the next step forward at NIST. It’s time to make a stand against passwords.

The National Vulnerability Database is the U.S. government repository of standards-based vulnerability management data. It contains over 75,000 vulnerabilities. Today it contains one more. Earning the maximum base score of 10.0 and an impact score of ∞, we’ve added the password to the NVD. The Common Vulnerability Scoring System metrics are unusually severe, with high impacts to each of confidentiality, integrity, and availability. “The analytics proved this one particularly nasty,” said Paul Grassi of the NSTIC NPO. “It’s rare to see a vulnerability that’s permeated so many systems. It’s like wildfire.”

We’ve canvassed the community and have gotten mostly positive feedback. “The people who ask you for your password are often those least qualified to manage it,” remarked known rabble-rouser John Bradley from Ping Identity. “Passwords have long been passé. Let’s just say NIST is fashionably late to the party.” Some in industry thought this a foregone conclusion, such as Stu Vaeth from SecureKey: “Well, I suppose this is more like a 19,000-day than a zero-day, but it’s comforting that NIST finally finished the paperwork.” Others weren’t so sure about the move. Peter Alterman, COO of SAFE-BioPharma and noted ham radio operator, took a predictably contrarian position by declaring that “passwords work fine. It’s people that are struggling to keep up with the pace of the Internet. Totally obsolete.” We’ll get right on that one.

Comments

So what? It seems to be every week that I read about, or am even asked to use, a different method, without any information to help me trust it. So I'm with Pete Alterman.
I strongly support this, a sign of Mike Garcia's strong leadership.
Why is this article tagged "april fools"?
Thank you very much. ...
