The Shutdown Hangover: Passwords Continue to Be a Real Headache
You know the way, it throws about
It takes you in and spits you out
It spits you out when you desire
To conquer it, to feel you're higher
To follow it you must be clean
With mistakes that you do mean
Move the heart, switch the pace
Look for what seems out of place
-Peter Murphy
Well, the shutdown is over. Finally. Now, the shutdown hangover begins.
There was a curious announcement by the Department of Homeland Security (DHS) during the shutdown that had everyone scratching their collective heads ... at first.
DHS gave agencies 10 days – in the middle of a shutdown no less – to get their account security in order, specifically calling out two-factor authentication (2FA) and other protections due to DNS hijacking vulnerabilities.
I was glad to see DHS being proactive (ok, probably long overdue) in this area, but giving agencies 10 days to act in the middle of a shutdown was probably counterintuitive. Anyway, the shutdown is now over; so here we are. Agencies can start enacting these protections and controls. Whew. With a few days to spare.
Then there was this little gem on Twitter:
From a friend in govt: “So during the furlough our network passwords expired so now *the entire agency* is in the IT queue.” #trumpshutdown
— Jeff Carlson (@jeffcarlson) January 28, 2019
It turns out, lots of folks’ passwords expired during the shutdown and now there is a bit of a DOS attack on agency IT organizations as they struggle to get folks back to work.
Your approximate wait time is 47 days
— ShadowSpade (@ShadowSpadeXIV) January 28, 2019
But if, by the law of the land - HSPD-12, we are all using smart cards (which have their own set of issues and idiosyncrasies), then why are folks dead in the water with password expirations? Ah yes, the dirty little federal workforce secret, which isn’t really secret (I’ve been talking about this for years): we still use passwords. Lots of them. Everywhere. All the time. And because passwords are inherently flawed objects, we are forced to change them, all the time. We force this change through draconian password policies, which then forces yet another password security vulnerability and creates the aforementioned password lock out: people write them down on stickies and stick them to their monitors (remember that picture of the Hawaiian official during the missile scare with his password stuck to his monitor...on national television? Sure you do.).
Don’t get me wrong, I was a big fan of HSPD-12 when it came out ... in 2004. I wasn’t happy to get my OPM breach letter (my wife was less happy), but 2004 was 15 years ago. Fifteen years! A lot has changed since then, and a lot continues to change. Passwords can’t keep up.
The good news is that we are seeing real progress through FIDO with WebAuthn, but it’ll take some time for that to flow through the IT ecosystems, and as we all know federal agencies don’t tend to be early adopters for these sorts of things. So we’re likely a good two years out (my most optimistic self).
So what do we do in the meantime? I’m glad you asked.
We follow the DHS guidance. Now.
Where you have username/password (and we know you do) deploy 2FA. Start looking at a zero-trust security model across your agency. There is good work here from the CIO Council. Reach out to them and engage them to help plot the course for your zero-trust journey.
This also gives the added benefit of being able to change some of the outdated and ineffective password policies we still have in place today, and will hopefully make the Twitter-verse happier when they come back from the next shutdown (God forbid), or from vacation, or from sabbatical, or from whatever event that extended over the imaginary password line.