A user’s password is the key to open the door to their account. Depending on what kind of permissions that user account has once inside a system, that key could be very powerful indeed. If I have the password to your online banking, I may get access to your account and all the data contained therein. That would be a hassle for you. But if I can get the system admin’s password for the online bank at the server level, I can get my hands on your information and every other user, as well. This is how a surprising number of data breaches happen.
What makes good password security so important is this: one doesn’t need to be particularly tech-savvy to exploit someone’s password once they have it. Other types of security breaches—whether those are backdoors, remote installation of malware, or malicious code injection on web servers—require a fair amount of expertise. But a password? It’s the easiest way into data that doesn’t belong to you. This is why there’s a market for passwords on the dark web, leaving the hard part (breaking in) to those who know how, and the actual wreaking of havoc to someone with nothing more than malice on his mind. Credential stuffing, password spraying, and other types of password-based attacks could often be stopped by just employing good password security.
Password Security Recommendations from the NIST
The National Institute of Standards and Technology (NIST) has been studying the matter to increase security on a federal level. To better secure the federal government’s systems, it has released a draft of proposed changes to the nation’s password security policies. Though these policies, once enacted, only affect users working at a federal entity, they ought to be taken seriously by anyone charged with keeping their IT infrastructure (or personal accounts) secure.
Some of the recommendations buck long-held conventional wisdom about password security:
1. Make it Easier for Your Users to Create Passwords They’ll Remember
Don’t create restrictions on the format of the password. When you mandate things like using at least one upper-case letter, or one number, or special characters, or tell users the password is too long, this only frustrates people into looking for easy ways out. If John Smith decides to make his password “johnsmith,” that’s not acceptable. But by requiring specific formatting, you’re encouraging him to work within those restrictions to create something like “J0hnsm1th!”—which isn’t really any better. Anyone running a password-cracking tool can apply those lookalike substitutions automatically and recover this variation pretty quickly.
Instead, give John a wider berth in his creation. Encourage the use of a longer phrase (64 characters is the recommended maximum now, not 16), and ensure that the system can handle any character you throw at it, encompassing not just ASCII text, but also anything Unicode—including emojis. This works best when you’ve got a dictionary of known bad passwords that the system can check against. Then, when John’s first attempt at password creation—“johnsmith”—is rejected, he can channel his frustration into something much more secure, like these 49 characters: “Our system admin is an annoying pain in the ????.”
Sure, that’s pretty much straightforward English, but it’s actually more random than just replacing letters with lookalike numbers.
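The acceptance check described above, as an added example that is not code from the original post: no composition rules, an 8-to-64 character window, Unicode accepted and NFKC-normalised, a blocklist of known bad passwords, and a lookalike-substitution check that catches “J0hnsm1th!” as a variation of the user’s own name. The blocklist, the substitution table and the sample passphrase are constructed for illustration; a real deployment would use a large breached-password list.

```python
"""NIST SP 800-63B-style password acceptance check (added example)."""
import unicodedata
from typing import Tuple

MIN_LEN = 8
MAX_LEN = 64

# Constructed stand-in for a real breached-password blocklist.
KNOWN_BAD = {"password", "123456", "qwerty", "letmein", "johnsmith"}

# Common lookalike substitutions; undoing them exposes "J0hnsm1th!" as "johnsmith".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(pw: str) -> str:
    """NFKC-normalise so visually identical Unicode strings compare equal."""
    return unicodedata.normalize("NFKC", pw)


def canonical(text: str) -> str:
    """Lower-case, undo lookalike substitutions, drop spaces/punctuation for matching."""
    return "".join(ch for ch in text.lower().translate(LEET) if ch.isalnum())


def check_password(pw: str, username: str = "", fullname: str = "") -> Tuple[bool, str]:
    """Return (accepted, reason). Length is counted in code points after normalisation,
    so an emoji counts as one character, as the post recommends."""
    pw = normalize(pw)
    if len(pw) < MIN_LEN:
        return False, "too short"
    if len(pw) > MAX_LEN:
        return False, "too long"
    c = canonical(pw)
    if c in KNOWN_BAD:
        return False, "on the known-bad list"
    # Reject passwords built from the user's own identifiers (4+ chars to avoid
    # over-rejecting on very short names).
    for ident in (username, fullname):
        ci = canonical(ident)
        if len(ci) >= 4 and ci in c:
            return False, "contains your name"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ("johnsmith", "J0hnsm1th!", "my cat knocks the plant over every single morning 🌵"):
        print(repr(candidate), "->", check_password(candidate, username="jsmith", fullname="John Smith"))
```

The canonical form is deliberately crude: it is meant to stop a user re-spelling a blocked word, not to replace a proper cracking-dictionary check.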
Also, stop letting passwords expire and forcing users to change them. Every time you do that, it makes it more likely that the passwords will get easier to crack. Besides, no matter what the expiration time is—30 days, 6 months, 1 year—if you’ve gone that long without the password being stolen it means you’re doing something right.
No one changes the locks on their house yearly for extra protection. If no one’s been able to get into the house, it means you’re still the only one with a key. You only change them when you know someone who shouldn’t have access has gotten ahold of your key. It’s the same with passwords.
2. Stop Using Password Hints
We’ve been doing stuff like this for so long, it seems counterintuitive to do away with it. But, if you think about it, setting up hints and mechanisms to get or reset a password is what actually makes no sense. The whole point of a hint is to make it easier to arrive at an answer.
Imagine walking into a bank where you know Bill Gates has an account and trying to withdraw $1 million. The teller asks for your ID, which you don’t have because you’re not Bill Gates. But instead of turning you away, you’re asked, “Well, what’s the name of the city you were born in?” That is information which is much easier to obtain, and it seems like a terrible method to secure assets.
Strong passwords are the first step in protecting digital assets (and in many cases those digital assets represent access to real money). If someone doesn’t know a password, it’s better to assume there’s a reason for that than to give them a helping hand.
3. Do Away With SMS Two-Factor Authentication
Two-factor, or even multi-factor, authentication is a must, to be sure. But biometrics, like fingerprint or retinal scanning, is a much better way to protect your account—and it isn’t the kind of futuristic sci-fi tech of tomorrow that it used to be. Tomorrow is already here.
Doing it over SMS turns out to be a pretty poor way of going about it. As far as obstacles go, sending authorization codes to a cell phone via text is like asking a horse to jump over a six-inch-high hurdle. As this post shows, someone who’s smart enough to get hold of your password is plenty clever enough to figure out a way around text-based auth codes.
And, of course, now that everybody’s gotten wind of this method’s ineffectiveness, security bloggers are thinking and writing about the different ways this type of protection can be breached.
4. Admins Need to Be Smarter About How Passwords Are Stored
Back in 2013, the Naked Security blog detailed how one of the biggest software companies in the world, Adobe, failed 150 million of its users with dreadful practices in place to protect passwords.
Apart from shining a light on just how pointless password hints are, it also made clear that Adobe was storing passwords with reversible encryption rather than a salted one-way hash, and added no other protections. The result was a kind of simple decode process not much more sophisticated than what kids used to get with toy spy kits.
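To make the storage point concrete, here is an added example (not code from the original post, and not a reconstruction of Adobe’s actual scheme) that puts a deterministic, unsalted store beside a salted one-way key derivation. The weak store shows the property that made the Adobe dump decodable: identical passwords produce identical stored values, so a single leaked hint reveals the password of every user sharing that value. The hardened store uses Python’s `hashlib.scrypt` with a random per-user salt and a constant-time comparison. The user table and passwords are constructed.

```python
"""Unsalted digest store beside a salted scrypt store (added example)."""
import hashlib
import hmac
import os
from typing import Dict, List

SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32

# Constructed sample users; alice and bob happen to share a password.
USERS = {"alice": "Summer2013!", "bob": "Summer2013!", "carol": "my cat knocks the plant over"}


def store_unsalted(password: str) -> str:
    """Weak pattern: no salt, so the same password always maps to the same value.
    (A reversible cipher without a per-user IV has the same flaw.)"""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def store_salted(password: str) -> str:
    """Hardened pattern: random 16-byte salt + memory-hard scrypt, parameters recorded
    alongside the hash so they can be raised later without breaking old records."""
    salt = os.urandom(16)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Re-derive with the stored salt/parameters and compare in constant time."""
    _, n, r, p, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                        n=int(n), r=int(r), p=int(p), dklen=DKLEN)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def shared_password_groups(table: Dict[str, str]) -> Dict[str, List[str]]:
    """What a thief can read straight off a stolen table: users grouped by identical
    stored value. Any group with a readable hint gives away every member's password."""
    groups: Dict[str, List[str]] = {}
    for user, value in table.items():
        groups.setdefault(value, []).append(user)
    return {v: users for v, users in groups.items() if len(users) > 1}


if __name__ == "__main__":
    unsalted = {u: store_unsalted(p) for u, p in USERS.items()}
    salted = {u: store_salted(p) for u, p in USERS.items()}
    print("unsalted groups:", shared_password_groups(unsalted))   # alice and bob exposed together
    print("salted groups:  ", shared_password_groups(salted))     # nothing to group
    print("alice login ok: ", verify_salted("Summer2013!", salted["alice"]))
```

The memory-hard KDF also slows offline guessing once a table is stolen, which is the other half of “not assuming intruders can’t get in.”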
In our password-protected world, security turns out to be everyone’s responsibility. Policies need to be well thought out, users need to comply, and admins need to do right by the users by not assuming intruders can’t get in to steal passwords in the first place. The NIST’s new recommendations and findings are certainly a good place for everyone to start.
Password Managers: Weighing the Pros and Cons
Password managers are another way individuals and organizations try to reduce the risk of using passwords. Like other security tools, password managers can help, but they are not a complete solution that will absolve your organization from password-related risks. Another aspect to consider is that most password managers have been found to have vulnerabilities, or have even had breaches, over the years.
By deploying a password manager to your team, you put your security in the hands of these tools. A few notable security incidents include LastPass, My1Login, KeePass, OneLogin, PasswordBox, MyPasswords, Avast Passwords, and RoboForm. Some of these vulnerabilities were disclosed by Google Project Zero’s Tavis Ormandy, including vulnerabilities in their browser plugins.
Our recommendations? Password managers can help minimize the IT overhead of password retrieval, but they also introduce another potential supply chain attack on organizations.
In our password-protected world, a strong security policy includes the vendors and people on every team, and the NIST’s recommendations and findings are a good place for everyone to start. Next up, read this blog post, 7 Ways Hackers Steal Your Password.