Over the past few years, we have seen a shift in how weshould be approaching Password Security, and with the death of the passwordstill years away, we must focus on educating users with good practice guidance,while delivering technical controls that simplify the whole process for ourusers.
Overall the industry felt that with the average businessuser now having close to 200 passwords, there was a real need to look atsimplifying both the guidance provided, and how we enforce the use ofpasswords.
Barely a few days go by where we are not hearing about thelatest high-profile data breach, and unfortunately a large portion of theseevents are caused by bad password security.
In the past we have tried to tackle this problem purely froma technical standpoint, and by implementing increasingly complex restrictions,us techies have made life more difficult for our users and ourselves.
Combining these password complexities, with an ever-increasing number of online services that need an account, has led to users trying to simplify things themselves. Users have resorted to using bad practice such as writing passwords down, using weaker more memorable passwords, and reusing the same passwords for multiple accounts.
The guidance provided here is not meant to be the silverbullet that solves all your password problems, but through continued educationand practice, we can make significant improvements and reduce the risk to ourbusiness and personal accounts.
I have put this first for two reasons; 1. Password reuse is considered thebiggest cause of account compromise, and 2. it simply doesn’t get enough airtime.
The Infosec guys reading this are probably questioning that last statement right now, as it is something that is constantly repeated in Security circles, but that’s my point, being known to security professionals is not enough, the user populous and general public need to understand it too.
In reality, when it comes to the average business user, orJoe/Jane public, this is arguably the least communicated and understood passwordsecurity recommendation, even though it stands out as one of the mostimportant.
You only need to visit the account creation page of some ofthe big online services, such as Facebook, Instagram, Amazon and Ebay, to seeno sign of guidance on using a unique password.
In my opinion these companies could lead by example,displaying clear and simple guidance to new and existing users, that includes avoidingpassword reuse.
As a rule, when creating a new account or changing your password, never use a password that’s been used somewhere else.
The key goal around these improvements is to reduce theburden on our users, and not make their digital life more difficult. Instead ofapplying out of date restrictions, that contribute to reducing security, makeit easier for them to create and manage their passwords.
We are in an online world where we need to remember a huge numberof passwords, and if we want users to comply with recommendations such as neverreusing passwords, things need to be simple. Good points here include:
Allowing users to Copy and paste their passwords – preventing this will likely result in them writing down their complex passwords, which will increase your risk of unauthorised account access.
Users should be allowed to securely store their passwords – again this prevents users from writing down their password or storing it insecurely (in clear text, notes, text files or contacts).
Password length and complexity is still a required factor but be flexible with what you deem as complex. A minimum of 12 characters, using upper / lower case, numbers or symbols are good but may prove difficult when creating multiple unique passwords.
As an alternative the use of phrases, song lyrics, bookquotes, or the combination of 3 or 4 random words (e.g. HorsePotatoSalvage) are also effective in creating long hard toguess passwords.
Combining this alternative with the use of character substitution you can quickly and easily increase password complexity, for instance h0rsePot4to$alvag3.
Understand that a user’s ability to generate numerous complexpasswords will be limited and that they will typical resort to using simplevariations of the same password, if the complexity is too great.
Password strength meters can provide the user feedback onwhether the selected password meets the system requirements, but understandthat the capabilities may be limited. Ensure they are enforcing a flexibleapproach as described above, and not just minimum characters and complexity.
For instance, ‘Passw0rd01!’is a poor password that may comply with a minimum 10 character, upper/lowercase, number and symbol password policy.
Where possible it is recommended to integrate passwordblacklists into your systems, to prevent the use of common or already compromisedpasswords.
Lots of organisations still feel that allowing passwordmanagers introduces a security risk they can’t accept. This really is oldschool thinking and is one of the key recommendations that should be adopted byall users for both their business and personal accounts.
Password Managers, such as Dashlane, LastPass and 1Password,can be a strong technical control that helps to significantly reduce the burdenon your users. A good password manager can help you meet the recommendations mentionedabove; allowing secure storage, strong complex generation and auto filling ofpasswords.
Through the use of a password manager you can actuallyincrease your security, preventing credentials from being input and stolen byfraudulent websites, while inbuilt password generators can reduce or evenremove the password reuse problem.
The biggest misconception we have seen around good passwordpractice, is the continued reliance on changing passwords periodically. This isanother change to the guidelines that has not reached organisations and theirtechnical teams.
Gone are the days when we must force our users to changetheir passwords every 90, 60 or heaven forbid, 30 days.
We recommended that you no longer force regular passwordchanges, but instead educate your users to change their password, when it hasbeen lost, forgotten or they think it may have been compromised.
Setting accounts to lockout after several repeated failureswill not be a new thing for most organisations, but what has changed is howaggressive we are when setting these lockout requirements.
Historically account lockout recommendations have beenpretty aggressive, forcing an account to be inactive after 3 -5 failed attemptsat a login. The latest recommendation is to set account lockouts to 10 attempts, which provides a betterbalance between security and usability. This results in a better userexperience while still protecting the account from brute-force attacks.
Users can be aided with the use of an account recoverymechanism, whether this be a self-service portal or an automated feature toenable the account after an elapsed period of time.
In addition, it is also recommended that you monitor login attempts and failures, either locally on the authentication server or using a central log manager or SIEM. This will allow you to identify any abnormal behaviour related to account compromise or brute-force login attempts.
A common password failure we come across during our CyberAssessments, is the use of default passwords. Vendors publish their defaultpasswords online, so they are very easy to get your hands on and can give anattacker full administrative access to the device.
The first thing that a bad guy will do after identifying themake of a reachable device is try the default credentials, and once access isgained the compromised device can be used to infiltrate the internal network.
Always remember to change all your defaults passwords as soon as possible during the initial deployment.
Multi-factor authentication or MFA for short, addsadditional layers of security to account logons using 3 common factors;
1. something you know (a password);
2. something you have (a token or device) and
3. something you are (biometrics; fingerprint or eye scan).
The idea around MFA is that if someone gets hold of yourpassword, they still need another 1 or 2 factors before they can access youraccount. The majority of MFA we see in use today uses the first two factors andis typically referred to as 2FA (Two Factor Auth) or Two Step verification.
Common 2FA implementations use smartphones or hard tokens togenerate a random 6-digit code that will need to be entered to access youraccount. These passcodes can be generated using SMS text messaging or through asmart phone authenticator app, such as Google Authenticator, Cisco DUO orMicrosoft Authenticator.
Just to be clear here, if a site asks you for two separate passwordsthis does not mean it is 2FA, this is still single factor auth as passwords aresomething you know.
To protect your online accounts from compromise it isrecommended that you enable 2FA/MFA where possible. The smartphoneauthenticator app is the more secure version of 2FA and should be preferredover the SMS alternative. That said, if SMS is your only option then this shouldbe implemented, as this is always better than not implementing 2FA.
Sharing credentials and passwords have been common place indays gone by, and we still witness organisations that operate an open passwordsharing policy, where passwords are written down and shared between the usersor taped to computer keyboards and monitors.
This is a very risky practice that can lead to compromise, falselogging / audit trails and an evidence chain that cannot be trusted if anincident was to occur.
Users should be instructed to keep their passwords tothemselves and should never share them with other users, including your manageror IT team.
The IT team should have procedures in place to support itsusers without the need for their individual passwords and should never ask auser for their password.
A final point will be aimed at the developers out there, andthat is to ensure that systems and applications never store passwords in cleartext.
If an attacker gains access to a system that contains credentials in clear text, they can export this database of passwords, and use it in targeted attacks against other systems. Taking into consideration that users often reuse their passwords on different online services, this credential data can then be used to gain access and compromise accounts on other systems.
Always store credentials securely using cryptographic functions to hash the password prior to storage. To protect against rainbow table brute force attempts each password should also include a unique random ‘salt’ value, that is added prior to the password being hashed.
This post has aimed to outline the latest password security guidelines,based on the NIST (National Institute of Standards and Technology) and NCSC(National Cyber Security Centre) published recommendations.
Through our work helping organisations improve their overallsecurity, it has been clear that a large majority still follow outdated passwordguidance. This not only creates headaches for their users but also results in securitygaps that can be exploited by the bad guys.
For good password practice follow these Do’s and Don’ts:
Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.
Samuel is a Security Analyst with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
Joshua is working as a Managed Service Lead with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
