Over the past few years, we have seen a shift in how we should be approaching Password Security, and with the death of the password still years away, we must focus on educating users with good practice guidance, while delivering technical controls that simplify the whole process for our users.
Overall the industry felt that with the average business user now having close to 200 passwords, there was a real need to look at simplifying both the guidance provided, and how we enforce the use of passwords.
Barely a few days go by where we are not hearing about the latest high-profile data breach, and unfortunately a large portion of these events are caused by bad password security.
In the past we have tried to tackle this problem purely from a technical standpoint, and by implementing increasingly complex restrictions, we techies have made life more difficult for our users and ourselves.
Combining these password complexities with an ever-increasing number of online services that need an account has led to users trying to simplify things themselves. Users have resorted to bad practices such as writing passwords down, using weaker, more memorable passwords, and reusing the same passwords for multiple accounts.
The guidance provided here is not meant to be the silver bullet that solves all your password problems, but through continued education and practice, we can make significant improvements and reduce the risk to our business and personal accounts.
Never Reuse Passwords
I have put this first for two reasons: 1. Password reuse is considered the biggest cause of account compromise, and 2. it simply doesn’t get enough air time.
The Infosec guys reading this are probably questioning that last statement right now, as it is something that is constantly repeated in Security circles, but that’s my point. Being known to security professionals is not enough; the user populace and general public need to understand it too.
In reality, when it comes to the average business user, or Joe/Jane public, this is arguably the least communicated and understood password security recommendation, even though it stands out as one of the most important.
You only need to visit the account creation page of some of the big online services, such as Facebook, Instagram, Amazon and Ebay, to see no sign of guidance on using a unique password.
In my opinion these companies could lead by example, displaying clear and simple guidance to new and existing users, that includes avoiding password reuse.
As a rule, when creating a new account or changing your password, never use a password that’s been used somewhere else.
Helping Users Cope with the Burden of Passwords
The key goal around these improvements is to reduce the burden on our users, and not make their digital life more difficult. Instead of applying out-of-date restrictions that contribute to reducing security, make it easier for them to create and manage their passwords.
We are in an online world where we need to remember a huge number of passwords, and if we want users to comply with recommendations such as never reusing passwords, things need to be simple. Good points here include:
- Allowing users to copy and paste their passwords – preventing this will likely result in them writing down their complex passwords, which will increase your risk of unauthorised account access.
- Users should be allowed to securely store their passwords – again this prevents users from writing down their password or storing it insecurely (in clear text, notes, text files or contacts).
Password length and complexity is still a required factor but be flexible with what you deem as complex. A minimum of 12 characters, using upper / lower case, numbers or symbols is good but may prove difficult when creating multiple unique passwords.
As an alternative the use of phrases, song lyrics, book quotes, or the combination of 3 or 4 random words (e.g. HorsePotatoSalvage) are also effective in creating long, hard-to-guess passwords.
Combining this alternative with the use of character substitution you can quickly and easily increase password complexity, for instance h0rsePot4to$alvag3.
Understand that a user’s ability to generate numerous complex passwords will be limited and that they will typically resort to using simple variations of the same password if the complexity is too great.
Password strength meters can provide the user feedback on whether the selected password meets the system requirements, but understand that the capabilities may be limited. Ensure they are enforcing a flexible approach as described above, and not just minimum characters and complexity.
For instance, ‘Passw0rd01!’ is a poor password that may comply with a minimum 10 character, upper/lower case, number and symbol password policy.
Where possible it is recommended to integrate password blacklists into your systems, to prevent the use of common or already compromised passwords.
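The gap between a composition rule and a blacklist check, as an added example that is not part of the original post: ‘Passw0rd01!’ satisfies the legacy rule, yet a check that strips appended characters and undoes common substitutions before the lookup rejects it. The word list, substitution table and function names are constructed for illustration.

```python
import re

# Constructed sample list; a real deployment would load a large list of
# common and already-compromised passwords.
COMMON_PASSWORDS = {"password", "letmein", "qwerty", "welcome", "dragon"}

# Common character substitutions, undone before the list lookup.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                               "5": "s", "@": "a", "$": "s", "!": "i"})
MIN_LENGTH = 12  # minimum length suggested in the text above


def meets_composition_rule(password, min_len=10):
    """Legacy-style rule: minimum length plus upper, lower, digit, symbol."""
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    return len(password) >= min_len and all(re.search(c, password) for c in classes)


def common_password_base(password):
    """Return the listed password this one is built on, or None."""
    core = password.lower()
    core = re.sub(r"[^a-z]+$", "", core)   # drop appended digits/symbols ("01!")
    core = core.translate(SUBSTITUTIONS)   # "passw0rd" -> "password"
    return core if core in COMMON_PASSWORDS else None


def flexible_policy(password):
    """Return a list of rejection reasons; an empty list means accepted."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    base = common_password_base(password)
    if base:
        reasons.append(f"variation of common password '{base}'")
    return reasons


if __name__ == "__main__":
    for pw in ("Passw0rd01!", "P@ssw0rd2024!!", "HorsePotatoSalvage",
               "h0rsePot4to$alvag3"):
        print(pw, meets_composition_rule(pw), flexible_policy(pw) or "accepted")
```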
Allow the use of Password Managers
Lots of organisations still feel that allowing password managers introduces a security risk they can’t accept. This really is old school thinking and is one of the key recommendations that should be adopted by all users for both their business and personal accounts.
Password Managers, such as Dashlane, LastPass and 1Password, can be a strong technical control that helps to significantly reduce the burden on your users. A good password manager can help you meet the recommendations mentioned above; allowing secure storage, strong complex generation and auto filling of passwords.
Through the use of a password manager you can actually increase your security, preventing credentials from being input and stolen by fraudulent websites, while inbuilt password generators can reduce or even remove the password reuse problem.
Change Passwords Only When You Need To
The biggest misconception we have seen around good password practice is the continued reliance on changing passwords periodically. This is another change to the guidelines that has not reached organisations and their technical teams.
Gone are the days when we must force our users to change their passwords every 90, 60 or heaven forbid, 30 days.
We recommend that you no longer force regular password changes, but instead educate your users to change their password when it has been lost, forgotten or they think it may have been compromised.
Control and Monitor Account Lockouts
Setting accounts to lockout after several repeated failures will not be a new thing for most organisations, but what has changed is how aggressive we are when setting these lockout requirements.
Historically, account lockout recommendations have been pretty aggressive, forcing an account to be inactive after 3-5 failed attempts at a login. The latest recommendation is to set account lockouts to 10 attempts, which provides a better balance between security and usability. This results in a better user experience while still protecting the account from brute-force attacks.
Users can be aided with the use of an account recovery mechanism, whether this be a self-service portal or an automated feature to enable the account after an elapsed period of time.
In addition, it is also recommended that you monitor login attempts and failures, either locally on the authentication server or using a central log manager or SIEM. This will allow you to identify any abnormal behaviour related to account compromise or brute-force login attempts.
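The lockout and monitoring guidance above, sketched as an added example that is not part of the original post: an account locks after 10 failures, re-enables after an elapsed period, and each lockout or attempt against a locked account is recorded for a log manager or SIEM. The 15-minute unlock window, the class name and the sample events are assumptions.

```python
from collections import defaultdict

LOCKOUT_THRESHOLD = 10        # failed attempts before lockout, as recommended above
UNLOCK_AFTER_SECS = 15 * 60   # assumed auto-unlock window; the post gives no value


class LockoutTracker:
    def __init__(self):
        self.failures = defaultdict(int)   # consecutive failures per account
        self.locked_until = {}             # account -> unlock time (epoch seconds)
        self.alerts = []                   # events to forward to the log manager

    def is_locked(self, user, now):
        until = self.locked_until.get(user)
        if until is not None and now >= until:
            # Elapsed-time recovery: re-enable the account and reset the counter.
            del self.locked_until[user]
            self.failures[user] = 0
            return False
        return until is not None

    def record(self, user, success, now, source):
        """Process one login event; return 'ok', 'failed' or 'locked'."""
        if self.is_locked(user, now):
            self.alerts.append((now, user, source, "attempt on locked account"))
            return "locked"
        if success:
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= LOCKOUT_THRESHOLD:
            self.locked_until[user] = now + UNLOCK_AFTER_SECS
            self.alerts.append((now, user, source, "lockout threshold reached"))
            return "locked"
        return "failed"


def replay(events):
    """Feed (time, user, success, source) tuples through a fresh tracker."""
    tracker = LockoutTracker()
    return tracker, [tracker.record(u, ok, ts, src) for ts, u, ok, src in events]


# Constructed events: bob mistypes three times, alice receives ten rapid failures.
SAMPLE = [(t, "bob", False, "198.51.100.4") for t in (1, 2, 3)]
SAMPLE += [(4, "bob", True, "198.51.100.4")]
SAMPLE += [(t, "alice", False, "203.0.113.7") for t in range(10, 110, 10)]
SAMPLE += [(120, "alice", True, "198.51.100.9"), (1200, "alice", True, "198.51.100.9")]
```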
Always Change Your Defaults
A common password failure we come across during our Cyber Assessments is the use of default passwords. Vendors publish their default passwords online, so they are very easy to get your hands on and can give an attacker full administrative access to the device.
The first thing that a bad guy will do after identifying the make of a reachable device is try the default credentials, and once access is gained the compromised device can be used to infiltrate the internal network.
Always remember to change all your default passwords as soon as possible during the initial deployment.
Use Multi-Factor Authentication
Multi-factor authentication, or MFA for short, adds additional layers of security to account logons using 3 common factors:
1. something you know (a password);
2. something you have (a token or device) and
3. something you are (biometrics; fingerprint or eye scan).
The idea around MFA is that if someone gets hold of your password, they still need another 1 or 2 factors before they can access your account. The majority of MFA we see in use today uses the first two factors and is typically referred to as 2FA (Two Factor Auth) or Two Step verification.
Common 2FA implementations use smartphones or hard tokens to generate a random 6-digit code that will need to be entered to access your account. These passcodes can be generated using SMS text messaging or through a smart phone authenticator app, such as Google Authenticator, Cisco DUO or Microsoft Authenticator.
Just to be clear here, if a site asks you for two separate passwords this does not mean it is 2FA, this is still single factor auth as passwords are something you know.
To protect your online accounts from compromise it is recommended that you enable 2FA/MFA where possible. The smartphone authenticator app is the more secure version of 2FA and should be preferred over the SMS alternative. That said, if SMS is your only option then this should be implemented, as this is always better than not implementing 2FA.
Avoid Password Sharing
Sharing credentials and passwords has been commonplace in days gone by, and we still witness organisations that operate an open password sharing policy, where passwords are written down and shared between the users or taped to computer keyboards and monitors.
This is a very risky practice that can lead to compromise, false logging / audit trails and an evidence chain that cannot be trusted if an incident were to occur.
Users should be instructed to keep their passwords to themselves and should never share them with other users, including your manager or IT team.
The IT team should have procedures in place to support its users without the need for their individual passwords and should never ask a user for their password.
Never Store Passwords in Clear Text
A final point will be aimed at the developers out there, and that is to ensure that systems and applications never store passwords in clear text.
If an attacker gains access to a system that contains credentials in clear text, they can export this database of passwords, and use it in targeted attacks against other systems. Taking into consideration that users often reuse their passwords on different online services, this credential data can then be used to gain access and compromise accounts on other systems.
Always store credentials securely using cryptographic functions to hash the password prior to storage. To protect against rainbow table attacks, each password should also include a unique random ‘salt’ value that is added prior to the password being hashed.
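One way to implement salted, hashed storage, as an added example that is not part of the original post: each password gets its own random salt, and verification recomputes the hash and compares in constant time. PBKDF2-HMAC-SHA256, the 600,000 iteration count and the record format are choices made for this example; the post does not name an algorithm.

```python
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"   # example choice; the post names no algorithm
ITERATIONS = 600_000          # assumed work factor; tune to your hardware
SALT_BYTES = 16


def _derive(password, salt, iterations):
    """Slow, salted hash of the password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def hash_password(password):
    """Return the record to store in place of the clear-text password."""
    salt = os.urandom(SALT_BYTES)   # unique random salt for every password
    digest = _derive(password, salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        candidate = _derive(password, bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except (ValueError, OverflowError):
        return False   # malformed or truncated record


if __name__ == "__main__":
    # Two users with the same password end up with different stored records,
    # so one precomputed table cannot be reused across the database.
    a = hash_password("HorsePotatoSalvage")
    b = hash_password("HorsePotatoSalvage")
    print(a != b, verify_password("HorsePotatoSalvage", a))
```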
This post has aimed to outline the latest password security guidelines, based on the NIST (National Institute of Standards and Technology) and NCSC (National Cyber Security Centre) published recommendations.
Through our work helping organisations improve their overall security, it has been clear that a large majority still follow outdated password guidance. This not only creates headaches for their users but also results in security gaps that can be exploited by the bad guys.
For good password practice follow these Do’s and Don’ts:
- Do educate your users on good password security periodically.
- Do make life easier for your users.
- Do provide a more flexible approach to password complexity.
- Do allow the use of password managers to improve password security.
- Do allow users to generate complex passwords.
- Do allow the copy and paste of usernames and passwords.
- Do control and monitor your account logins and failures.
- Do change all default passwords as soon as you can.
- Do use password blacklists where possible.
- Do use MFA / 2FA where possible – preferring the use of an authenticator app.
- Don’t use the same password more than once.
- Don’t write down your passwords.
- Don’t make users change their passwords periodically, only change if lost, forgotten or compromised.
- Don’t set an aggressive lockout policy – locking out after 10 failed attempts is OK.
- Don’t share your passwords even with your manager or IT staff.
- Don’t store Passwords in clear text – ensure they are salted and hashed prior to storage.
Ironshare – Security Simplified