Passwords, time for them to go?
Password security for many companies and services are still based on premise such as authentication being a discrete event: the password is known only by the user and is kept safe and secure. While these may have been valid assumptions at one time, it is no longer the case, even if password policies and technical controls requiring complex passwords are in place.
Common password attack tactics and techniques
• Social engineering and Phishing – you unknowingly but willingly give up the secret
• Shoulder surfing – someone watches as you enter your password or pin
• Password littering – writing the password(s) down on Post-Its and other material and leaving out in the open near your computer or device
• Hacking - Intercepting passwords or stealing them electronically by gaining access to the network or a physical device, e.g., stealing a database
• Keylogging – a small bit of mischievous code recording your every keystroke and sending on the bad actors
• Brute force or password spraying attacks – trying multiple passwords against one identity or one common passwords against many identities
Numbers, special characters: Does password complexity improve security?
Introducing password complexity to password policies, such as requiring numbers or special characters, is intended to improve security and reduce the likelihood that someone will be able to guess the password or crack the password via a brute-force attack.
But does it really? NIST Special Publication 800-63b analysis of breached password databases suggest otherwise. The challenge of us humans to effectively memorize complex, arbitrary passwords (also referred to as “secrets”) tends to drive the adoption of a passwords that are relatively easy to guess. In general, while a level of complexity is important, password length provides more robustness and resistance to the active password cracking attempts. And while brute-force and other “guess” attacks are still in use, there are other, more sophisticated attack techniques in use that will continue to grow and evolve.
Passwords – the (not so) hidden costs
Over 80% of data breaches from 2018 through 2020 (Verizon Data Breach reports) were the result of compromised password, with the majority of those lost passwords related to success phishing attacks. Another contributing factor to the success of these attacks is related to user inclination to use the same password for multiple accounts, both business and personal. If one account for a user is compromised, trying the same password on other accounts for the same user has a high probability of success.
In addition, the use of passwords carries a high operational cost for the business. With so many accounts and passwords it is very common for rarely used passwords to be forgotten. While there are self-service tools to assist with password resets, these are an investment in themselves and typically never cover 100% of applications. As a result, related help desk tickets and support will invariably continue to be a cost along with associated loss in productivity.
Last, but certainly not least, in addition to the security and financial impact related to passwords, there is impact to the end-user experience. Adherence to password policies requiring expanded password complexity, regular rotation such as every 90 days and restricted password reuse all adds friction to the user experience. The more a user has to come up with unique complex passwords across multiple systems, the more likely the user is to forget the password, use an easily cracked password and leverage same password across multiple accounts. The use of password management tools, which users are either voluntarily or required to use, does provide a level of improved security, though it introduces yet another tool to manage and associated costs.
All resulting in a reduced security posture and added operational costs for the business.
Is there a better way?
Organizations need to consider modern authentication solutions, with adaptive authentication that includes contextual, risk-based, behavioral analysis to drive decisions and authentication levels required, including step-up with additional multifactor elements (biometric, one-time code, hard token, etc.).
Consider eliminating or at least reducing password complexity requirements and to increase length. This is called Entropy, a mathematical calculation as to how difficult it is to brute-force/crack a password. The higher the level of entropy, the more computational horsepower and time it will take to crack the password.
Does password complexity increase the entropy of the password, preventing attackers from guessing the password or cracking through brute-force in a time and cost-effective (for the attackers) way? It really does not. Or if it is complex enough to significantly deter the attackers, it makes life for the end user more difficult, leading to the other behavioral impact noted previously. Mathematically complex passwords tend to accomplish the opposite and reduce the level of entropy. Entropy is a function of the number of available characters and the length of the password with length having the biggest impact.
As an example, “ABCDEFGH” would take 5 seconds. Alternating between upper- and lower-case results in an increase in time to crack to 22 minutes. Increasing to “ABcdEFghIJkl” will take 300 years to crack. A very simple example of how length significantly improves entropy.
With this being the case, reducing the password complexity rules and opting for longer yet simpler password will provide a higher level of entropy, helping to reduce end user burden and increasing the level of assurance and security for the organization. Per NIST special publication 800-63B recommendations, a minimum of 8 characters for human entered password is recommended. It is not unreasonable to allow a larger upper number of characters. NIST suggest allowing at least 64 characters for the use of passphrases. A “passphrase” is a password consisting of a series of memorized secrets, including spaces, of relevance to the user. An example passphrase might be “Sunday Family Picnic Always Fun”. As a comparison to the previous brute-force time estimates, this passphrase would take one duodecillion years. Duodecillion = 10 with 39 zeros - a pretty large number. Perhaps a bit overkill, but hopefully further illustrates the effect of length on entropy.
Another key item to note, based on the NIST 2020 password guidelines regarding password policy. Do NOT set the password to expire. While this is counter to traditional views, changing a password on a regular basis actually increases the risk of exposure. Only change when suspect or aware of actual compromise.
As with any human, industrial and technical evolutions, at some point the old way must go away or at least evolve. Passwords have served a noble purpose for many years. Time for them to go. There are solutions and technologies available and being developed for a password-less user environment. They are still maturing and require not only some technical pivots by organizations but also change in culture. So, full adoption is not yet around the corner.
In the meantime, consider the steps discussed to help provide improved password security while simultaneously reducing cost and improving the end-user experience.
- Identity & access management