Passwords Are Dead, Long Live Passwords
As always, World Password Day is a great time to review our personal password management and hygiene practices to ensure we are safely and securely interacting with internet-connected platforms and accounts. It seems that not a month can go by without hearing in the news that another service provider or cloud platform has been breached, disclosing tens of thousands, if not hundreds of thousands, of user credentials, at which point individuals – if they are even aware of the breach – are then required to go reset their password with a new, unique and complex password.
This seems minor until you couple it with the fact that the average individual has around 90 online accounts but only has 10 to 15 unique passwords, meaning that the majority of their passwords are iterative (“P@ssword1”, “P@ssword2”, etc.) or reused. The system we’ve ended up with seems to consistently promote bad password hygiene by requiring long, unique, complex and nearly impossible to remember strings of characters which we rotate with alarming frequency, whether or not they have been compromised. It’s no wonder that people experience password fatigue when they are constantly asked to handle, manage, maintain and rotate tens, if not hundreds, of unique passwords across many different sites.
There’s got to be a better way.
As it turns out, the industry has started facing this problem head-on in multiple ways. The National Institute of Standards and Technology (NIST) released their Digital Identity Guidelines in 2017 to support proper password hygiene and establish technical guidance on how organizations manage authentication data and password data. In this publication, they bucked the typical trend, explaining that technology had created new opportunities to protect user credentials while stepping away from forced 90-day password rotation and expiration.
While somewhat of a departure from previous password management guidance, these guidelines provide a realistic framework for organizations to be empowered to support proper employee password hygiene and behavior while reducing the risk of credential misuse and disclosure.
These recommendations boil down to the following:
1. Require a long password but remove the complexity requirements.
As it turns out, creating a 12-character password that is completely random and that includes upper case, lower case, numbers and symbols or punctuation makes for a hard-to-crack password! The problem is that such a password is also probably excruciatingly difficult for the user to remember, and the more passwords like this that a user is tasked with remembering, the more likely it is that the user will fall back to poor password practices, such as using a shared or iterative password between services.
To address this, it is recommended that users start to adopt the mentality of a “passphrase” instead of a password. For example, the online pop-culture webcomic XKCD published a comic strip about passphrase use showing that the passphrase “correct horse battery staple” is easy to remember, yet notably more secure than the far more difficult to remember “Tr0ub4dor&3”. The passphrase concept promotes secure but memorable passphrases, which reduces poor password practices. Of note, after this comic was published, the password “correct horse battery staple” was then repeatedly found in breaches – so please don’t use that example as your actual passphrase.
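The policy described above, as an added example (not code from the original post): a password check in the NIST style that enforces only a minimum length and a blocklist of known-breached strings, with no composition rules. The minimum length of 12, the 64-character ceiling and the blocklist contents are assumptions for this demo.

```python
"""Length-plus-blocklist password check (added example; policy values assumed)."""
import unicodedata

MIN_LENGTH = 12   # assumed policy value for this example
MAX_LENGTH = 64   # assumed ceiling; long passphrases must remain allowed

# Constructed blocklist: strings seen in breach dumps or trivially guessable.
# A real deployment would load a large compromised-credential list instead.
BREACHED = {
    "correct horse battery staple",   # the XKCD example, later found in breaches
    "password", "p@ssword1", "p@ssword2",
    "123456", "qwerty", "letmein",
}


def normalize(pw: str) -> str:
    """NFKC-normalize so visually identical Unicode strings compare equal."""
    return unicodedata.normalize("NFKC", pw).strip()


def check_password(candidate: str, username: str = "") -> tuple[bool, str]:
    """Return (accepted, reason). No uppercase/digit/symbol requirements."""
    pw = normalize(candidate)
    if len(pw) < MIN_LENGTH:
        return False, f"too short: {len(pw)} < {MIN_LENGTH} characters"
    if len(pw) > MAX_LENGTH:
        return False, f"too long: exceeds {MAX_LENGTH} characters"
    # Case- and spacing-insensitive match against the blocklist
    folded = " ".join(pw.lower().split())
    if folded in BREACHED:
        return False, "appears in a known-breach or common-password list"
    if username and username.lower() in folded:
        return False, "contains the account name"
    return True, "ok"


if __name__ == "__main__":
    for pw in ["Tr0ub4dor&3", "correct horse battery staple",
               "Correct Horse Battery Staple", "three ducks row across a pond"]:
        print(f"{pw!r}: {check_password(pw)}")
```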
2. Inspect what you expect – monitor your credential use, react quickly and appropriately.
Everyone’s favorite day is that day they sit down at their computer and are greeted with the prompt informing them that their password has expired and that they need to choose a new one. Then, once they’ve chosen a new password that meets the complexity requirements, they need to go device by device and update the stored password to make sure that they can continue to communicate with company resources. This inevitably leads to credential synchronization issues, where a mobile device may have an outdated password and be attempting to authenticate, leading to account lockouts or unneeded authentication noise in security event logs.
As it turns out, the new guidance specifically recommends against enforcing mandatory password rotation at set intervals and instead replaces it with deeper monitoring of how credentials are used in an environment. If an organization can properly monitor who is authenticating to what, and with which credentials, it can detect behaviorally anomalous use of those credentials and react to credential misuse resulting from a breach or credential disclosure.
This monitoring workflow and the associated visibility stop organizations from having to rely on third parties to inform them of credential breaches and bring the technical and administrative controls back under their direct control. At that point, it doesn’t matter if their vendor did or didn’t know they were breached and had or had not disclosed the nature of the breach — the login from an unauthorized location triggered an alert that notified the SOC that the credentials were likely disclosed, the SOC reset the user credentials immediately and contacted the user, and everyone went right back to what they were doing with no harm done to the organization or the network.
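The two monitoring cases from this section and the previous one, as an added example (not code from the original post): a successful login from a country the user has never used, and a burst of failures from one device after a password reset, the stale-credential noise described above. The event format, the baseline rule (the first login seen sets the baseline), the threshold and the sample events are all constructed for this demo.

```python
"""Credential-use monitoring over constructed auth events (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class AuthEvent:
    ts: int        # epoch seconds
    user: str
    device: str
    country: str   # assumed to come from IP geolocation upstream
    success: bool


# Constructed events: alice works from the US; her phone keeps an old password.
EVENTS = [
    AuthEvent(1000, "alice", "laptop-01", "US", True),
    AuthEvent(1100, "alice", "phone-01", "US", True),
    AuthEvent(1200, "alice", "laptop-01", "US", True),   # password reset happens here
    AuthEvent(1260, "alice", "phone-01", "US", False),
    AuthEvent(1320, "alice", "phone-01", "US", False),
    AuthEvent(1380, "alice", "phone-01", "US", False),
    AuthEvent(1400, "alice", "unknown-7", "RO", True),
]
PASSWORD_RESETS = {"alice": 1200}   # constructed: user -> reset timestamp
FAILURE_THRESHOLD = 3               # assumed value


def analyze(events, resets):
    """Return [(ts, user, alert_text)] in time order."""
    seen_countries = defaultdict(set)   # user -> countries seen on success
    failures = defaultdict(int)         # (user, device) -> failures since reset
    alerts = []
    for e in sorted(events, key=lambda x: x.ts):
        key = (e.user, e.device)
        if e.success:
            # First-ever login seeds the baseline; later new countries alert.
            if e.user in seen_countries and e.country not in seen_countries[e.user]:
                alerts.append((e.ts, e.user, f"login from new country {e.country} "
                               f"via {e.device}: possible credential disclosure, "
                               "reset credentials and contact user"))
            seen_countries[e.user].add(e.country)
            failures[key] = 0
        elif e.ts > resets.get(e.user, -1):
            failures[key] += 1
            if failures[key] == FAILURE_THRESHOLD:
                alerts.append((e.ts, e.user, f"{FAILURE_THRESHOLD} failures from "
                               f"{e.device} after password reset: likely stale "
                               "stored credential (lockout noise)"))
    return alerts
```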
3. For the love of security, use a password manager.
You don’t have to do this alone! There are all manner of tools out there that can help you, as an individual or an organization, properly manage your passwords and passphrases. As I’ve written about in a previous blog about ways to increase personal security, there are multiple tools out there for password management and each has its own benefits. You can self-host, cloud-host or purchase password management-as-a-service. Licenses exist for single individuals, teams and entire organizations and enterprises.
It is strongly recommended that organizations leverage an enterprise-wide and centrally managed password management tool for their Information Technology workers. Additionally, depending on the type of organization and the type of trust model being implemented, organizations may choose to license and deploy password managers across their entire user base to promote more effective password management and hygiene practices.
4. Last but not least, look to the password-less future.
Continued advances in software and hardware have expanded the ways in which we can authenticate with our devices and gain access to corporate or network resources. With the addition of Windows Hello and Microsoft’s Modern Authentication comes the potential for us to be recognized by our faces and granted access directly through biometrics. Physical token-based multi-factor authentication devices, such as the YubiKey, provide a second authentication factor that doesn’t require your users to memorize anything. Adding to that, emerging standards like WebAuthn and Fast Identity Online (FIDO2) are moving us closer and closer to a world where passwords are no longer needed for online authentication between multiple disparate platforms.
Where would you like to be?
With any set of technologies, an organization must take a pragmatic look at its technology platforms and determine what makes the most sense for its users. At ivision, we deeply recognize the potential damage that poor password hygiene and management can cause, and we are passionate about helping organizations leverage the multiple capabilities of several technology stacks in support of migrating their platform to modern authentication and would be happy to help. In so many cases, it’s assumed that an increase in security results in a decrease in usability – this is a perfect example of a case where properly implemented technology can both increase security and reduce complexity for your users. Read more about ivision’s security capabilities or contact us directly to start a conversation.