In my last blog article I talked about password best practices by touching on the way in which many organizations often struggle with maintaining strong password policy adherence while trying to stave off password fatigue for their end users. A flexible password policy with easy to remember requirements and long (or no) expiration time makes users happy and auditors angry, while a stringent policy does the exact opposite. It truly is a Catch-22 in that regard. As you might expect, however, the password policy is only one small part of password best practices.
The National Institute of Standards and Technology (NIST) has a draft specification (SP800-118) that outlines what it considers to be password best practices in terms of length, complexity, and expiration. Here’s a quick rundown of the specs:

The assumption that many of us make, including many password strength meters, when judging the strength and security of a potential password is that strength is purely a matter of math. Simply put, the more character combinations the better, since it takes password cracking programs more time to crank through each potential combination.
Based on pure math alone, the above combination would give the end user a potential 2.46 × 10^14 different password combinations. That’s a pretty staggering array of letter, number, and character combinations, and one that would probably engender a pretty good feeling of uniqueness and protection.
Password Best Practices - The Heart of the Matter
The problem with this “strength through complexity” approach is that it relies on the premise that a user would be willing to use a nonsensical password like “A3$5%xZ@” and keep changing it every 30 to 90 days to keep those mathematical combinations churning.
As humans we’re just not geared to create, and more importantly remember, such random patterns. In fact, there are many studies that show just the opposite: our brains are wired around patterns and pattern recognition and will oftentimes try to find patterns where none exist.
Understanding that we eschew random sequences in favor of patterns, it comes as no surprise that we end up with a host of passwords that are easy to remember, replicate, and recognize. Splashdata.com publishes a yearly “Worst Passwords List” showing that the Top 10 worst passwords are not only incredibly weak but also incredibly old, with many of the worst passwords on this list showing up year after year.
Here’s the Top 10:

Even with all the news media coverage about hacking, stolen identities, and compromised credit cards, the general public is still reluctant to make any significant changes to their bad password habits. Password best practices are still continually overlooked in favor of usability.
It’s these kinds of passwords that keep IT administrators up at night, as they are laughably easy to guess. When you couple this with some of the sophisticated password cracking computers that can run through millions of password combinations in mere milliseconds, you have the makings of a huge problem.
Some Data to Back it Up
Many users don’t fully grasp how easy it is for hackers to perform a brute force attack and quickly and easily compromise their accounts. To them the hackers are using sophisticated hardware configurations backed by extremely complex hacking software, when the truth is much different.
For as little as a few thousand dollars these hackers are able to configure a cracking rig, complete with pre-written cracking software (courtesy of the Dark Web), and easily start breaking into users’ accounts.
The other fallacy is that these calculations must take a huge amount of time and computing resources. Again, this is simply not true. Most of these systems are hand-built on a small budget, yet have the ability to process around 100,000,000,000 (10^8) combinations per second.
To illustrate how quickly these rigs can calculate what many would consider a complex password, let’s assume the following example using an 8-letter alphabetic password requirement (26^8, or 208,827,064,756 combinations) and see how long it would take to crack it:

In a fraction over two seconds a properly configured password cracking PC has run through almost 210 billion different alphabetic password combinations and potentially gained access to any account protected by one of them. And they’re only getting faster.
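As an added illustration (not code from the original article), the calculation above written out in Python: the keyspace for a given character set and length, and how long a rig at the article’s quoted rate of 100 billion guesses per second would need to exhaust it. It goes one step beyond the article by comparing the 8-letter example against longer lowercase-only passwords, which shows that length outpaces character-set size; the guess rate and the policies compared are assumptions for the example.

```python
# Added example: keyspace and worst-case cracking time for a few policies.
import string

LOWER = string.ascii_lowercase                    # 26 symbols
ALNUM = string.ascii_letters + string.digits       # 62 symbols
FULL = ALNUM + string.punctuation                  # 94 printable symbols

# Assumed rig speed, taken from the article's figure of 100 billion guesses/s.
GUESSES_PER_SECOND = 100_000_000_000


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return charset_size ** length


def worst_case_seconds(charset_size: int, length: int,
                       rate: int = GUESSES_PER_SECOND) -> float:
    """Seconds to try the whole keyspace (an average crack takes half this)."""
    return keyspace(charset_size, length) / rate


def human(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.2f} seconds"


def compare_policies():
    """Rows of (description, keyspace, worst-case seconds) for assumed policies."""
    policies = [
        ("8 lowercase letters (article's example)", len(LOWER), 8),
        ("8 chars, letters+digits+symbols", len(FULL), 8),
        ("12 lowercase letters", len(LOWER), 12),
        ("16 lowercase letters (passphrase-like)", len(LOWER), 16),
    ]
    return [(desc, keyspace(n, k), worst_case_seconds(n, k))
            for desc, n, k in policies]


if __name__ == "__main__":
    for desc, space, secs in compare_policies():
        print(f"{desc:42s} {space:>24,d}  {human(secs)}")
```

The 8-letter case comes out at about 2.1 seconds, while 12 lowercase letters already take longer than 8 characters drawn from all 94 printable symbols.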
Is there an answer and if so, what is it?
The short answer is yes, but….
When it comes to password best practices organizations have to be prepared to use a number of different tools to minimize their risk profile. In terms of password best practices, here is a list of 7 Tools and Techniques that we recommend:
- Make passwords as long and complex as you can.
  - Longer lengths and multiple character sets go a long way towards increasing security.
  - Complexity adds time, and hackers typically won’t spend a great deal of time if they don’t have to. They will simply move on to the next target.
- Make them hard to guess (see the list above on what not to do).
  - Common words and number combinations don’t stand a chance.
  - Developing a password built around a mnemonic that makes sense to you is easy to remember but tough to replicate, which also makes for a viable approach.
- Each account should have its own unique password.
  - This minimizes your password footprint, so if you lose one you don’t compromise all of the others.
- Consider using a password manager like LastPass, KeePass, or 1Password.
  - These tools can randomly generate unique passwords for each site and give you access to an encrypted vault through a master password. Just make sure you don’t forget that master password, and that it is as strong as can be.
- Understand the difference between the “Remember Me” features on your browser vs. on a web site. This feature can be useful provided the user remembers to log out of the web site when they are done using it. Users and administrators need to use this feature with a certain level of caution and understanding, especially if they are sharing a device.
  - Web site “Remember Me” stores a cookie on your machine that is specific to the website (e.g. Gmail) and can only be read by that website.
  - Browser “Remember Me” stores the login information for various web sites in the browser itself.
- Use or provide two-factor authentication (2FA) for your users.
  - 2FA relies on something you know (your password) and something you have (like a mobile device) to verify your identity. It’s simple, fast and effective. Most password best practices call for similar pairing.
  - Many websites allow you to register a device for free, and once registered you are required to enter your password and a passcode that is sent to you on behalf of the site you are trying to access.
- Incorporate self-service password reset into your backroom.
  - Users hate the drudgery of having to reset complex or forgotten passwords. A strong SSPR solution can save both users and administrators the headaches.
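As an added example (not from the original article), a server-side check that enforces the first three recommendations in the list above: a long, multi-class password, nothing from a known-bad list, and no reuse across a user’s accounts. The minimum length, class count, the tiny stand-in for the worst-passwords list, and the sample accounts are all constructed for the example; the reuse check compares against salted PBKDF2 hashes so the existing passwords are never held in plaintext.

```python
# Added example: policy checks for length/complexity, known-bad list, and reuse.
import hashlib
import hmac
import os
import string

MIN_LENGTH = 12   # assumed policy value, not taken from the article
MIN_CLASSES = 3   # of: lowercase, uppercase, digits, punctuation

# Constructed stand-in for a worst-passwords list; a real deployment would
# load a large breached-password corpus instead of five entries.
WORST_PASSWORDS = {"123456", "password", "qwerty", "letmein", "football"}


def char_classes(pw: str) -> int:
    """Count how many of the four character classes the password uses."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(any(c in cls for c in pw) for cls in classes)


def hash_password(pw: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; iteration count kept modest for the demo."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


def build_vault(accounts: dict) -> dict:
    """Turn {account: plaintext} into {account: (salt, hash)} with random salts."""
    vault = {}
    for account, pw in accounts.items():
        salt = os.urandom(16)
        vault[account] = (salt, hash_password(pw, salt))
    return vault


def check_password(candidate: str, other_accounts: dict) -> list:
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if char_classes(candidate) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    if candidate.lower() in WORST_PASSWORDS:
        problems.append("appears on the worst-passwords list")
    for account, (salt, digest) in other_accounts.items():
        # Re-derive with that account's salt; constant-time compare of digests.
        if hmac.compare_digest(hash_password(candidate, salt), digest):
            problems.append(f"already used for {account}")
    return problems


if __name__ == "__main__":
    vault = build_vault({"mail": "Correct-Horse-42", "bank": "Tr0ub4dor&3"})
    for pw in ("password", "Tr0ub4dor&3", "Sa1ling-Over-Blue-Lakes!"):
        print(pw, "->", check_password(pw, vault) or "ok")
```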
It’s clear that there is no one-size-fits-all approach when it comes to password best practices. There are some very obvious areas, like complexity, that can be addressed quickly, and some more nuanced ones, like 2FA or a good password manager, that may take a little more time to assess and implement.
In either case, whether you are an administrator or a user, establishing good habits with regard to password management is critical. Being proactive and aware of potential threats is one of your best allies, and the most appropriate summary of password best practices.