Many of us have a love/hate relationship with passwords – we know we need them to help keep our information safe, but who isn’t sick of coming up with the dozens of hard-to-remember passwords necessary for the myriad of sites and services in our lives?
To recognize World Password Day this year, we will review the latest in best practices on creating and maintaining passwords. If you haven’t reviewed your corporate – and personal – policies on passwords, today is a great day to start the conversation.
Background
While ransomware is the biggest threat to business, compromised or weak passwords are the primary means of accessing a system to deploy that malware. According to Verizon’s 2020 Data Breach Investigations Report, 37% of breaches involved stolen or abused credentials. How are the hackers getting these credentials? According to another 2020 study, there were an astounding 15 billion sets of userid/passwords available on the dark web – up 300% since 2018 – featuring stolen data from over 100,000 separate data breaches. Some five billion of these represent unique pairs of credentials, without any repeated elements.
Historically, organizations built their access control frameworks on a foundation of unique and complex passwords, changed frequently. However, recent studies have questioned the efficacy of some of these traditional practices: ironically, following some of these familiar guidelines may create weaker password regimes – not stronger ones. Analysis of password resistance to attack, coupled with a better understanding of user behaviour in password management, has revealed better ways of doing things.
The National Institute of Standards and Technology (NIST) in the U.S. has developed arguably the definitive set of password best practices in their Digital Identity Guidelines. Canada, the U.K.’s National Cyber Security Centre (NCSC), and even Microsoft have provided recent guidance echoing the NIST research.
Current Best Practices
1) More focus on increased password length over password complexity
The historical focus on complexity was based on making it difficult for hackers to crack passwords “beyond the alphabet”. However, enforcing this rule often leads to users re-using the foundation of their password with a minor modification (e.g., adding a “counter” to the end of a password, or substituting zeroes for “O” and ones for “L” in the credentials, or adding a perfunctory “!” at the end of a word). Attackers are well aware of these strategies, so if they have access to a list of old passwords, they can figure out new passwords with a surprising degree of effectiveness.
Statistically, longer, simpler passwords are more difficult to crack than shorter, more complex passwords. The minimum length of a password should still be eight characters, but for more sensitive content, NIST recommends passwords reaching up to 64 characters. If memorizing a string of 64 random characters seems daunting to you, you’re not alone! Understanding this, NIST espouses the use of passphrases. This enables the user to come up with a long password based on a series of more familiar words, which is more effective. For example, a 25-character password like “BEING CYBERSAFE WITH ISA!” is easy to remember, but will still take a significant amount of time to crack.
2) Employ a “deny list” of unacceptable passwords
NIST recommends using a “deny list” of commonly-used passwords, thereby blocking users from selecting old favourites like “12345” or “password”. GitHub offers a list of the 100,000 most frequently used passwords, a list that includes common words, repetitive strings, and keyboard-adjacent sequences of characters. HaveIBeenPwned.com also maintains massive lists of compromised passwords, which can be used to check for stolen credentials and/or to build a deny list. If your authentication system allows integration with user-defined deny lists, these are great places to start. And please note: hackers can use these lists as a head start in trying to crack your passwords, so make life more difficult for them by avoiding the use of passwords on these lists altogether!
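To show how the first two practices fit together at the point a password is chosen, here is an added example (written for this page; it is not code from ISA Cybersecurity, NIST, GitHub or HaveIBeenPwned). It applies the 8-to-64 character bounds from the section above, reverses the “0 for O, 1 for L, counter on the end” substitutions before consulting a deny list, and checks a HaveIBeenPwned-style range response in which only the first five characters of the password’s SHA-1 hash would ever be sent to the service. The seven-entry deny list, the breach counts and the filler suffixes in the sample response are constructed values, and the live lookup against `https://api.pwnedpasswords.com/range/<prefix>` is replaced by an inline body so the example runs offline.

```python
import hashlib
import re

# Length bounds from the post: at least 8 characters, allow up to 64.
MIN_LENGTH = 8
MAX_LENGTH = 64

# Constructed stand-in for a real deny list (the GitHub top-100k file or an HIBP export).
DENY_LIST = {"password", "123456", "12345", "qwerty", "letmein", "iloveyou", "football"}

# Undo the substitutions the post describes (zero for O, one for L, ...) so that
# "P@ssw0rd" collapses back to "password" before the lookup.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(password: str) -> str:
    """Reduce a candidate to its 'foundation': lower-case, drop a trailing counter or '!', undo leet."""
    core = password.strip().lower()
    core = re.sub(r"[\d!?.]+$", "", core)   # strips "2021", "1!", "..." from the end
    return core.translate(LEET_MAP)


def on_deny_list(password: str, deny_list=DENY_LIST) -> bool:
    """True if the password, or its normalized foundation, is a known-bad choice."""
    return password.lower() in deny_list or normalize(password) in deny_list


def sha1_prefix_suffix(password: str) -> tuple:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that goes to the
    range endpoint and the 35-char suffix that is compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def pwned_count(password: str, range_body: str) -> int:
    """Search a range response ('SUFFIX:COUNT' per line) for the candidate's suffix.
    Neither the password nor its full hash leaves the client; 0 means not found."""
    _, suffix = sha1_prefix_suffix(password)
    for line in range_body.splitlines():
        found, _, count = line.strip().partition(":")
        if found == suffix:
            return int(count)
    return 0


def evaluate(candidate: str, range_body: str) -> str:
    """Apply the creation rules in order; returns 'accepted' or a rejection reason."""
    if len(candidate) < MIN_LENGTH:
        return "rejected: shorter than 8 characters"
    if len(candidate) > MAX_LENGTH:
        return "rejected: longer than 64 characters"
    if on_deny_list(candidate):
        return "rejected: on the deny list"
    count = pwned_count(candidate, range_body)
    if count:
        return f"rejected: seen in {count} breach records"
    return "accepted"


# Constructed range response for the prefix of SHA-1("Summer2021"). A real client would
# GET https://api.pwnedpasswords.com/range/<prefix> and pass the body in unchanged.
_, _SAMPLE_SUFFIX = sha1_prefix_suffix("Summer2021")
SAMPLE_RANGE_BODY = "\r\n".join([
    "1E2AABBCCDDEEFF00112233445566778899:2",   # constructed filler suffix
    f"{_SAMPLE_SUFFIX}:12406",                 # constructed count for "Summer2021"
    "FFEEDDCCBBAA99887766554433221100ABC:17",  # constructed filler suffix
])

if __name__ == "__main__":
    for pw in ["short", "P@ssw0rd1!", "Summer2021", "BEING CYBERSAFE WITH ISA!"]:
        print(f"{pw!r}: {evaluate(pw, SAMPLE_RANGE_BODY)}")
```

The normalization step is what makes a small deny list pull its weight: without it, “Password2021” and “P@ssw0rd1!” sail past a list that contains only “password”. The range check is deliberately split into prefix and suffix so that a deployment can swap the inline body for a real HTTP call without the rest of the logic changing.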
3) Never reuse passwords across sites and services
Massive data breaches are practically daily news; compromised user credentials are constantly stolen and posted on the dark web for extortion or sale. Hackers can easily use these sets of userids and passwords to pivot against other common websites and services (e.g., if your favourite retailer is hacked and your userid/password are the same there as you use for Facebook or Amazon, you face a huge exposure). If you use unique passwords for each of your online resources, you limit your exposure should any one of them be breached.
4) Eliminate regularly-scheduled password resets
Historically, frequent password resets were seen as a way to strengthen defenses. However, studies have suggested that this approach is often defeated by the human element. Users, exhausted by coming up with new passwords so frequently, begin to use simple variations of existing passwords, making them easier to determine if an older password has been compromised. Even if a password is being abused in a longer-term breach (in which a password is stolen, then used by an unauthorized person over an extended period), the tendency to only make slight modifications to a password makes the new credentials fairly easy to crack.
NIST no longer recommends regular password resets, stating that passwords only need to be changed in the event of a suspected breach or a change in role/personnel. Where companies still prefer to use regular resets, it is encouraged that “similarity checking” and “password history” validation also be in place to force users to come up with novel credentials each time.
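The “similarity checking” and “password history” validation mentioned above can be implemented at the moment of a password change, as in this added example (written for this page, not code from NIST or ISA Cybersecurity). Because the user must type the current password to change it, that one can be compared to the new candidate as text; older passwords are kept only as salted PBKDF2 hashes and are matched by hash equality. The 70% similarity threshold, the PBKDF2 round count and the sample user with the “Winter2020 / Spring2020 / Summer2021” history are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
from difflib import SequenceMatcher

PBKDF2_ROUNDS = 100_000   # slow hash for the stored history; the plaintext is never kept
MAX_SIMILARITY = 0.7      # assumed threshold: 70% or more of the characters lining up is "too similar"


def history_hash(password: str, salt: bytes) -> bytes:
    """Value kept in the per-user history; the salt is per user so equal passwords differ across users."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def similarity(a: str, b: str) -> float:
    """Share of characters that line up, 0.0 to 1.0; case-insensitive so Summer2021 vs summer2022 is caught."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def validate_change(current: str, new: str, history: list, salt: bytes) -> str:
    """The user types the current password to change it, so that one is compared as text;
    earlier passwords survive only as hashes, so they are matched by hash equality."""
    if similarity(current, new) >= MAX_SIMILARITY:
        return "rejected: too similar to the current password"
    new_hash = history_hash(new, salt)
    if any(hmac.compare_digest(new_hash, old) for old in history):
        return "rejected: previously used"
    return "accepted"


def demo() -> list:
    """Constructed user: two retired passwords plus the current one sit in the history."""
    salt = os.urandom(16)
    current = "Summer2021"
    history = [history_hash(p, salt) for p in ("Winter2020", "Spring2020", current)]
    candidates = ["Summer2022", "Winter2020", "BEING CYBERSAFE WITH ISA!"]
    return [validate_change(current, c, history, salt) for c in candidates]


if __name__ == "__main__":
    for candidate, verdict in zip(["Summer2022", "Winter2020", "BEING CYBERSAFE WITH ISA!"], demo()):
        print(f"{candidate!r}: {verdict}")
```

“Summer2022” fails the similarity check (nine of ten characters line up with “Summer2021”), “Winter2020” passes similarity but is caught by the history, and the passphrase from section 1 is accepted. Note that similarity can only be checked against the password the user just proved they know; history entries are hashes precisely so that a stolen database does not hand an attacker the user’s pattern.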
5) Allow password “copy and paste”
In years past, NIST had encouraged disabling the “copy and paste” feature on sites and services, concerned about the potential for “paste buffers” to be hacked and passwords stolen in transit. The latest guidance has reversed this position, and NIST now recommends that sites and services allow passwords to be copied and pasted on websites and desktop/mobile apps. This reduces the risk of users resorting to writing down passwords, and promotes the use of password managers that offer secure and time-limited copy-paste functionality as part of the application. Many password managers allow you to transport passwords, or even automatically launch websites, without ever seeing the credentials; this allows users to make their passwords long and complex enough to avoid compromise, without the worry of having to remember them.
6) Time-outs on failed password attempts
NIST also recommends restrictions on failed password attempts. This approach helps thwart brute force attacks that attempt to access a site or service by repeatedly testing passwords until one works. Restricting the number of attempts by introducing a time-out or other limitation helps mitigate this threat. Limits can be applied to the number of login attempts per device or per address, and gradually increasing time-outs (a one-minute “sleep” after three failed attempts, a five-minute “sleep” after the next failed attempt, etc.) make brute force attacks impractical. An account lock-out should also be introduced; e.g., after a certain number of failed password attempts, an account should be disabled and admin involvement should be required to re-enable the account. This approach also helps alert IT staff to a potential breach situation, particularly if many users are affected at the same time.
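The escalation described above, as an added example written for this page (not code from NIST or ISA Cybersecurity): failures are counted per account and per source address, the fourth failure earns a one-minute “sleep” and the fifth a five-minute one as in the text, the account is disabled after a fixed number of failures until an administrator clears it, and a burst of lock-outs across many accounts raises the alert the last sentence calls for. The later back-off steps (15 and 60 minutes), the lock-out after ten failures, the ten-minute alert window with a five-account threshold, and the account names and addresses are all assumptions constructed for the example; `FakeClock` exists only so the walk-through runs without real waiting.

```python
import time
from collections import defaultdict
from dataclasses import dataclass

FREE_ATTEMPTS = 3                       # three failures before the first time-out (from the post)
BACKOFF_SECONDS = [60, 300, 900, 3600]  # 1 min after the 4th failure, 5 min after the 5th; later steps assumed
LOCKOUT_AFTER = 10                      # assumed: disable the account and require an admin after this many
ALERT_WINDOW = 600                      # assumed: ALERT_THRESHOLD lock-outs within 10 minutes ...
ALERT_THRESHOLD = 5                     # ... is a campaign against many users, not one forgetful user


@dataclass
class Counter:
    failures: int = 0
    retry_after: float = 0.0   # clock value before which attempts are refused
    locked: bool = False


class LoginThrottle:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.by_account = defaultdict(Counter)
        self.by_address = defaultdict(Counter)
        self.lockouts = []     # clock values of each lock-out, for the mass-attack alert

    def check(self, account: str, address: str) -> str:
        """Gate to consult before the password is even verified: 'allow', 'wait' or 'locked'."""
        acct, addr = self.by_account[account], self.by_address[address]
        if acct.locked:
            return "locked"
        now = self.clock()
        return "wait" if now < acct.retry_after or now < addr.retry_after else "allow"

    def record(self, account: str, address: str, success: bool) -> None:
        """Update both counters after a password check. Success clears the account's counter
        only: an attacker logging into their own account must not reset the address counter."""
        now = self.clock()
        if success:
            self.by_account.pop(account, None)
            return
        for counter in (self.by_account[account], self.by_address[address]):
            counter.failures += 1
            if counter.failures > FREE_ATTEMPTS:
                step = min(counter.failures - FREE_ATTEMPTS - 1, len(BACKOFF_SECONDS) - 1)
                counter.retry_after = now + BACKOFF_SECONDS[step]
        acct = self.by_account[account]
        if acct.failures >= LOCKOUT_AFTER and not acct.locked:
            acct.locked = True
            self.lockouts.append(now)

    def admin_unlock(self, account: str) -> None:
        """Only an administrator clears a lock-out; no time-out ever does."""
        self.by_account.pop(account, None)

    def mass_lockout_alert(self) -> bool:
        now = self.clock()
        return sum(1 for t in self.lockouts if now - t <= ALERT_WINDOW) >= ALERT_THRESHOLD


class FakeClock:
    """Controllable clock so the demos run without real sleeps."""
    def __init__(self, start: float = 1000.0): self.now = start
    def __call__(self) -> float: return self.now
    def advance(self, seconds: float) -> None: self.now += seconds


def demo() -> list:
    """Walk one attacking address through the escalation; returns every check() verdict seen."""
    clock, victim, attacker = FakeClock(), "alice", "203.0.113.7"   # constructed names
    throttle = LoginThrottle(clock)
    seen = []
    for _ in range(FREE_ATTEMPTS):
        throttle.record(victim, attacker, success=False)
    seen.append(throttle.check(victim, attacker))        # allow: three failures are free
    throttle.record(victim, attacker, success=False)     # 4th failure: 1 minute sleep
    seen.append(throttle.check(victim, attacker))        # wait
    clock.advance(61)
    seen.append(throttle.check(victim, attacker))        # allow again
    throttle.record(victim, attacker, success=False)     # 5th failure: 5 minute sleep
    clock.advance(61)
    seen.append(throttle.check(victim, attacker))        # still wait
    clock.advance(300)
    while not throttle.by_account[victim].locked:        # keep failing (gate skipped for brevity)
        throttle.record(victim, attacker, success=False)
    seen.append(throttle.check(victim, attacker))        # locked
    seen.append(throttle.check("bob", attacker))         # wait: the address is throttled too
    seen.append(throttle.check("bob", "198.51.100.2"))   # allow: clean address, untouched account
    throttle.admin_unlock(victim)
    seen.append(throttle.check(victim, "198.51.100.2"))  # allow only after the admin reset
    return seen


def mass_attack_demo() -> tuple:
    """Five accounts locked within the window turn per-user events into an IT alert."""
    throttle = LoginThrottle(FakeClock())
    before = throttle.mass_lockout_alert()
    for i in range(ALERT_THRESHOLD):
        for _ in range(LOCKOUT_AFTER):
            throttle.record(f"user{i}", f"198.51.100.{i}", success=False)   # constructed
    return before, throttle.mass_lockout_alert()
```

Two design points worth copying: the gate (`check`) runs before the password is verified, so a throttled client never even costs a hash computation, and the per-address counter is kept separate from the per-account one so that throttling one account does not let an attacker simply move on to the next userid from the same address.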
7) Don’t use password hints
Password “hints” are a popular way of confirming the identity of a user that has forgotten their password. The popularity of these solutions, coupled with the tendency of people to over-share personal information on social media posts (or by answering online quizzes), means that these simple profile questions can easily be harvested by a determined attacker. How many services and websites can you think of that have asked for your mother’s birth name, your first car, or the city you were born in? NIST recommends scrapping this practice.
For sites that still use these basic profile questions, consider the use of fictitious answers to the questions; responses that only you will know. This will prevent the answers from being ferreted out by someone else online.
8) Use Multi-Factor Authentication
Two-factor authentication (2FA) and multi-factor authentication (MFA) are still the most effective ways of fending off attack. Even if a password is compromised, subsequent “shifting” credentials act as a second layer of defense. As referenced in a 2019 blog post, Microsoft estimated that enabling MFA can block 99.9% of account compromise attacks.
Typically, there are three types of identification that can be used when employing additional authentication factors:
+ something you know: a password, PIN, or secret answer to a question
+ something you have: a smartcard, physical token or key fob, or mobile device
+ something you are: retinal scan, fingerprint, voice, or facial recognition
Multi-factor authentication will use some combination of at least two of these challenges in order to mitigate the risk that any single one of the methods has been compromised or coerced. Microsoft also recommends implementing “risk-based” multi-factor authentication, so if suspicious activity occurs (e.g., a login from an unfamiliar device or at odd hours, or requests for more than one concurrent login), supplementary challenges can be provided to confirm a user’s identity.
9) Train staff on password best practices
Of course, a lot of this comes down to the human element. Be sure that “password hygiene” is a prominent part of your regular, engaging security awareness training. Ensure that your IT team stays current on the best practices around password management. And maintain an open and continuing dialogue on the importance of secure authentication, balanced by the practicality of “getting stuff done”.
If you’re interested in learning more about the latest in password management and authentication, contact ISA Cybersecurity today. We have three decades of experience in providing cybersecurity services and people you can trust.