The trouble with passwords…
Trouble... We're not talking about the yellow sticky notes on the sides of monitors or employees sharing passwords. Password composition is at issue. The passwords we use today are generally the same as those we were using 20 years ago. That might be acceptable if every other variable in information technology had remained the same since then. They haven't. Those who have not adapted may have placed their IT assets at considerable risk.
Will my password effectively secure everything?
Twenty years ago, probably. Remember the old IBM auto-password generators that gave us hard-to-remember passwords, a mix of alphanumeric and special characters, 8 characters long? They were 8 characters because that was the number of characters the operating systems and applications of the day would recognize for passwords. The generators might give us something like this: n&}P2^XJ ...pretty easy to remember, right? It must be secure because it looks so complex! Not true either. Today's password cracking arrays make quick work of such a password: hours at most against a fast, unsalted hash. In 2012, Ars Technica reported that a 25-GPU cluster could try every possible 8-character password against Windows NTLM hashes in under 6 hours. NTLM is an unsalted, single-pass hash, so it is the attacker's best case; a slow, salted hash such as bcrypt multiplies the effort enormously, but it does not change the lesson. Again, that was 2012 technology. What about today?
Still feeling secure with your enterprise password policy?
Justifiably, you may be starting to break a sweat while digesting this habanero of a topic.
Today, we understand much more about strong passwords than we did in the past. NIST has modified its guidelines for password deployment, which we'll discuss shortly. What defines a strong password? Is it upper case, lower case, numbers, special characters? This is what we've been taught, and the answer in the past has been yes to all of the above.
To understand what delivers a strong password, we must know what drives password cracking. The two predominant forces are tables/dictionaries of common passwords, and brute force. Dictionaries are long lists of commonly used or suspected passwords, usually extended with mangling rules that capitalize, swap letters for digits, or append years and punctuation; the cracker checks your password against every entry at enormous speed, and a password that is a dictionary word in disguise falls within seconds. Brute force tries every possible combination of characters and takes longer, because each extra variable (upper/lower case, numerals, special characters) multiplies the number of combinations. But remember, every 8-character combination was exhausted in less than 6 hours...
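The dictionary force described above, as an added example that is not part of the original post: a rule-based dictionary attack in Python. The four-word list, the mangling rules, the suffix list and the SHA-256 "leaked" hashes are all constructed here for illustration (SHA-256 stands in for any fast unsalted hash); real tools such as hashcat and John the Ripper have the same shape with million-entry wordlists and far richer rule sets. A mangled dictionary word falls within a few dozen guesses, while the random 8-character password and the long phrase are not in the list at all and survive this pass.

```python
"""Rule-based dictionary attack (added example; inputs are constructed)."""
import hashlib

WORDLIST = ["password", "welcome", "summer", "letmein"]      # constructed, tiny
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})
SUFFIXES = ["", "1", "123", "!", "1!", "2012", "2012!"]         # constructed


def candidates(words=WORDLIST):
    """Yield guesses in the order a cracker tries them: the raw word first,
    then capitalised, then leet-speak, each with the common suffixes."""
    for word in words:
        bases = (word, word.capitalize(), word.translate(LEET),
                 word.capitalize().translate(LEET))
        for base in bases:
            for suffix in SUFFIXES:
                yield base + suffix


def hash_password(password: str) -> str:
    """Stand-in for the fast, unsalted hash found in many breached databases."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack(target_hash: str, words=WORDLIST):
    """Return (password, guesses_used) if the dictionary pass recovers it,
    or None once every candidate has been tried without a match."""
    for count, guess in enumerate(candidates(words), start=1):
        if hash_password(guess) == target_hash:
            return guess, count
    return None


if __name__ == "__main__":
    # Constructed 'leaked' hashes: a mangled dictionary word of the kind that
    # complexity rules push users toward, plus the two passwords from the post.
    for pw in ("P455w0rd1!", "n&}P2^XJ", "Thisisagreatpassword!"):
        print(f"{pw!r}: {crack(hash_password(pw))}")
```

Only 112 candidates are generated, yet "P455w0rd1!" is recovered on guess 26; the other two return None because nothing in the list resembles them, so only brute force reaches them, and there the search space decides the outcome.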
What is a strong password?
Entropy and search space come into play. What is entropy? It is the measure, in bits, of how unpredictable a password is: how many equally likely candidates an attacker must sift through. Think of our complex, hard-to-remember, but easy-to-crack password from earlier: "n&}P2^XJ". Drawn at random from the 95 printable characters, it has about 52 bits of entropy, which sounds respectable, but 2^52 guesses is within a day's reach of a GPU cluster against a fast hash. Complexity alone, at 8 characters, does not deliver enough entropy to make a strong password.
Search space is the total number of passwords that can be formed from a given alphabet and length: the alphabet size (upper/lower case, numerals and special characters combined) raised to the power of the length. Because length sits in the exponent, adding one character multiplies the search space by the whole alphabet, while adding a character class only enlarges the base. In simple terms, the length of the password, in characters, matters most, with some complexity added.
Let's look at the statistics in this table (only the column headings and one value survived; the figures were computed for the two passwords above):

Columns: Search space (possible password combinations) | Easy to remember | Easy to crack | Time to crack
Thisisagreatpassword!: time to crack 1.06 hundred thousand trillion centuries
While "Thisisagreatpassword!" takes an enormous amount of theoretical time for advanced cracking systems to exhaust, does that make it a strong password? Yes and no. That time-to-crack figure is the worst case for a blind brute-force search, and statistics is a funny thing. Have you heard of anyone winning the lottery on their first try? It does happen. Likewise, depending on how password crackers order their search (common words and phrases first, then mangling rules, then raw brute force), they could hit your password long before the search space is exhausted, and a phrase assembled from dictionary words is exposed to a word-level attack. The point is to make it as difficult as possible for the crackers to ever reach your password.
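The search-space arithmetic behind the table, as an added example that is not from the original post: a small Python calculator for alphabet size, search space, entropy and worst-case brute-force time. The guess rates are assumptions chosen here: 3.5e11 guesses per second approximates the 2012 cluster against unsalted NTLM, and 1e14 per second (a "massive cracking array"), with a 33-symbol class and every shorter length counted, reproduces the table's 1.06 hundred thousand trillion centuries for "Thisisagreatpassword!".

```python
"""Search space, entropy and brute-force time (added example; rates are assumed)."""
import math
import string

# Character classes as a brute-force attacker configures a mask: once a class
# appears anywhere in the password, the whole class is searched in every
# position.  Symbols = 32 ASCII punctuation characters plus the space (33).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation + " ",
}
SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600


def alphabet_size(password: str) -> int:
    """Size of the smallest union of classes that covers every character."""
    used = set()
    for ch in password:
        for name, chars in CLASSES.items():
            if ch in chars:
                used.add(name)
                break
        else:
            raise ValueError(f"character {ch!r} is outside printable ASCII")
    return sum(len(CLASSES[name]) for name in used)


def search_space(password: str, include_shorter: bool = True) -> int:
    """Candidates a brute-force search must cover: alphabet**length, plus every
    shorter length when the attacker walks the lengths upward."""
    n, length = alphabet_size(password), len(password)
    if include_shorter:
        return sum(n ** k for k in range(1, length + 1))
    return n ** length


def entropy_bits(password: str) -> float:
    """Entropy of a password drawn uniformly from this alphabet and length:
    simply log2 of the search space, so length (the exponent) dominates."""
    return math.log2(search_space(password, include_shorter=False))


def crack_time_seconds(password: str, guesses_per_second: float) -> float:
    """Worst-case time to exhaust the search space at the given guess rate."""
    return search_space(password) / guesses_per_second


def crack_time_centuries(password: str, guesses_per_second: float) -> float:
    return crack_time_seconds(password, guesses_per_second) / SECONDS_PER_CENTURY


if __name__ == "__main__":
    for pw in ("n&}P2^XJ", "Thisisagreatpassword!"):
        print(f"{pw!r}: alphabet={alphabet_size(pw)} length={len(pw)} "
              f"entropy={entropy_bits(pw):.1f} bits")
        print(f"  assumed 2012 GPU cluster, 3.5e11/s: "
              f"{crack_time_seconds(pw, 3.5e11) / 3600:.1f} hours")
        print(f"  assumed massive array, 1e14/s: "
              f"{crack_time_centuries(pw, 1e14):.3g} centuries")
```

The 8-character password uses all four classes (95 symbols) but still exhausts in about five hours at the assumed 2012 rate; the 21-character phrase uses only three classes (85 symbols) and its worst case is some 1e17 centuries. The contrast is the exponent at work, and it says nothing about how soon a dictionary pass might reach a phrase made of words.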
Back to NIST…
NIST has revised its password guidelines, as it does periodically. The current guidance (SP 800-63B) still sets 8 characters as the bare minimum for a user-chosen password. Should that be your enterprise password policy? Probably not, unless the variables affecting your IT environment are the same as 20 years ago, or you can afford to lose control of your data or afford regulatory fines for those losses. The rest of us want a more secure password policy. This is also where NIST steps in. At the other end, the revised guidelines tell verifiers to accept passwords of at least 64 characters, to drop composition rules (the forced mix of upper case, lower case, numbers and symbols) and periodic forced changes, and instead to screen new passwords against lists of common and breached passwords. Why? Because NIST recognizes the value of a long password in protecting your IT assets from credential exposure via password cracking, and that composition rules mostly produce predictable variants of weak passwords.
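What those guidelines look like as a verifier-side acceptance check, as an added example written here and not taken from NIST or from the original post: minimum 8, accept at least 64, no composition rules, a blocklist of common and breached passwords, and a ban on context words such as the username. The blocklist is a constructed stand-in for a real corpus (a production system would load a breached-password list), and the length is counted in Unicode code points after NFKC normalization, as 800-63B asks, so a character typed with a combining accent counts once.

```python
"""Password acceptance check in the spirit of NIST SP 800-63B 5.1.1.2 (added example)."""
import unicodedata

MIN_LEN = 8    # 800-63B: memorized secrets SHALL be at least 8 characters
MAX_LEN = 64   # 800-63B: verifiers SHOULD accept at least 64; raise, never truncate

# Constructed stand-in for a breached/common password list; real deployments
# hold millions of entries and compare case-insensitively.
BLOCKLIST = {"password", "password1", "p455w0rd1!", "qwerty123", "letmein", "welcome1"}


def effective_length(candidate: str) -> int:
    """Length in Unicode code points after NFKC normalization, so 'e' plus a
    combining acute accent and the precomposed 'é' count the same."""
    return len(unicodedata.normalize("NFKC", candidate))


def check_password(candidate: str, context_words=()) -> tuple:
    """Return (accepted, reason).  Deliberately no composition rules: a long
    all-lowercase passphrase with spaces is accepted, a blocklisted 'complex'
    password is not."""
    secret = unicodedata.normalize("NFKC", candidate)
    length = effective_length(secret)
    if length < MIN_LEN:
        return False, f"shorter than {MIN_LEN} characters"
    if length > MAX_LEN:
        return False, f"longer than {MAX_LEN} characters (raise MAX_LEN rather than truncating)"
    if secret.lower() in BLOCKLIST:
        return False, "appears in the common/breached password list"
    for word in context_words:          # username, service name, and the like
        if len(word) >= 4 and word.lower() in secret.lower():
            return False, f"contains context-specific word {word!r}"
    return True, "ok"


if __name__ == "__main__":
    for pw in ("n&}P2^XJ", "Thisisagreatpassword!", "P455w0rd1!",
               "correct horse battery staple", "short1!"):
        print(f"{pw!r}: {check_password(pw)}")
```

Note that "n&}P2^XJ" passes: NIST's floor is a floor, which is exactly why the post argues for a policy above it. The blocklist, not a composition rule, is what stops "P455w0rd1!".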
Are Password credentials enough to protect your assets?
No. Passwords are not enough to provide secure authentication. Once again, things are not as they were 20 years ago. Our practices shouldn’t be either.
Multifactor authentication should be used to enhance strong passwords. It combines two or more of: something you are (biometrics), something you know (password/PIN), and something you have (a token fob or a card, magnetic stripe or RFID).
Sure, MFA means more cost, administration, user training, etc. But can you afford to lose control over your data (PHI, PII, financial records, etc.)? Where are things going in the next 20 years? Quantum computing, for example: how long will it take to crack a strong password then?
Use MFA with a strong password/passphrase of at least 14 characters with some complexity. Defense in depth: layer your security.
Credit to: ARSTechnica.com, NYPost.com, NIST.gov
Brian R. Kunick is a CIO/CSO serving the operational and security requirements of the enterprise.
We talk about how what was good enough 20 years ago isn't good enough today. It's amazing when you think about it and, no doubt, soon enough we'll be saying "What was good enough 3 years ago isn't good enough for today!"
Things are evolving exponentially faster today. The technology that allows the attackers to crack PWs is evolving at light speed compared to 20 years ago.
I feel that MFA will become the base standard for authentication and access control within the next few years. If you don't have it, you'll be considered way behind and COMPLETELY vulnerable to brute force attack.
I think the battle is to try and walk the familiar line between ease of use versus security. I agree the overly complicated NIST requirements and the horrible password practices that it spawned were actually detrimental to good password practices. It has to be at least 14 characters long, 1 from each group, no character repeated more than twice in a row, not a common dictionary word or a L33T version of said words, AND don't write it down. Oh yeah, have another one ready to go in 90 days because we are going to make you change it and it can't be any of the last 10 really difficult but easy to remember passwords that you came up with.
I write my passwords down in a big book. WHAT? You say?
I reuse passwords? Again you may be shaking your head saying that I am violating all of the "good" password rules we learned while preparing for the CISSP. But here's my catch:
If you got a hold of my book you would not be able to log in with any of them without cracking my code. Basically it is more of a password hint book. When I reuse my passwords I do it because I group like-minded accounts together, e.g., all of my learning/training accounts use the same password, so if you were able to crack my code you would only gain access to my learning accounts. And the passwords for my financial accounts are way different (and I do not reuse a password for the important accounts, or I vary them enough that you would lock them out before guessing). Each email address has a different password. My password reset requests are sent to my phone and a backup email address.
We have got to find ways to help people come up with more secure methods for using passwords while at the same time making it easier for them. I like the example showing how using a simple phrase can make it harder for the attackers to crack but easier for the user to remember. I am a big believer in using hidden-in-plain-sight passwords. Got a favorite phrase on a sign in your office? "Those Who Do Not Remember History Are Doomed To Repeat It. - Albert Einstein. 1947." = TWDNRHADTRI-ae1947. That would be pretty hard for a machine to crack but right where the person using the computer could see it or remember it. (And please do not assume that that was a correct quote attributed to the correct person and timeframe; I just made it up to provide an example.) Teach the users how to make it simpler and easier for them. Also educate them on how a hacker would compromise their accounts. Go through the process they would use. Show them the vulnerable points in their thought process around passwords. Show them how answering a seemingly innocent quiz/survey on Facebook of "What kind of princess are you?" could be getting them to disclose the answers to the security questions in their verification process for password resets (e.g., what is your favorite color?).
The answer lies in education. If you are not involved in your new employee education process at work, get involved. Ensure what the new employees are given is timely and useful. If you hear misinformation being given out at family gatherings, speak up and educate them.
I use a password safe myself. Bear in mind this approach has some pros/cons also.
The good part:
1) Human Memory: I can track 200 unique passwords in a single spot. I really only have to remember the password to get in to the password safe.
2) Password Generators: I can have the safe automatically generate random passphrases of appropriate length that also fit the varying complexity requirements for each account.
3) Personal Dictionary: As sites get different passwords, an attacker can use my cracked passwords as a personal dictionary attack to try to crack sites with better security using my password patterns from sites with weak security.
The items to watch:
A) Encryption Strength of the Password Safe: AES-256 or better is recommended.
B) The Password of the Password Safe needs to be really, really, really strong. It protects all other accounts you have access to. It should actually be no less strong than any account in the safe.
C) Password Capture: the system where the password safe resides is the gold mine for a key logger or protected-memory capture, in clear text, of the password for the password safe. Triple up on system hardening of the system with the password safe. Information security operations are finding hacked smartphones of systems administrators where the password safe was downloaded and the password captured, usually by a key logger.
D) Automatic password entry into a website, tool for a reduced sign-on experience means that the browser cache is a prime target for capturing passwords.
Recommendations for safer uses of Password Safes or Encrypted Drives with vital data files:
1) Never, Ever store the password for a password safe in a Key Chain, Browser Cache, etc. MEMORIZE the beastly password.
2) Use Physical Security to protect the system with a password safe. A dual-mode attack could seek physical access to the system to download a copy and then, off site, submit the safe to cracking efforts. The physical security measures should be aimed to give you a tip-off that this has happened so the safe contents and safe password can be changed faster than the crack can succeed.
3) The password safe is not an excuse to relax on password strength: complexity, length or uniqueness per site. If 74% of users have the same password for their online banking as they use on other sites -- like Facebook -- then all the attacker needs to do is hack Facebook, then guess your bank. Your safe will not help you protect passwords from hacks of weaker websites. Use the safe to your advantage and be unique per site.
4) Go long even if the password is randomly generated. Pre-computed rainbow tables can still crack passwords whether they are in your safe or not. One digit longer than an attackers rainbow table saves the day.
@arctific The point with the password safe is you cut the number of passwords you have to remember down to 1 (the vault password), which you can then choose carefully and make as complex as you like.
Most of my previous comments were paraphrasing the latest advice from the UK NCSC, and my favourite password activist Troy Hunt, but it's clear to see we have basically created a system where people are forced to create passwords that are hard for humans to handle and just as easy for computers to guess, leading to work-arounds with passwords like P45sw0rd101! which are in most crackers' first tranche of tries, but password strength meters call them secure.
The simple plan is:
Dispose of complexity and increase minimum length (more characters increases combinations as x^n; more options is only nx)
encourage the use of password vaults
only enforce password change on indication of breach
dis-allow known or common passwords
Troy's post ties it all together:
Password strength re-imagined