Passwords continue to be the primary means that enterprises use to protect user identities. But what is protecting the passwords? After all, cybercriminals only need one compromised account to carry out their dastardly deeds within your enterprise. You on the other hand must protect every password for all of the users across your entire IT estate. Simple math shows that the hackers have the upper hand. That is why Forbes Magazine recently proclaimed that passwords are the weakest defense anyone can rely on in a zero trust world.
Reusing Passwords across Accounts
Periodic password resets seemed like a good idea in their time. When they came about, users had very few accounts to manage. Twenty years ago, few users had any online accounts other than with their employer, ISP and email provider. It is a completely different game today. According to a study from 2015, the average user now has 90 or more accounts. That is a lot of passwords to juggle, which is why as early as 2011, 60 percent of users admitted to using a single password across multiple accounts. Today that percentage approaches 90 percent; a 2018 study found that 68 percent use the same password for everything.
Users Choose Poor Passwords
With so much riding on passwords today, some thought and effort should go into selecting a robust password that is not predictable or easily cracked. Unfortunately, there are a lot of bad passwords out there. The most common passwords of 2019 largely duplicate the lists of prior years: passwords such as “12345678,” “password1” and “qwerty” dominate the list. This is why security-minded companies resort to strict password policies, which enforce things such as:
- Minimum number of characters
- Minimum password age
- Maximum password age
- Complexity requirements
Complexity requirements usually call for a mix of upper- and lower-case letters, numbers and non-alphanumeric characters. Many users satisfy them by substituting numbers or symbols for letters (such as the number 3 for the letter E) and consider this a clever practice.
For instance, a user whose password is “iLoveDogs” can satisfy the basic policy with variations such as 1lov3dogs, Iloved0gs or iLovedoG$. This is referred to as leetspeak, and unfortunately, attackers are all too familiar with it. Others simply append a number or the current year to their previous password.
Password-cracking tools are built for exactly this. They take a base word and apply mangling rules (case toggles, leet substitutions, appended digits or years) to generate every such variation, so a password that differs from a dictionary word, or from a previously breached password, by a single change is still recovered. There is nothing clever about it.
Just because users are not using obvious passwords such as “qwerty123” or “Password2020” does not mean they are not using passwords that are easily cracked. Users often choose context-specific passwords that are highly predictable. Cybercriminals know that users commonly pick passwords tied to their local area, such as regional sports teams, tourist attractions or local food. A company based in Chicago probably has users selecting passwords built from words and phrases such as windycity, thebears, wrigleyfield and jordans.
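The two paragraphs above describe how leet substitutions, case changes, appended years and local context words are all covered by an attacker's rule set. The following miniature mangling engine is an added example written for this page, not HALOCK's code or any cracking tool's source; the leet table, suffix list, seed words and the "leaked" hashes are constructed for the illustration, and real tools such as hashcat apply far larger rule sets than this.

```python
"""Added example (not HALOCK's code): a miniature password-mangling engine.

It shows why leetspeak substitutions, case changes and appended digits or
years add almost nothing against an attacker. Cracking tools such as hashcat
and John the Ripper apply rules like these to every word in a wordlist, so
"1lov3dogs", "Iloved0gs" and "iLovedoG$" all fall inside one small candidate
set generated from the seed word "ilovedogs", and local context words such as
"wrigleyfield" are just more seeds. The seed words, leet table, suffix list
and the "leaked" hashes below are constructed for this example.
"""
import hashlib
import itertools

# Substitutions attackers try (a subset of the common leet rules).
LEET = {"a": "4@", "e": "3", "i": "1!", "o": "0", "s": "5$", "t": "7"}

# Appended suffixes: nothing, a single digit, a symbol, or a recent year.
SUFFIXES = ([""] + [str(n) for n in range(10)] + ["!", "#", "$"]
            + [str(y) for y in range(2015, 2025)])


def case_variants(word, max_toggles=2):
    """Return lower, UPPER, Capitalised and every variant with up to
    max_toggles letters switched to upper case (e.g. 'iLovedoGs')."""
    base = word.lower()
    variants = {base, base.upper(), base.capitalize()}
    positions = [i for i, ch in enumerate(base) if ch.isalpha()]
    for k in range(1, max_toggles + 1):
        for idxs in itertools.combinations(positions, k):
            chars = list(base)
            for i in idxs:
                chars[i] = chars[i].upper()
            variants.add("".join(chars))
    return variants


def leet_variants(word):
    """Yield every combination of leaving each letter alone or replacing it
    with one of its leet substitutes."""
    options = [[ch] + list(LEET.get(ch.lower(), "")) for ch in word]
    for combo in itertools.product(*options):
        yield "".join(combo)


def candidates(seed, max_toggles=2):
    """Yield the full rule-expanded candidate set for one seed word."""
    for cased in case_variants(seed, max_toggles):
        for leeted in leet_variants(cased):
            for suffix in SUFFIXES:
                yield leeted + suffix


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def crack(target_hashes, seeds):
    """Try every candidate from every seed against a set of SHA-256 hashes.
    Returns ({hash: recovered plaintext}, number of guesses made)."""
    found = {}
    guesses = 0
    for seed in seeds:
        for cand in candidates(seed):
            guesses += 1
            digest = sha256_hex(cand)
            if digest in target_hashes and digest not in found:
                found[digest] = cand
    return found, guesses


# Constructed "leaked" hashes: what a hypothetical Chicago user base actually
# chose. In a real engagement only the hashes would be available.
CHOSEN_PASSWORDS = [
    "1lov3dogs", "Iloved0gs", "iLovedoG$",            # leet variants of one word
    "Wr1gleyField2020", "TheBears!",                  # local context words, mangled
    "four mismatched umbrellas under one lamppost",   # long passphrase, no seed
]
LEAKED_HASHES = {sha256_hex(p) for p in CHOSEN_PASSWORDS}

# Seeds an attacker would pick: a dictionary word plus Chicago-specific terms.
SEEDS = ["ilovedogs", "windycity", "thebears", "wrigleyfield"]


def run_demo():
    """Run the attack; returns (sorted recovered plaintexts, guesses made)."""
    found, guesses = crack(LEAKED_HASHES, SEEDS)
    return sorted(found.values()), guesses


if __name__ == "__main__":
    recovered, guesses = run_demo()
    print(f"{len(recovered)} of {len(CHOSEN_PASSWORDS)} recovered after {guesses} guesses:")
    for pw in recovered:
        print("  ", pw)
```

Running it recovers all five mangled passwords from a few hundred thousand guesses (a fraction of a second for a GPU against a fast hash); only the long passphrase with no dictionary seed survives. The point is that every "variation" a user invents is one rule application away from the seed word, so the variation adds no real strength.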
Why Popular Password Beliefs Must Evolve
A Forrester Research study found that 77 percent of IT departments require all staff to change their passwords quarterly. While internal IT can justify strict policies, users often view perpetual password resets as oppressive. Not only is the continual reset process openly resented by many, it encourages users to game the process: rather than creating a secure password, they satisfy the reset request with minimal effort. The result is that users choose predictable passwords that are easy to remember and then make a small incremental change when prompted to; for example, ABc1234! becomes ABc1234#. In other words, forced password resets actually contribute to less secure passwords. What's more, reset-driven help desk calls cost money.
It has also seemed logical to prevent users from pasting passwords into their logon screens. While it may seem counterintuitive, allowing users to paste credentials encourages them to select longer passwords and to use password managers rather than writing passwords on sticky notes attached to their monitors. The newest recommendations therefore run contrary to accustomed practice, because recommended practice has evolved with the times. The current guidance includes:
- Drop periodic password changes and expiration policies; require a change only when there is evidence of compromise
- Drop the arbitrary complexity (composition) requirements
- Screen new passwords against lists of commonly used or compromised passwords
- Allow passwords to be pasted into logon fields so that password managers work
- Do not use password hints or the knowledge-based questions we have all grown accustomed to
You can read all of the 2019 NIST password guidelines in NIST Special Publication 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management.
Pick a Robust Password and Only Reset when Compromised
The best thing your users can do is select a robust password. A long password that does not contain predictable words or character arrangements is far more effective than changing one character every 90 days. New passwords should be vetted against lists of commonly used or compromised passwords, including cracking dictionaries and collections of compromised credentials circulating on the dark web, and there are services that alert you when an account or password turns up in a breach. Of course, you should not rely solely on passwords in today's threat environment: the password is only one factor in multi-factor authentication (MFA).
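The vetting step above, a denylist check plus a lookup against a breach corpus, as an added example written for this page (not HALOCK's code). The breach lookup follows the k-anonymity range protocol of Have I Been Pwned's Pwned Passwords service, where only the first five hex characters of the SHA-1 hash are sent and the server returns every matching suffix with its count; the denylist, the breach corpus and its counts are constructed, and serve_range() is an offline stand-in for the real API so that the example runs without network access.

```python
"""Added example (not HALOCK's code): vetting a new password against a
compromised-password corpus before accepting it.

Two checks are combined:
  1. a local denylist of common or previously cracked passwords, and
  2. the k-anonymity range lookup used by Have I Been Pwned's Pwned Passwords
     service: the client hashes the password with SHA-1, sends only the first
     five hex characters, and the server returns every hash suffix in that
     range with its breach count, so the full hash never leaves the client.
The denylist, the breach corpus and its counts are constructed for this
example, and serve_range() stands in for the real API so that it runs
offline; fetch_range() shows the real request shape but is never called.
"""
import hashlib
import urllib.request

MIN_LENGTH = 8  # NIST SP 800-63B minimum for user-chosen memorised secrets

# Constructed denylist: the "most common passwords" entries and local context words.
DENYLIST = {"12345678", "password1", "qwerty", "qwerty123", "password2020",
            "windycity", "thebears", "wrigleyfield"}

# Constructed breach corpus with made-up counts; a real server holds
# hundreds of millions of SHA-1 hashes, never plaintexts.
BREACH_CORPUS = {"password1": 2_400_000, "qwerty": 3_900_000,
                 "12345678": 2_900_000, "windycity": 1_200, "iLoveDogs": 800}


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password):
    """Return the 5-character prefix that is sent and the 35-character suffix
    that stays on the client."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def serve_range(prefix):
    """Offline stand-in for the server side of the range API: every corpus
    entry whose hash starts with `prefix`, as 'SUFFIX:COUNT' lines."""
    lines = []
    for plaintext, count in BREACH_CORPUS.items():
        digest = sha1_hex(plaintext)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\n".join(lines)


def fetch_range(prefix):
    """The real call (not used by the demo). Add-Padding asks the service to
    pad the response so its size does not leak how many suffixes matched."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "password-vetting-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_range(text):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; padding entries have
    count 0 and are dropped."""
    counts = {}
    for line in text.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.isdigit() and int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, lookup=serve_range):
    """How many times the password appears in the breach corpus (0 = unseen)."""
    prefix, suffix = split_hash(password)
    return parse_range(lookup(prefix)).get(suffix, 0)


def vet_password(password, lookup=serve_range):
    """Apply the checks; 'ok' is True only when every check passes."""
    result = {
        "length_ok": len(password) >= MIN_LENGTH,
        "in_denylist": password.lower() in DENYLIST,
        "breach_count": breach_count(password, lookup),
    }
    result["ok"] = (result["length_ok"] and not result["in_denylist"]
                    and result["breach_count"] == 0)
    return result


if __name__ == "__main__":
    for pw in ["password1", "iLoveDogs", "Qwerty",
               "four mismatched umbrellas under one lamppost"]:
        print(f"{pw!r}: {vet_password(pw)}")
```

Note that "iLoveDogs" passes the length and denylist checks and is still rejected, because it appears in the breach corpus; that is the check a local policy cannot do on its own. To use the live service, pass fetch_range as the lookup argument; the prefix is all that leaves the client, and rejecting any non-zero count is the conservative policy.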
“80% of hacking-related breaches leveraged weak and compromised passwords.”
HALOCK is a trusted cyber security consulting firm and penetration testing company headquartered in Schaumburg, IL in the Chicago area servicing clients throughout the United States on reasonable security strategies and implementation.