It probably goes without saying, but password security is one of the biggest pain points for any organization, no matter their size or the industry they operate in. Passwords are one of those security issues to which no one is immune, of which everyone is aware, and for which nobody wants to be responsible.
A common theme I see recurring over and over is that organizations tend to blame the end user for poor password security. This blame falls in line with the philosophy that the human is the weakest link and we must somehow modify human behavior to resolve this huge security issue that plagues all of us. This thought process leads to two standard solutions. The first solution tends to be security awareness training focused on password security. The second solution tends to be the publication of password security policies that are then in turn enforced by software or technical controls.
Both of those solutions probably fit right in line with most of our own thoughts and ideas on password security, as it sounds very reasonable. If the user is to blame for weak password security, we most certainly should deal with that issue with behavior modification and protect our company with written policies that are monitored and enforced with technical controls. But is that really enough?
Let's first look at the five most common “best practice” recommendations I have seen for password security:
- Choose a good strong password that is hard to crack (complex password).
- Never share a password.
- Never reuse a password for different accounts.
- Change your password often and on a regular frequency.
- Never write your password down or store it.
This short list is obviously not the end-all, be-all list of recommended best practices for password security, but I am fairly confident these five basic items can be found in the vast majority of the password security training and policies that exist today.
If these are the five most common best practice password security recommendations, what could possibly be wrong with them? The answer is really quite simple: for most of us they are completely unrealistic.
For example, I personally have well over 200 authentication credentials I have to maintain, and I bet most people who moderately use the Internet maintain well over 20 sets of authentication credentials for various services and applications. Can anyone possibly follow these five best practices for more than 20 or so accounts?
Basically we are asking our users to memorize 20+ unique, random strings of alphanumeric and special characters, and to replace them on a rotating schedule. Strings like “$gY7-L2v”, which is just 8 characters in length. Can it really be done?
Most security awareness training techniques with great intentions tend to recommend using memory tricks. One such memory technique is visualizing an unrealistic story line for each character as described in “Moonwalking with Einstein” by Joshua Foer. Another is using a photograph, image, or object as a reference to construct a three to four word sequence that describes it. For example take the following image:
Constructing a four word password string related to this image could be something like “[email protected][email protected]+f1Ght”, which is just “ninja cat fight” with a few character substitutions. Another common technique I hear recommended all the time is to use lyrics from a favorite song.
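The two kinds of password discussed above, the random 8-character string and the three-to-four-word phrase, can be compared on the one quantity a password manager or a strength meter actually reasons about: bits of entropy. The following Python is an added example, not code from the original post or from any of the products it names. It generates random strings of the “$gY7-L2v” kind the way a password manager would (using `secrets`, with rejection sampling so that every character class is present without biasing any position), and it computes entropy for a random string and for a passphrase drawn from a word list. The 94-character alphabet (letters, digits and `string.punctuation`) and the 7776-word list size are my assumptions, not figures from the page; the `naive_bits` estimator treats any password as if it were uniformly random over the character classes it uses, which is why it overestimates the strength of a phrase such as “ninja cat fight” with substitutions.

```python
import math
import secrets
import string

# Character classes for the random-string style of password ("$gY7-L2v").
# string.punctuation holds 32 symbols, so the alphabet is 26+26+10+32 = 94
# characters (an assumption of this example; space is deliberately excluded).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}
ALPHABET = "".join(CLASSES.values())

# Size of a diceware-style word list; assumed here, not taken from the post.
ASSUMED_WORDLIST_SIZE = 7776


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random sequence of `length` symbols, each drawn
    independently from an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def has_all_classes(password: str) -> bool:
    """True when the password contains at least one character of every class."""
    return all(any(ch in chars for ch in password) for chars in CLASSES.values())


def random_password(length: int = 8) -> str:
    """Generate a password such as '$gY7-L2v' from a CSPRNG.

    Rejection sampling (draw, check, redraw) keeps the result uniform over all
    strings that satisfy the class rule; forcing one mandatory character into a
    fixed position would skew the distribution and slightly lower the entropy.
    """
    if length < len(CLASSES):
        raise ValueError("length too short to contain every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def naive_bits(password: str) -> float:
    """Strength estimate of the kind many meters use: assume the password is
    uniformly random over the union of the character classes it uses.

    This is an upper bound. A dictionary phrase with a few substitutions
    ("ninja cat fight" style) scores as if it were random, which it is not.
    """
    alphabet_size = sum(
        len(chars) for chars in CLASSES.values() if any(ch in chars for ch in password)
    )
    if alphabet_size == 0:
        return 0.0
    return entropy_bits(len(password), alphabet_size)


if __name__ == "__main__":
    pw = random_password()
    print(pw, f"{entropy_bits(len(pw), len(ALPHABET)):.1f} bits")
    print(f"four random words from a {ASSUMED_WORDLIST_SIZE}-word list: "
          f"{entropy_bits(4, ASSUMED_WORDLIST_SIZE):.1f} bits")
    print(f"naive estimate for 'password': {naive_bits('password'):.1f} bits")
```

The comparison is the point of the example: an 8-character random string over 94 symbols is about 52 bits, and four words chosen at random from a 7776-word list is about the same, which is what makes word-based phrases attractive for the handful of passwords a person must actually remember (the manager's master password). The catch is that phrases derived from an image or a song lyric are chosen, not drawn at random, so the word-list figure is a ceiling the naive estimator cannot see past.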
All of these memory techniques work in theory, but can the average human use them effectively for more than, say, 20 password strings? Based on our penetration testing data I would venture to say no. We constantly find users reusing passwords and storing passwords in text files, which is probably not much of a surprise to most of you.
So if we can’t fully blame the user because we are asking them to do the impossible, should we blame the organization? Well I believe the blame should be shared equally. The excuse that password security is completely broken solely because of the user really shouldn’t fly.
Organizations really can't fully solve this problem all by themselves. There are, however, options available that can greatly reduce the password security vulnerability. Password managers, or password vaults, exist and have come a very long way in the past few years to help resolve this issue.
A few popular password management options are: LastPass, KeePass, RoboForm, Password Genie, SplashID Safe, and Dashlane. Some of these support enterprise feature sets, while others do not. Organizations should create an evaluation matrix with a set of required features and then evaluate each of these solutions, and others, against those requirements before selecting one, as each solution comes with its own set of pros and cons.
These password managers will not completely solve the password security problem, but they will greatly reduce the risk associated with it. There are, however, new risks we should be aware of, such as the recently disclosed LastPass XSS attack, which is a pretty ingenious social engineering attack. Of course this is just one example, and LastPass is not the only password manager that has patched security vulnerabilities like that one; KeePass, for example, had a similar issue a few years back.
Just because a security control, such as a password management solution, is not bulletproof does not mean we should not implement it. If we made all our security solution selections based on that criteria, we would not purchase or implement anything! Just about everything in technology can be misused, abused, and most likely compromised in some shape or fashion. We should, however, be aware of the attack surface for any solution we select and then make a well educated risk based decision.
If organizations implemented a password management solution, continued to provide password security awareness training, and enforced password security policies with technical controls, what impact would it have on the overall security posture of that organization? My guess is it would be a very positive one! I recommend we share the blame for weak password security with our end users and start thinking of solutions that can reduce risk and strengthen our security posture. We should definitely not sit idle and wait for that perfect solution to come to realization.