Good password hygiene is part of any individual’s basic InfoSec. Whether at home or at work, it is imperative to manage your passwords and credentials for the many services you rely on each day.
Data is more and more valuable. Yet the passwords we use haven’t kept pace. So what are people to do? Why is the messaging around good password usage so mixed?
All Your Creds Belong To Us
The password dumps just get bigger and bigger. This summer the largest dump of passwords ever was found. Over 10 billion (yes, with a B) were dumped. I don’t know how much is noise (or old passwords) but that’s a lot of credentials to try running through online banking, email accounts, and social media.
Mixed Messaging on Passwords
Recently, NIST proposed a befuddling set of password guidance. Anytime I see something labeled as “common sense” I get the feeling that these are not deep thoughts. The full proposal is here – you can read it and tell me what it says because I haven’t. That’s an awfully long document to detail common sense. Can’t this be simpler?
Efforts like this muddy the waters and cause confusion among people who try to manage all their logins for all their online services. To be sure, there are some good ideas here. Specifically I’ll pull out 3 to comment on.
- Verifiers and CSPs SHALL NOT require users to change passwords periodically. However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
- Verifiers and CSPs SHALL NOT permit the subscriber to store a hint that is accessible to an unauthenticated claimant.
- Verifiers and CSPs SHALL NOT prompt subscribers to use knowledge-based authentication (KBA) (e.g., “What was the name of your first pet?”) or security questions when choosing passwords.
Taking them on in order:
- The first point I disagree with, for two reasons: if people choose weak passwords, we would want them to change them more frequently, while if people choose strong generated passwords, we still need turnover over time. I think there’s a happy medium between changing your password every 45 days and never. Is it really too much to change a password every 6-12 months?
- The second point is good – no arguments here.
- Secret questions bother me because they lull the user into thinking it is fine to enter the real answer to what is being asked. What’s the point of generating a strong 18-character password (upper, lower, number, special characters, not used in the last 3 passwords, no series of repeating characters) when an attacker just has to say “I forgot my password” and plug in your mother’s maiden name?
While the intent is good, the messaging is poor.
MFA To The Rescue
Multi-factor authentication is a great thing and you should use it wherever possible. However, some articles may confuse people by over-simplifying the situation. Take these two articles:
The first point I’ll make about article #1 is:
Because here’s the thing: When it comes to composition and length, your password (mostly) doesn’t matter.
OK, that’s not helpful. MFA is a good thing, but only in tandem with strong passwords. The principle of “something you know” plus “something you have” or “something you are” (think biometrics) helps keep you safe and secure. It’s not true or helpful to tell people that their passwords don’t really matter and that MFA is magic pixie dust.
Yes, authenticators are vulnerable. MITM is a thing, as is SIM-swapping. But all this just confuses people who choose lousy passwords, because they hear all this unnecessary complexity and say “forget it! I’ll just come up with a password I could memorize drunk and use it for everything I can, as a default”. Think that doesn’t happen? Go back and look at the billions of leaked passwords and search for the most common ones. Spoiler: you’re gonna see a lot of “p@ssword” type credentials.
Brute Force is More Brutal Than You Think
Simple passwords are easy to crack. Many common passwords used today can be cracked in short order simply by brute force.
Kaspersky does solid security research and has a great AV program. Sadly it won’t be around for US customers, but that’s for another blog post. In this post, they spell out how the brute-force math makes it rather easy to crack weak passwords with modern hardware.
A few big takeaways are:
- Dictionary words are a lot easier to crack
- Most passwords are not long enough
- Most passwords lack diversity of characters (letters, numbers, symbols)
At the end they point out the obvious:
The best passwords are random computer-generated passwords.
Conclusion
Use a password manager. Please! They work, are easy and convenient to use, offer much greater security for your credentials, and are cheap. Just this one simple act will make your InfoSec posture so much stronger. It is the low hanging fruit that I implore you to pick.
But if that doesn’t do anything for you – have a South Park clip – just replace the money and banking with your password and data breach.
Thanks for reading!