Why a culture of poor password hygiene continues to thrive


Passwords remain the number one form of authentication, even though they can leave an organization vulnerable to attacks if appropriate cybersecurity measures are not in place. They’ve been around since the Internet was invented and are not likely to go away for years to come, despite the proliferation of ‘passwordless’ conversations generating some buzz.

About the author

Darren James is a Product Specialist and cyber security expert at Specops Software.

Currently, there are billions of passwords available on the Dark Web, aggregated through attack methods ranging from brute force to malware to phishing, and then used in password spraying and credential stuffing attacks. Such attacks succeed because 65% of users reuse passwords, according to a 2019 Google study. So it’s no surprise that stolen or compromised credentials are one of the leading root causes of malicious attacks. In fact, according to IBM’s 2020 Cost of a Data Breach report, one in five companies that suffered a malicious data breach was infiltrated due to stolen or compromised credentials.

Passwords are oftentimes the sole key to unlock access to various applications, resources and sensitive data, yet we still see poor password hygiene leading to some pretty major data breaches.

Poor password hygiene: out in the wild

So, what does poor password hygiene mean? Essentially, these are the mistakes that leave the door wide open for attackers. And given that security is not top of mind for users, the onus falls on IT to ensure that they are enforcing password security with solutions that prevent users from:

  • Reusing passwords, or more specifically, using compromised passwords
  • Using very weak, easily guessable passwords, such as those containing the word password, common keyboard patterns like qwerty, or terms related to the organization such as its name, location and other common identifiers
  • Changing passwords without changing the base word and adding sequential characters at the end (e.g. changing password1 to password).

Even large organizations get this wrong. For context, several major breaches can be traced back to compromised passwords as the source of entry, including:

  • Marriott International: in 2020 attackers obtained the login credentials of two Marriott employees compromising a reservation system and ultimately exposing payment information, names, mailing addresses, phone numbers, email addresses and passport numbers of up to 500 million customers
  • Uber: in 2016 an attacker gained access to Uber’s data storage through credential stuffing. The attacker leveraged an Uber employee’s previously compromised credentials for other websites to access their GitHub account ultimately exposing the data of 600,000 Uber drivers and 57 million Uber riders
  • Home Depot: in 2014 attackers utilized stolen credentials of a 3rd party supplier to infect Home Depot’s network with malware that stole 40 million customers’ payment card data and email addresses
  • Dropbox: in 2012 attackers were able to steal the email and passwords of over 70 million Dropbox users due to an employee reusing a password hacked from another website.

Poor password hygiene: why is this still a problem?

Poor password hygiene persists primarily because it is not recognized as a problem or as a potential threat. For instance, a common misconception is that attackers typically target large organizations. In fact, attackers do target SMBs, and have done so increasingly since the pandemic because of the accelerated adoption of online applications and remote technologies, which can be prone to misconfiguration and lack secure access policies. According to Verizon’s 2020 Data Breach Investigation report, SMBs experienced 417 incidents in 2020 with over half of those disclosing data.

Another misconception is that organizations are secure when using two-factor authentication. Two-factor authentication is a security measure, not a fail-safe. Additionally, the password is still the first factor and, as such, should be as secure as possible.

With the majority of organizations globally utilizing Active Directory (AD), the perception that fine-grained password policy in AD is enough is common. However, it does not eliminate the use of compromised passwords or remove the use of weak password construction patterns. Another common feeling is that implementing and enforcing a robust password security policy will be complicated or create user friction.

Simplifying password security

It’s true that implementing a secure password policy can create user friction: users may forget their password because they can no longer use things like the word password, or they may fall back on poor password construction patterns. Therefore, it’s important to take the user experience into account to ensure the best security and user outcomes. The solution: remove the burden from the users and use technology instead.

Many organizations turn to NIST for guidance on this front. NIST recommends:

  • Setting a minimum password length of 8 characters to encourage the use of longer passwords
  • Removing password expiration and complexity due to their contribution to poor password behavior
  • Screening new passwords against a list of known leaked/compromised passwords

While recommendations provide a great starting point, it is essential to consider risk level. For instance, removing expiration guidelines can lead to a security gap as it takes organizations close to 300 days to identify a breach. So, if you’re not comfortable with removing expiry or are regulated by PCI or CMMC or any other standard that requires expiry and complexity, then you should look for technical solutions that can reduce the poor password hygiene issues these can create.

Things to keep in mind

When looking to implement a secure password policy, it’s important to consider the full password lifecycle from creation to reset/change. Therefore, solutions should:

  • Eliminate the use of common password construction patterns
  • Support user-oriented features such as passphrases (longer passwords that are memorable) and length-based password aging which rewards users with less frequent password expiration due to the length and strength of their password
  • Continuously block the use of leaked passwords
  • Enable users to reset their passwords with MFA from anywhere, using any device while providing clear password policy rule feedback to reduce multiple failed password change/reset attempts
  • Work with existing settings you already use such as Group Policy
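
The checks described in this article (leaked-password screening, weak-pattern detection, base-word reuse on change, and clear rule feedback) can be sketched as a single evaluation function. This is an added example, not code from the article or from any vendor product; the word lists, the organization terms and all function names are constructed assumptions.

```python
import re

# Constructed sample data (assumptions, not taken from the article).
LEAKED = {"password1", "qwerty123", "letmein2020", "summer2019!"}
KEYBOARD_WALKS = ("qwerty", "asdfgh", "zxcvbn", "123456")
ORG_TERMS = ("examplecorp", "springfield")  # hypothetical organization name and location
MIN_LENGTH = 8                              # the NIST minimum cited in the article
LEET = str.maketrans("@431!0$57", "aaeiiosst")


def normalize(password):
    """Lower-case and undo common character substitutions (P@ssw0rd -> password)."""
    return password.lower().translate(LEET)


def base_word(password):
    """Drop trailing digits and symbols first, so Winter2023! and Winter2024? compare equal."""
    return normalize(re.sub(r"[\W\d_]+$", "", password.lower()))


def evaluate(new_password, previous_password=None):
    """Return readable rule violations for the user; an empty list means accepted.

    previous_password is the value the user types during a change request.
    """
    problems = []
    # Check both the raw and the de-substituted form so digit runs and leetspeak are caught.
    forms = (new_password.lower(), normalize(new_password))
    if len(new_password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if new_password.lower() in LEAKED:
        problems.append("appears in the leaked-password list")
    if any("password" in f for f in forms):
        problems.append("contains the word 'password'")
    if any(walk in f for walk in KEYBOARD_WALKS for f in forms):
        problems.append("contains a keyboard pattern")
    if any(term in f for term in ORG_TERMS for f in forms):
        problems.append("contains an organization-related term")
    base = base_word(new_password)
    # An empty base (all digits or symbols) is not treated as reuse.
    if previous_password and base and base == base_word(previous_password):
        problems.append("reuses the previous base word")
    return problems
```

In production the leaked list would be a large, regularly updated set of hashes rather than a handful of plaintext strings.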

Passwords aren’t going away any time soon; organizations simply do not have the infrastructure to support a passwordless ecosystem. Thus, it’s important that every industry recommits to putting a progressive password security strategy in place.
