Why is Authentication Such a Problem?
IT Professionals are continuously frustrated by the fact that so many security incidents still stem from the seemingly simple issue of poor passwords. But is that really such a simple issue? Maybe not. If you unpack the reasons behind the persistent use of “Password123”, you’ll find at its heart high expectations for ease of use, coupled with exaggerated faith in the security of the technology. This is at odds with security professionals’ recognition that technology alone cannot protect our data. A strong firewall has to include the personal accountability of the humans using the technology.
The media is partially assisting the IT industry in bridging those conflicting perceptions by demonstrating daily the risks of poor security practices. As security professionals it is now our job to ensure that rather than having users throw up their hands in despair at the onslaught of breach stories, they instead see a clear path to simple actions they can take to combat the threat. Use of strong authentication is perhaps the most critical of these steps.
What is Authentication?
Authentication is the process for ensuring that authorized users have access to the information they need and preventing unauthorized users from gaining access to information they should not have. Authentication means verifying that someone is who they claim to be. Authorizing access by confirming someone’s identity is generally based on at least one of these three pieces of information:
|What you know||What you have||Who you are|
|What is it? Login and Password or PIN.|
Security Implications: Can be risky because it can be shared, stolen or broken by brute force attacks (programs that repeatedly try new character combinations until they stumble across one that works).
|What is it? A physical device that generates one-time use passwords or codes that are required to log in, in addition to a password or PIN. Can be a card, chip, dongle or app on a smartphone. |
Security Implications: Increases security by requiring a second type of authentication. Device can be forgotten at home or stolen.
|What is it? Biometric information like a fingerprint, voice or retinal scan.|
Security Implications: Extremely secure option because everyone has unique biometric markers. Biometric data is always available and never forgotten at home. Most expensive type of system and can cause privacy concerns from users who do not want their biometric data saved.
The most common authentication method is What you know, which relies on credentials, or a login and a password. The login is often given to you (at work) or you use your email address. However, the password is usually left up to the user. And that’s where one large risk lies.
Why Is Password Management So Important and Yet So Difficult?
Automated tools are great for business. However, most businesses require multiple systems to capture all relevant information and keep everything organized. This means employees must work with multiple systems every day, just to do their jobs. Not to mention all the personal accounts and passwords a person likely has. Ideally, changing authentication systems could remove the need for passwords, but many organizations are stuck with legacy systems that only include a password option for authentication.
Best practice dictates that each system should have its own long and complex password, with no similarities or repetition. But let’s be realistic about this. We are human, with bad habits, busy schedules and work-arounds that we use to stay sane. Memorizing and reusing only one password is a common work-around for people who have too many things to remember. If forced to create and use more than one password, we rely on passwords that are easy to craft and easy to remember . . . and easy to crack as well. So ease-of-use and the need to remember too much are two starting points of poor password management.
What is Poor Password Management?
Poor password management refers to a combination of password-related decisions or tactics that put accounts at risk. This includes things like:
- Using overly simple, short, guessable or default passwords
- Saving passwords insecurely (e.g., written notes, spreadsheets – especially when stored on a company network or online, saved to browser, saved on unlocked devices)
- Reusing the same password on multiple accounts
- Sharing passwords
- Never changing passwords, even after a data breach or known compromise
- Entering passwords while on insecure networks like public wifi
Effects of Poor Password Management
Human nature is to follow the path of least resistance. We understand why people make these mistakes. Reusing simple passwords that are easy to remember makes technology manageable for non-technical users. But we also know that poor password management puts sensitive information at risk. Passwords are currently the main means we use to protect sensitive information about ourselves, employees, and organization. Poor password management opens the door to that data, meaning people are at risk of financial theft, identity theft, physical risk, and corporate espionage, just to name a few.
Think of your passwords as the keys to your digital life. Just like handing over your keys to a gang of thieves invites them to steal your mail, your car or possessions from you home, allowing hackers an easy opportunity to steal your data invites them to steal your money, identity, personal records, business and reputation. And depending on how you lock your home, it may also invite them to invade your and your family’s physical security as well.
Passwords Are Risky
Current statistics show that in the working world, passwords are the most used and least expensive but also least secure authentication option. Password reuse is common, despite organizational efforts to stop the practice. And even password sharing occurs at least sometimes.
- Passwords are reused an average of 5 times.
- 63% of companies prohibit employees from using the same password for different systems, yet 51% say they reuse their passwords for multiple accounts anyway.
- 69% of respondents admit to having shared a password with a colleague at least once.(1)
The obvious risk of sharing a password with a colleague is that unauthorized employees could gain access to private organizational information. But at least the unauthorized employee is a part of the company’s community, and odds are against the lapse creating an actual problem for the company. However, intentional data breaches over the past decade have exposed billions of passwords that are currently in use in systems all over the world. People who still use and reuse passwords from the password dictionary lists created from the breaches open their organizations up to much greater risks. These stolen credentials are used in over 70% of hacking breaches worldwide.(2) A Ponemon survey in 2018 found that, in the last year, 40% of responding companies had suffered an attack involving compromised employee passwords.(3)
What is Credential Stuffing?
One of the main reasons these hacks are so successful is because people reuse their passwords. A single-account password is only good for the one account where you use it. However, when passwords are reused, the likelihood greatly increases that a hacker with a list of a billion usernames and passwords gathered from a breach will come across your credentials in a password dictionary list. To find out, the hacker uses an automated tool to try the verified credentials. One computer can “stuff” the username/password pairs into a login page at a rate of about 30,000 attempts in a single hour. A success rate of 0.1%-2% means in a few weeks a team could end up with thousands of working accounts at their disposal. These statistics alone should be enough to convince you that password cracking is big business that is not going away any time soon.
Turning CyberSecurity Around
You know that cybersecurity is a problem, but do you know what to do to fix it? For many organizations, the first step is writing and enforcing a strong password management policy. In addition, there are a number of best practices, like user education, and using multi-factor authentication (MFA) and password managers, that can help users strengthen an organization’s human firewall.
Password Management Policies
Every company should have a comprehensive password management policy as part of their overall information security policy. It should be implemented across all impacted systems and should be shared and enforced among all end users. The policy should be discussed thoroughly and repeatedly so everyone understands the requirements and how to follow them. The best policies cover a minimum of topics such as password length and complexity requirements, password history and reuse, options to reset, change requirements and storage protocol.
Best Practices for Password Security
The National Institute of Standards and Technology (NIST), a U.S. government agency and technical leader, released updated guidelines for digital identity in 2017. They are published in the NIST Special Publication 800-63B: Digital Identity Guidelines, Authentication and Lifecycle Management. Much of the publication addresses technical recommendations for coding secure authentication and password storage systems. However, it also includes updated recommendations for creating secure passwords or PINs and authentication processes. These recommendations include:
- Requiring at least 8 characters and up to 64 characters, but no other complexity requirements
- Using a set of characters that is NOT on a blacklist of compromised or most commonly used passwords
- Using random words or concepts as passwords, rather than family names, addresses, meaningful dates, or other personal details
- Not allowing secret questions or hints to gain access to an account if the user has forgotten their password
- Only forcing a password change if there is evidence that the password has been compromised
Tactics for Writing Secure Passwords
So how does one write a secure but memorable password that is long enough but does not include any personal details? The most important factor is length. Each additional character makes cracking the password a more difficult task. After length is uniqueness. The two ways to gain someone’s password are to crack it or guess it. Using personal details for a password makes it much more guessable; so does using a dictionary word or published phrase. However, stringing together random words in an unfamiliar pattern, possibly including a number or special character, creates a unique code that only the user knows. Here are a few suggestions for increasing length and uniqueness:
- Combine words and numbers from a familiar room into a sentence.
- E.g., 8MugsandPlates1Cabinet
- Use homophones.
- E.g., Way2TooTwoWeigh
- Use the same sequence for numbers and special characters.
- E.g., Include 8787 and *&*&, which is 8787 while holding down the Shift key
- Truncate long, familiar words to create something familiar to you but hard to guess.
- E.g., If you were born in San Francisco, truncate it to Franci
- Choose words from favorite but old personal memories.
- E.g., 8yrsNewDogCampGrade2
- Choose words from a specific page in a favorite book
- E.g., From the first sentence of Pride and Predjudice, page 1 by Jane Austen: TruthManFortuneWife
- Mix and match techniques to create long memorable passwords.
- E.g., OldHouseFranci1875!*&%
Passwords are only one aspect of authentication. Multi-factor authentication means combining two or more authentication methods at a time – meaning pairing a password (What you know) with a one-time code (What you have) or biometric marker (Who you are) to your login. This tactic adds one more roadblock to anyone trying to access your account. MFA is especially helpful in reducing the effects of social engineering or eavesdropping theft of passwords.
The most widely available two-factor authentication is from an app that sends a code by email or text to a smartphone. In addition, adoption is increasing of cards and dongles that generate the one-use codes. Although not always available, if you have an MFA option with any account, you should use it.
If you’re going to require different complex passwords for each account, then it’s only fair to give users a tool to manage them. A study from the Carnegie Mellon Computer Science Department found that when users are annoyed by an organization’s password policy, they are 46% more likely to have weak passwords.(4) Thus, providing a tool to reduce annoyance and difficulty with complying is likely to improve password strength as well as user satisfaction. Unfortunately, only 22% of organizations currently require employees to use a password manager. Over half of respondents to two Ponemon surveys rely on human memory.(1, 3)
There are a number of strong password managers available now that make password management seamless and fairly easy. The advantage of using a password manager is that the user must only remember one long and strong password to open the tool. Then the tool remembers passwords for all the saved accounts. Most tools also have a password generator to help users craft strong passwords for every account. A password manager should be used for both professional and personal accounts to help users implement and keep track of unique passwords for each of their accounts rather than reusing the same password across the board. Most password managers also offer two-factor authentication for login or limit password storage to the local device to further secure such valuable data.
Finally, teaching users is a critical step for any organization trying to build their human firewall. Employees must understand why passwords can be insecure, what information they are protecting and why it is important. If not, they are much less likely to invest attention and effort in any solution. Additional topics that should be covered in security awareness and password management training include:
- Writing stronger passwords, or better yet, using a password generator.
- Using security tools like MFA and password managers.
- Following security best practices when using an insecure network like public WiFi.
Writing policies only goes so far. To increase system security, the system’s users must understand and follow the policies, use the tools and invest in building a secure organizational culture.
What about Passwordless Authentication?
Industry leaders are developing passwordless authentication systems, however their widespread adoption is still at least a decade away. Although the technology exists, much is still in the development stage and relies on multi-factor authentication rather than a completely passwordless solution. It will take time for user testing before viable stand-alone products will reliably work with legacy systems or organizations will be ready to invest in new compatible systems. Early adopters are paying top dollar for new technology, but initial pricing also likely outpaces the resources of most small and medium-sized businesses. Therefore, addressing password security is critical to securing our resources for at least the next 10-15 years.
What Can You Do?
The average individual today needs to remember passwords for dozens, if not hundreds, of personal and job-related online services — and this leads to taking shortcuts. But a nudge in the right direction can help change employee habits related to passwords. This short video on creating strong passwords uses statistics and facts to communicate the dangers of weak passwords. It helps get across the message about the importance of using strong passwords and the best practices for protecting them.
1 Ponemon Institute. (2019, January). The 2019 State of Password and Authentication Security Behaviors Report. Retrieved from https://www.yubico.com/wp-content/uploads/2019/01/Ponemon-Authentication-Report.pdf
2 Verizon Communications. (2019). 2019 Data Breach Investigations Report. Retrieved from https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf
3 Ponemon Institute. (2018, November). 2018 State of Cybersecurity in Small & Medium Size Businesses. Retrieved from https://keepersecurity.com/assets/pdf/Keeper-2018-Ponemon-Report.pdf
4 Mazurek, M. L., Komanduri, S., et. al. (2013, Oct 22). Measuring Password Guessability for an Entire University. Retrieved from https://www.cylab.cmu.edu/_files/pdfs/tech_reports/CMUCyLab13013.pdf
1 Chapple, Mike. (2018, Feb 21). Is It Time To Reevaluate Password Policy Best Practices? Retrieved from https://fedtechmagazine.com/article/2018/02/its-time-question-longstanding-password-security-best-practices
2 Newman, Lily Hay. (2019, Feb 2). Hacker Lexicon: What is Credential Stuffing? Retrieved from https://www.wired.com/story/what-is-credential-stuffing/
3 Townsend, Kevin. (2019, May 8). New Product Protects SMBs From Credential Stuffing Attacks. Retrieved from https://www.securityweek.com/new-product-protects-smbs-credential-stuffing-attacks