Passwords. The favorite topics of security pundits. This fundamental component of security is one of our favorite things to talk about, hypothesize about, and much like the mainframe – proclaim its demise. Sadly, at the rate we’re going passwords (much like roaches) will be around long after many of us have retired and moved on. So there you have it, passwords are the cockroaches of the security industry. If you’re tired of changing your passwords using complex formulas you’ll never remember and have found yourself wondering just what your corporate security team is thinking, this post is for you.
There is a reason we in security try to enforce strong passwords. In 2012 (mind you, that was several generations of hardware and software advances ago) if you could manage to use a mix of only upper and lower case letters, your password would have to be at least 10 characters to be effectively ‘secure.’ According to this post, nine characters took four days, while 10 characters took a whopping 169 days. Again, remind yourself that this is four-and-a-half years later. Things have advanced a lot, and time has not been good to our friend the password.
So, OK, it’s clear complex passwords are important. And it’s clear that much like your socks, we must change our passwords with some regularity to ensure that if they are compromised, they are no longer useful. And let’s face it, if your password has never been compromised then you’ve simply not been paying attention. So many online sites have been compromised and their passwords (plain-text or otherwise) published in caches all over the Internet that everyone is bound to have been hit at least once.
But now we have password policies that state things like you must have at least 10 characters with letters (upper and lower case), numbers and special characters. There are characters that are excluded, presumably because they were deemed a ‘security hazard’ by the developers or security folks. There are time restrictions like forced resets every 30 days. Sometimes there is a lower (minimum of eight characters) and upper (maximum of 12 characters) bound to password lengths which makes us wonder. Some websites won’t let you paste your password in, you have to type it. Of course that makes sense unless your password is a randomly generated one, like “ASDFKJhsdfg9ss9dfisdfh#(*&*(H” in which case, good luck. All of this leads to behavioral changes – but more on that in a minute.
Now we have multi-factor authentication requirements which change regularly, SMS messages and selfies – all insecure depending on whom you ask. Many of these are simply called out as insecure without really offering up something better for which the security community is quickly becoming famous. One day you’re being sent a token, then it’s an SMS to your phone, or some of your providers are now testing out selfies. Hey, why not.
OK, now back to the behaviors comment I made a little earlier. Rather than thinking about the validity of cracking any one password or complexity, let’s start to ask ourselves what behaviors these recommendations and requirements are driving. I can tell you for a fact that without a password manager nearly everyone I know re-uses passwords. Otherwise you have dozens if not hundreds of passwords you need to try and remember. Obviously that won’t work. So one person I know whom is in IT (not security) has developed a method. Write down all your passwords, the important ones anyway and put it on a note card in their wallet. This is what it’s come down to. And yet, when things go wrong we’re blaming the end-user for their poor password habits. Clearly, few of those who blame the user look at the password policies that drove that behavior.
So, the problem to solve: rather than trying to figure out how complex you can make password requirements before your users revolt is how to maintain good authentication hygiene while driving healthy behaviors from your users. Can we re-start the conversation around passwords with that lens, please? Rather than yet another article or rant on how people re-use passwords and get hacked, how about we look inward at how we can change behaviors in our users to discourage and minimize this behavior. Look … we’re going to be living with passwords for a very, very long time whether you want to admit it or not. Let’s address the root cause of the problems we’re seeing and start being seen as leaders.