Strong+Passwords

Password Advice

By Ian Nice - November 25th, 2018 Posted in Advice

From terrible to simple and secure.

Over my 20 year career in IT Security, I have worked with many technical solutions designed to replace passwords for authentication. Unfortunately none of these have been able to solve their inherent usability, convenience or complexity challenges, which has I think held back wide adoption and means that password problems remain.

However, technology isn’t fully to blame, there has been a problem with the advice provided to users on how to set good passwords and I think we made it impossible for a user to properly follow the advice.

Thankfully the advice has changed, and now the NCSC and ICO have published a number of very simple guides on how users can protect themselves from the majority of password related problems. This article and comic outline the problem with the advice from the last 20 years, and what we should all be doing now.

Password advice from ten years ago….

catroon#1

It is no wonder that corporate password rules and advice have been ignored. I know from seeing the problems caused by breached accounts that users have had to work around the rules by using incremental passwords, using simple password schemes and by reusing passwords across systems on an industrial scale. National Cyber Security Centre (NCSC) comment in their three random words blog post:

using ‘Pa55word!’ may follow the rules of a website, but is a bad password as it’s quite guessable. Typically if a cyber-criminal has the hashes to attack they will break them whatever rules are put in place.

We have also seen exponential growth in the use of cloud services, which means that some users have 100s of different accounts, sometimes on services they don’t even remember setting up.

Password problems are rife, and we see companies having unauthorised corporate account access, social media take over and targeted extortion emails on a daily basis.

cartoon#2

It’s 2018, and passwords are still the biggest threat to IT security for the majority of organisations. It’s not just me saying that, in the 2018 Data Breach Investigation Report, Verizon comment that:

given all the vulnerabilities out there, credential attacks are still the number one means the attackers attempt to get all up in your servers

Threat Status Trillion breach service was set up to provide customers with actionable intelligence relating to breached and stolen credentials. The problem of stolen credentials is so large that Verizon exclude some of the attacks caused by stolen credentials from their Data Breach Investigation Report executive summary statistics:

These are legitimate breaches, but due to the sheer number of them (over 43,000 successful accesses via stolen credentials), they would drown out everything else

Now the advice for passwords has been simplified greatly, and there are some excellent articles from the NCSC and ICO for organisations and users on how they should set their password policies and help their users to protect their accounts.

cartoon#3

Password manager – give users access to a password manager, which allows them to create a random, complex and different password for every online service they use. There are lots of types of password manager, and my next article will discuss the different types and how to select the right one.

Random work passphrases – Where a user has to set a password and commit it to memory (for example the master password for a password safe) then use three random words which can easily be remembered. These provide more entropy and are harder to crack that the majority of passwords generated from the 2008 advice shown in the comic above.

User multi factor authentication – Most online services support multi factor authentication, and I recommend they are used even if they do affect user experience. If users really object then at least set up MFA on critical accounts, including email (as this is often used for password reset services for other online accounts). In a future article I will discuss options that prevent having to set up tens of different MFA credentials on your phone.

Articles:

Threat Status 7,960

Breached Databases Analysed

Threat Status 4,540,717,237

Exposed Records Found