The CISO of a major university recently asked me about safe password use and best practices. We're talking here about ordinary user access to applications with low levels of criticality -- think student access to school email -- as distinct from sysadmin access or access to highly sensitive applications.
Specifically, this CISO wanted to know:
- Should passwords for students, staff and administration be automatically generated by the system or set by the users?
- Should users be required to conform to specific formats (that is, be required to include numbers as well as letters, avoid English words, and so on)?
- Should the system force changes every so often? If so, how often?
These are the very same questions that many of my enterprise clients ask me.
Now, we all know what the answers to those questions are -- or we think we do: Safe passwords are ones that are at least a certain number of characters long (typically 8 to 10) and contain a hodgepodge of letters, numbers and other non-alphanumeric characters (such as #, @, !, %). Machine-generated passwords are more secure than ones that users set for themselves. And systems should force password changes as often as possible.
So the answer to those questions ought to be easy.
The catch is, the higher you raise the bar for setting passwords, the more work it is for users. And shedding the perception that security is "not an enabler to the business" is one of the greatest challenges infosec organizations face.
Main password risks
In an era in which security needs to accelerate user productivity, rather than hamper it, CISOs should be asking themselves which of these constraints are truly necessary.
To answer that question, it helps to start by thinking about the risks you're attempting to mitigate by requiring safe passwords in the first place.
Generally speaking, there are three main risks:
1. Automated password guessing. An attacker's program tries candidate passwords, either against the live login (online guessing, which rate limiting and account lockout can throttle) or against a stolen copy of the password hashes (offline cracking, where nothing but the size of the search space and the cost of the hash function slows the attacker down). This is the reason we mandate specific password formats, such as mixing numbers, letters and non-alphanumeric characters: a larger character set makes exhaustive guessing more computationally intensive, and therefore more difficult.
For example, if you require a 10-character password drawn from upper- and lower-case letters, digits and the other printable symbols on a US keyboard, each position has 95 possible values: 26 upper-case letters plus 26 lower-case letters plus 10 digits plus 33 symbols. So a brute-force search would require 95 to the tenth power (95 x 95 x 95, and so on, ten times) guesses. That's around 6 x 10^19 -- sixty billion billion guesses.
I could be wrong -- I punched in the numbers rapidly on a calculator -- but regardless, it's a really big number, way too big for even a sophisticated system to easily compute.
Of course, most attacks are smarter than that. The so-called "dictionary attack" recognizes that people build passwords out of words, so it tries whole words and their common variants (a capitalized word followed by a couple of digits, for instance) rather than every combination of characters -- hence the prohibition against using actual words in passwords. Even so, the fact remains: exhaustively guessing a long password that isn't built from dictionary words is computationally intensive.
2. Automated password capture. End-user devices (phones and tablets as well as laptops) can become infected with keyloggers, and unencrypted networks are vulnerable to taps. This is the software equivalent of the skimmer-and-camera rigs used to capture PINs at ATMs.
3. "Over the shoulder" (or "Post-it") password capture. This is when one person gets hold of another person's password by old-fashioned physical spying. In fact, as TechTarget noted recently, password sharing poses a huge risk in the enterprise.
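To put numbers on the guessing risk described above, here is an added example of my own (not code from the original column) that computes the search space and the worst-case time to exhaust it for a few password policies, including the word-plus-digits pattern that a dictionary attack targets. The guess rates are assumptions: 10 per second against a throttled login page, and 10 billion per second against a stolen copy of fast, unsalted hashes on a GPU rig.

```python
import math

# Character-class sizes. Printable ASCII is 26 + 26 + 10 + 33 = 95 symbols.
UPPER, LOWER, DIGITS, SYMBOLS = 26, 26, 10, 33

# Assumed guess rates (constructed for illustration, not measured figures):
ONLINE_RATE = 10.0     # guesses/sec against a login page with throttling and lockout
OFFLINE_RATE = 1e10    # guesses/sec against stolen fast, unsalted hashes on a GPU rig

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(length: int, charset_size: int) -> int:
    """Number of distinct passwords of exactly `length` characters drawn from `charset_size` symbols."""
    return charset_size ** length


def entropy_bits(space: int) -> float:
    """Search space expressed in bits, for comparing policies at a glance."""
    return math.log2(space)


def years_to_exhaust(space: int, rate: float) -> float:
    """Worst case: every candidate is tried at `rate` guesses per second.
    The expected time to hit the right one is about half of this."""
    return space / rate / SECONDS_PER_YEAR


def dictionary_space(num_words: int, digit_suffix_len: int = 2, case_variants: int = 2) -> int:
    """Candidates a dictionary attack needs for the common 'Word' + digits pattern
    (e.g. 'Summer17'): every word, capitalized or not, followed by a short number."""
    return num_words * case_variants * 10 ** digit_suffix_len


def compare_policies():
    """Return (policy name, bits, years online, years offline) for several policies."""
    policies = {
        "10 chars, full printable ASCII": keyspace(10, UPPER + LOWER + DIGITS + SYMBOLS),
        "10 chars, letters and digits only": keyspace(10, UPPER + LOWER + DIGITS),
        "8 chars, full printable ASCII": keyspace(8, UPPER + LOWER + DIGITS + SYMBOLS),
        "16 chars, lower-case letters only": keyspace(16, LOWER),
        "dictionary word + 2 digits (100k-word list)": dictionary_space(100_000),
    }
    return [
        (name, entropy_bits(space),
         years_to_exhaust(space, ONLINE_RATE),
         years_to_exhaust(space, OFFLINE_RATE))
        for name, space in policies.items()
    ]


if __name__ == "__main__":
    for name, bits, online, offline in compare_policies():
        print(f"{name:45s} {bits:6.1f} bits  online: {online:.3g} yr  offline: {offline:.3g} yr")
```

Two things fall out of the table: a 16-character password of nothing but lower-case letters has a larger search space than a 10-character one drawn from all 95 printable characters, so length does more than symbol requirements; and the word-plus-two-digits pattern is exhausted in a fraction of a second offline, which is exactly what the dictionary attack exploits. The online column is where a lockout policy matters; the offline column is where only the password itself and the hash function matter.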
Which of these risks should most concern an enterprise? By and large, it's number three. Although many enterprises worry most about risk number one (automated guessing), the reality is that most hackers aren't going to train high-powered attacks on guessing a random employee's password. There are far richer targets out there -- if you're going to spend that many guesses capturing a password, why focus on a random user? Why not go for the keys to the kingdom and capture the email administrator's password, which could provide access to all the accounts and data on the email server?
As for risk number two, although it's a problem, it's not one you can fix by strengthening passwords. If your network or device is being tapped, you could require 300-character passwords written in Klingon, and the hacker would still obtain them.
Coping with risk number three
I recently read an online advice column in which a commenter remarked, "If you've been with your boyfriend for a while, you already know his phone password, because you've seen him type it in." Yikes! But she's probably right. And in open office spaces and corporate common areas, it's pathetically easy to capture a password by spying -- and if users leave passwords in Post-its in work areas, it's easier still.
Ironically, making passwords too complex actually increases the risk that something like this will happen. If you can't remember your password, you have to write it down -- and if it's written down, it's likely to be exposed, particularly in a communal work environment. That's the major risk of machine-generated passwords.
More effective password risk management
So what's the right answer? I asked my colleague and Nemertes' CIO John Burke, who, among his other accomplishments, also dealt with this exact issue in his role as an IT professional at a major university. He advocates taking a middle-of-the-road approach.
Specifically, Burke makes the following recommendations for making passwords more secure:
- Let users set their own passwords -- thus ensuring they're more likely to be memorable, and less likely to be written down or left lying around.
- Force changes on a regular basis -- monthly, in Burke's view -- and prevent users from re-using recent passwords. Both of these steps reduce the lifespan of a password, regardless of how it's stolen. Most software-as-a-service providers, including Salesforce and Microsoft, force regular changes and restrict password re-use.
- Require a relatively long password -- eight to 10 characters -- and require a mix of letters and numbers. On the other hand, Burke thinks requiring non-alphanumeric characters is probably going too far. But it is wise to eschew English-language words.
But Burke's most interesting advice on safe password use has to do with user awareness and training. He recommends that security professionals take the opportunity to teach users how to set a system for building passwords. That way, a user can create strong, memorable passwords and not be afraid of changing them.
One system he has relied on is to take the lyrics of an obscure song that he happens to know by heart, then select the first letter of each of the first three words, followed by three numbers, followed by the first letter of each of the next three words, and so on. The next password can use the second letter of each of those words, with the number incremented by one, and so on.
There are obviously endless permutations of such an approach -- I have my own featuring a nonsense phrase -- but the point is for users to create their own system that can be relied on to generate a regular stream of strong yet memorable passwords.
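Here is the song-lyric scheme as working code, an added example of my own rather than Burke's or the original column's. The lyric and the short word block-list are constructed for the example (it is not a real song, and a real deployment would check against a full dictionary); the rule that a word too short for the current rotation contributes its last letter is my assumption, since the text doesn't say what to do in that case. meets_policy checks the generated passwords against the middle-of-the-road policy above: eight to 10 characters, letters and digits, no dictionary words.

```python
import re

# Constructed sample lyric (not a real song), standing in for the "obscure song" in the text.
SAMPLE_LYRIC = "Silver rivers run beneath the quiet moon tonight"

# Small constructed block-list standing in for a real English dictionary check.
BANNED_WORDS = {"password", "silver", "river", "moon", "quiet", "night", "admin", "welcome"}


def lyric_password(lyric: str, round_no: int, base_number: int = 100, group: int = 3) -> str:
    """Build a password from a lyric using the scheme in the article: letter number
    `round_no` of each of the first `group` words, then a three-digit number, then
    letter number `round_no` of each of the next `group` words.  Each rotation
    (round_no + 1) moves one letter deeper into every word and bumps the number,
    so the user changes passwords without memorising anything new.
    Assumption made here: a word shorter than round_no + 1 letters contributes its
    last letter, so the scheme never produces an empty slot."""
    words = re.findall(r"[A-Za-z']+", lyric)
    if len(words) < 2 * group:
        raise ValueError(f"need at least {2 * group} words, got {len(words)}")

    def pick(word: str) -> str:
        w = word.replace("'", "")
        return w[min(round_no, len(w) - 1)]

    first = "".join(pick(w) for w in words[:group])
    second = "".join(pick(w) for w in words[group:2 * group])
    number = f"{base_number + round_no:03d}"
    return f"{first}{number}{second}"


def meets_policy(pw: str, min_len: int = 8, max_len: int = 10, banned=BANNED_WORDS):
    """Check a password against the policy recommended above.
    Returns (ok, reasons); reasons is empty when ok is True."""
    reasons = []
    if not (min_len <= len(pw) <= max_len):
        reasons.append(f"length {len(pw)} not in {min_len}-{max_len}")
    if not re.search(r"[A-Za-z]", pw):
        reasons.append("no letters")
    if not re.search(r"[0-9]", pw):
        reasons.append("no digits")
    lowered = pw.lower()
    hits = sorted(w for w in banned if w in lowered)
    if hits:
        reasons.append("contains dictionary word(s): " + ", ".join(hits))
    return (not reasons, reasons)


def password_schedule(lyric: str, rounds: int, **kw) -> list:
    """The sequence of passwords a user would move through over `rounds` forced changes."""
    return [lyric_password(lyric, r, **kw) for r in range(rounds)]


if __name__ == "__main__":
    for pw in password_schedule(SAMPLE_LYRIC, 6):
        ok, why = meets_policy(pw)
        print(pw, "OK" if ok else "REJECT: " + "; ".join(why))
    print(meets_policy("Password1"))
```

Note that the rotation step is fully deterministic: anyone who learns one password and the scheme can derive the next one, so the scheme buys memorability across forced changes, not secrecy against someone who already holds one of your passwords. That is consistent with the article's point that forced changes limit a stolen password's lifespan; they don't stop the thief from guessing what you changed it to if your system is obvious.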
Training for safe password use
Password-system training should be a part of every employee's security training. Password training should make sure users understand both the risks they're protecting against and how to put in place a system for generating passwords. In other words, it's not about teaching them a rote definition of a "good" password, but rather explaining the whys and the hows.
How to make this training effective? A lot depends on the corporate culture and on the training programs already in place. But in general, humor and interactivity go a long way. For instance, imagine an animated video clip that turns building a password system into an interactive game and rewards a "good" system with points. That's in addition, of course, to the automated controls already mentioned above, such as forcing passwords to be replaced periodically.