
Breaking bad password habits in the enterprise

Bad passwords bring unnecessary risk into organizations, but how bad are they really? Expert Randall Gamby assesses just how dire the situation is.

In discussions on authentication and the technologies available, people invariably compare authentication technology to the weak and feeble password. So are passwords the root of all evil in the world of authentication? The quick answer is, "no." Just as cars alone don't cause car accidents, passwords don't cause accounts to be victimized. In both cases, the issues arise due to a lack of education and bad practices in the proper use and handling of each of these. Passwords -- when used properly -- can be as secure as any other authentication technology, but because passwords have to be remembered, following strong password rules can be hard for a lot of people.

Bad habits that make bad passwords

Recently, security consultant Mark Burnett released 10 million passwords and usernames, stating that his sole motivation for releasing the data was to advance what's already known about the way people choose passcodes. While this was a legally questionable action to take, since these were real examples from leaked user accounts, his point should be well taken. People don't always make the best choices when selecting passwords. Many times the passwords selected are top-of-mind choices that are easy for the individual to remember. Content may include birthdates, children's names, pets' names, number sequences like parts of a Social Security number or tax identifier, and other easily guessed words from a person's life.

It doesn't help the security of a person's password when this information can be found freely posted on social media services like Twitter and Instagram and on other public-facing sites. To compound the issue, many people use the same password on numerous sites, which means that once the password is recovered, it can be maliciously used to access many or all of the sites the user has accounts with.

How do bad passwords affect organizations?


The issue of bad passwords has been focused on individuals, but organizations should be wary as well. An organization is likely composed of many people using bad password practices. They not only use bad practices in their personal lives, they most likely bring these practices into work, and thus the organization is at risk of exposure from easy-to-guess passwords. In fact, some of the sites where bad passwords are used are work-related sites. That means, for example, the easy-to-guess password the messaging administrator uses on his or her Facebook account may be protecting the privileged account on the organization's Exchange server.

In the recent past, most information breaches affecting organizations have started with a "beachhead" established by the attacker or malicious organization using a privileged account that has been compromised, most likely through a poor password construct used by the administrator.

How can organizations protect themselves against bad passwords?

Most organization password policies need to be updated to require stronger password constructs. The standard eight-character, upper- and lowercase password policy instituted by most organizations needs to change. On the Internet, passwords and their hashed values have been documented into what are commonly called rainbow tables. These tables are used by malcontents to derive passwords from stolen credential files and contain all the permutations of password values, starting with A, then AA, then AAA and so on, for passwords as large as 12 characters in length. That means if a hacker captures a system's hashed password file, he could easily look up the password value of any account that used a password of 12 characters or fewer -- well within compliance with the organization's password policy.

It's important for organizations to stress the importance of lengthier passphrases: passwords that incorporate sentence structures instead of single-word associations. For example, a 12-character password like "BostonRedSox" could be lengthened to "!L0v3the8ost0nR3dSoxs" and still be fairly easy to remember. In addition to providing a complex 21-character password, the password construct contains character replacements -- 3 instead of E, and 8 instead of B, for example -- to make it even harder to guess. While IT security professionals understand how to construct such passphrases, other workers will need to be trained.

It's also invaluable to do periodic best-practices password training for the workforce. Reminders not to reuse personal passwords in the office, to use passphrases and to ensure that passwords are different for each business application are important messages to get across.

Despite the focus on passwords, there are other technologies that use techniques inherently stronger than passwords, but are more costly or require architectural changes to the organization's applications and/or authentication technologies. Use of two-factor authentication or multifactor authentication for privileged and high-value applications is becoming more commonplace. While passwords are still king, these newcomers are becoming less expensive and new applications are now allowing the option of using strong authentication in place of default password account security.


Is there value in having access to the file Mr. Burnett released to the Internet? Yes. Since an organization's password files are hashed, one way to verify whether workers are following strong password practices is to audit the password files against known rainbow tables and other password files, like Mr. Burnett's, to see how many positive hits are found. If the number is more than trivial, it may be a clear indication that additional worker training is necessary, and it should also be flagged as a potential security risk to the organization. Remember, just like cars on a road, passwords can be dangerous to the organization, but only when used in the wrong way.
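The two defensive checks described above, the passphrase policy from the "BostonRedSox" example and the audit of an organization's hashed password file against a leaked password list, as an added example that is not part of the original article. The hash file, the leaked list and the unsalted SHA-256 hashing are constructed for illustration; the 13-character minimum and the 5% "more than trivial" threshold are assumptions.

```python
import hashlib

# Constructed stand-in for a leaked password list (the kind of file the
# article says can be used to audit an organization's own password hashes).
LEAKED_PASSWORDS = ["password", "123456", "qwerty", "letmein", "BostonRedSox"]

# The article recommends passphrases longer than the 12 characters that
# lookup tables are said to cover, so 13 is the assumed minimum here.
MIN_LENGTH = 13


def unsalted_sha256(password: str) -> str:
    """Hash a password the way this constructed hash file does (unsalted SHA-256).
    Real systems use salted, slow hashes (bcrypt, scrypt, Argon2); there you
    would verify each leaked candidate per account with its stored salt."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed organization hash file: username -> stored hash.
ORG_HASH_FILE = {
    "jsmith": unsalted_sha256("BostonRedSox"),
    "exchange-admin": unsalted_sha256("letmein"),
    "rgamby": unsalted_sha256("!L0v3the8ost0nR3dSoxs"),
}


def audit_hash_file(hash_file: dict, leaked: list) -> set:
    """Return the usernames whose stored hash matches a known leaked password."""
    leaked_hashes = {unsalted_sha256(p) for p in leaked}
    return {user for user, digest in hash_file.items() if digest in leaked_hashes}


def check_policy(password: str, leaked: list) -> list:
    """Return the policy failures for a candidate password (empty list = accepted)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("shorter than %d characters" % MIN_LENGTH)
    if password in set(leaked):
        failures.append("appears in a leaked password list")
    if password.isalpha():
        failures.append("no digits or symbols (e.g. 3 for E, 8 for B)")
    return failures


def needs_training(hits: int, accounts: int, threshold: float = 0.05) -> bool:
    """Flag the workforce for training when more than a trivial share of
    accounts (assumed threshold: 5%) use leaked passwords."""
    return accounts > 0 and hits / accounts > threshold


if __name__ == "__main__":
    hits = audit_hash_file(ORG_HASH_FILE, LEAKED_PASSWORDS)
    print("accounts using leaked passwords:", sorted(hits))
    print("training needed:", needs_training(len(hits), len(ORG_HASH_FILE)))
```

The audit reports only which accounts matched, which is all an awareness programme needs; the leaked values themselves stay in the list.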

About the author:
Randall Gamby is an Identity and Access Management (IAM) professional with over 25 years of IAM experience. He is currently the IAM strategist for a Fortune 500 company. Prior to this position he was a Master Security Consultant, a state Information Security officer and the enterprise security architect for an insurance and finance company. His experience also includes many years as an analyst for the Burton Group's Security and Risk Management Services group. His coverage areas included: secure messaging, security infrastructure, identity and access management, security policies and procedures, credential services and regulatory compliance.


This was last published in May 2015
