Password security has long been a thorn in the side

It's easy enough to understand why. Passwords are inconvenient for users, so users keep them as simple as possible in order to remember them. On the other hand, IT security staff keep warning that if a password is too simple, guessing it and breaching the system is a trivial task for an attacker.

That's why, despite periodic warnings, we still see passwords like "password" or "123456," and why so many people still use birth dates and the names of pets. Unfortunately, there doesn't seem to be an easy fix for that.

Scope and scale of problem

To understand the scope and scale of the problem, look at the figures from the UK's National Cyber Security Centre (NCSC), which tracks password habits and has some bad news to report:

Even now, when almost everyone knows better, some 15 percent of people use the name of a pet as a password and 14 percent use the name of a family member. 13 percent use birth dates or anniversaries, and 6 percent gravitate to their favourite sports team.

The big problem, of course, is that even a moderately skilled attacker who spends a little time on the target's social media can collect all of this information with ease, and can turn it into a short, targeted list of guesses. Accounts protected by such passwords fall just as easily.

In terms of current best practice, the National Cyber Security Centre recommends using none of the above. Instead, choose passwords along the lines of the recommendations that follow:

1. Password usage

Experience with short passwords soon showed a series of flaws in how users chose and used them. In no particular order these included:

  • using a 'standard' word such as boss, master, doall or passwd
  • using a dictionary word or the name of the business
  • using repeating letters or numerals (AAAAAA, 111111 and so on)
  • choosing only six characters, which was short enough for someone to watch and remember while the user typed them in.

To counter users' attempts to make their lives easier, password systems were built that forced a change on a regular basis (say monthly, or even daily for critical passwords), required the new password to differ from the old one, and checked it against a history of previously used passwords. More sophisticated systems enforced composition rules, requiring passwords to be built from letters and digits in non-repeating patterns.

These approaches more or less forced users to break other security rules and write their passwords down, particularly if they had several to 'remember'. (I recall a 'classic' case where a user was expected to remember more than 20 passwords, some of which were the only way to access encrypted documents. Naturally they did not listen to the ideas of regular change and remembering everything.)

There continues, therefore, to be a central dichotomy between those who want short passwords that are forever changing and those who want a single password that a user can remember; the second kind cannot be short if it is to be both memorable and resistant to guessing.

2. Password systems history

Early password systems restricted user choice to upper case letters and numerals, giving the attacker a much-reduced space to search (the number of valid combinations of input characters). Later systems allowed upper and lower case, which improved matters somewhat by raising the number of attempts an attacker had to make before finding the password by 'brute force'.

Later systems converted the password into a 'hash', a one-way encrypted field, so that the stored value could not readily be reversed by an attacker. Unfortunately the hashing schemes were not always effective, and even when they were, the space of hash values was not always large, and the attacker needs only some password that produces the stored hash, not the one the user actually chose.
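The difference between a weak hashing scheme and a sound one is easiest to see by attacking both. The following is an added example, not code from the page: a legacy unsalted SHA-256 scheme next to a per-user-salted PBKDF2-HMAC-SHA256 scheme from the Python standard library, with a small cracker for each. The user list, passwords and wordlist are constructed for the demo, and the 600,000 iteration count is the figure OWASP currently recommends for PBKDF2 with SHA-256.

```python
"""Added example (not from the page): an unsalted fast hash next to a salted,
deliberately slow KDF, and what each costs an attacker who steals the records.
All users, passwords and the wordlist are constructed for the demo."""
import hashlib
import hmac
import os

# Constructed wordlist, in the order a cracker would try it.
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon", "Fluffy2019"]


# --- Legacy scheme: one fast, unsalted hash per password ---------------------

def fast_unsalted_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def crack_unsalted(stored: dict, wordlist: list) -> tuple:
    """Hash each candidate once and look it up against every user at the same
    time. Returns (cracked users, number of hash computations)."""
    lookup = {fast_unsalted_hash(w): w for w in wordlist}
    cracked = {user: lookup[h] for user, h in stored.items() if h in lookup}
    return cracked, len(wordlist)


# --- Hardened scheme: per-user random salt + slow KDF ------------------------

ITERATIONS = 600_000  # OWASP's recommended floor for PBKDF2-HMAC-SHA256


def kdf(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_record(password: str, iterations: int = ITERATIONS) -> tuple:
    """Store (salt, digest). The salt is random per user, so equal passwords
    give different records and precomputed tables are useless."""
    salt = os.urandom(16)
    return salt, kdf(password, salt, iterations)


def verify(password: str, record: tuple, iterations: int = ITERATIONS) -> bool:
    salt, digest = record
    # compare_digest avoids leaking the digest through timing differences.
    return hmac.compare_digest(kdf(password, salt, iterations), digest)


def crack_salted(records: dict, wordlist: list, iterations: int = ITERATIONS) -> tuple:
    """With salts every (user, candidate) pair costs one full KDF run.
    Returns (cracked users, number of KDF computations)."""
    cracked, calls = {}, 0
    for user, (salt, digest) in records.items():
        for word in wordlist:
            calls += 1
            if hmac.compare_digest(kdf(word, salt, iterations), digest):
                cracked[user] = word
                break
    return cracked, calls


if __name__ == "__main__":
    users = {"alice": "password", "bob": "password",
             "carol": "Fluffy2019", "dave": "correct horse battery staple"}
    legacy = {u: fast_unsalted_hash(p) for u, p in users.items()}
    print("unsalted:", crack_unsalted(legacy, WORDLIST))   # alice and bob share a digest
    # Low iteration count only so the demo runs quickly; keep ITERATIONS in production.
    hardened = {u: make_record(p, iterations=1000) for u, p in users.items()}
    print("salted:  ", crack_salted(hardened, WORDLIST, iterations=1000))
    print("verify:  ", verify("password", make_record("password")))
```

Two things to notice when running it: with the unsalted scheme alice and bob have identical stored values, so one lookup exposes both, and the whole user base is attacked for the price of six hashes; with salts the attacker pays one KDF run per user per candidate, and each run is deliberately slow. Modern deployments would prefer Argon2id or bcrypt, which are not in the standard library, but the salt-plus-work-factor principle is the same.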

Networked systems and services, and the arrival of the PC as a networked device as well as a stand-alone computer, together created the idea that it must be possible to have unlimited retries at getting the password right. The attacker was being handed a massive advantage!

The Internet, built for resilience and information sharing, included the idea of ID/password security, but originally provided no encryption to protect the password in transit and allowed unlimited retries. As a result, passwords were often transmitted unprotected, sometimes with every request for a page in a protected area, and the attacker had the whole of the site's uptime in which to keep guessing. (TLS now protects the wire; the unlimited-retry problem remains wherever a login is not throttled.)

3. Password potential routes forward

The biggest hurdle to overcome is the user's ability to hit more than six consecutive keys reliably when they cannot see the result of what they are typing. A user needs a bit of practice to get a longer password right, and constant change makes for bad typing. A much longer password, say 30 or so characters, is not guaranteed to contain what cryptologists call entropy, but it has a good chance.

A long password should also be harder to crack with short dictionary attacks and more resistant to brute force, because the number of candidates the attacker has to hash grows exponentially with length. This has a lot to recommend it. Long passwords are also resistant to capture by observation, because there is too much for a shoulder-surfer to remember, no matter how often they watch.
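Section 2's point about the reduced search space of upper-case-plus-digits passwords and this section's point about length both come down to one calculation. The block below is an added worked example, not from the page or the NCSC, that computes the search space in bits for the schemes discussed and the worst-case time to exhaust each at two assumed offline guess rates (a GPU rig against a fast unsalted hash, and the same rig against a slow KDF). The bits-per-letter figure for English prose is also an assumption, stated in the comment.

```python
"""Added example (not from the page): search space in bits for the password
styles discussed above, and how long exhausting it takes at two assumed
offline guess rates. Rates and the bits-per-letter figure are assumptions."""
import math

FAST_HASH_RATE = 1e10  # assumed: a GPU rig against an unsalted MD5/SHA-1 style hash
SLOW_KDF_RATE = 1e5    # assumed: the same rig against a deliberately slow KDF


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of exactly `length` symbols from the alphabet."""
    return alphabet_size ** length


def bits(space: int) -> float:
    """Search space as bits of entropy, assuming a uniformly random choice."""
    return math.log2(space)


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst case for the attacker; on average half of this is enough."""
    return space / guesses_per_second


def natural_language_bits(chars: int, bits_per_char: float = 1.3) -> float:
    """Rough entropy of an ordinary English sentence. Shannon estimated English
    at roughly 1-1.5 bits per letter (1.3 here is an assumption); a random
    printable character gives log2(95) = 6.6 bits, so length alone says
    little about strength."""
    return chars * bits_per_char


# The schemes the text walks through, plus two modern comparison points.
SCHEMES = {
    "6 chars, upper case + digits (36 symbols)": keyspace(36, 6),
    "6 chars, mixed case + digits (62 symbols)": keyspace(62, 6),
    "8 chars, any printable ASCII (95 symbols)": keyspace(95, 8),
    "4 random words from a 7776-word list": keyspace(7776, 4),
    "30 random printable characters": keyspace(95, 30),
}


def human(seconds: float) -> str:
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("min", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.3f} s"


def report() -> list:
    """(scheme, bits, seconds at fast-hash rate, seconds at slow-KDF rate) per scheme."""
    return [(name, bits(space),
             seconds_to_exhaust(space, FAST_HASH_RATE),
             seconds_to_exhaust(space, SLOW_KDF_RATE))
            for name, space in SCHEMES.items()]


if __name__ == "__main__":
    for name, b, fast, slow in report():
        print(f"{name:45} {b:5.1f} bits  fast hash: {human(fast):>18}  slow KDF: {human(slow):>18}")
    print(f"30-letter English sentence (assumed 1.3 bits/letter): {natural_language_bits(30):.0f} bits")
```

The table makes the paragraph's caveat concrete: a six-character upper-case-and-digits password (31 bits) falls in a fraction of a second against a fast hash, four random dictionary words (52 bits) take years against a slow KDF, and a 30-letter sentence of ordinary English, under the assumed 1.3 bits per letter, carries only around 39 bits, which is why the unpredictability of a long password matters more than its length.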

4. But how do you educate users into using passwords successfully?

The first thing to remember is that length must be proportionate to the overall security requirement. If a 'three strikes and you're out' lockout is combined with a token of almost any kind, you can live with a 4-digit PIN. If there are multiple password systems, a single long password could serve as the one key that enables all services.
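The 'three strikes' rule is what turns the unlimited-retry problem of section 2 into something a 4-digit PIN can survive. Below is an added example, not from the page: a per-account lockout with an injectable clock (so it can be tested without waiting), plus the arithmetic for how many online guesses the policy leaves an attacker. The limits of three failures and a fifteen-minute lock are assumed values for the demo.

```python
"""Added example (not from the page): a per-account 'three strikes' lockout
with an injectable clock, and the arithmetic for what the policy does to an
attacker guessing a 4-digit PIN. The limits are assumed values for the demo."""

MAX_FAILURES = 3
LOCKOUT_SECONDS = 15 * 60


class LoginGuard:
    """Counts consecutive failures per account and refuses every attempt, even
    a correct one, while the account is locked. The caller performs the real
    credential check and passes in only the boolean result."""

    def __init__(self, max_failures: int = MAX_FAILURES, lockout_seconds: int = LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._failures = {}       # account -> consecutive failed attempts
        self._locked_until = {}   # account -> time at which the lock expires

    def is_locked(self, account: str, now: float) -> bool:
        return self._locked_until.get(account, 0) > now

    def attempt(self, account: str, credential_ok: bool, now: float) -> str:
        """Returns 'ok', 'denied' or 'locked'."""
        if self.is_locked(account, now):
            return "locked"
        if credential_ok:
            self._failures.pop(account, None)
            return "ok"
        failures = self._failures.get(account, 0) + 1
        if failures >= self.max_failures:
            self._locked_until[account] = now + self.lockout_seconds
            self._failures.pop(account, None)   # fresh count once the lock expires
        else:
            self._failures[account] = failures
        return "denied"


def guesses_per_day(max_failures: int = MAX_FAILURES, lockout_seconds: int = LOCKOUT_SECONDS) -> int:
    """Online guesses one attacker gets against one account per day."""
    return max_failures * (86400 // lockout_seconds)


def days_to_exhaust(secret_space: int, **policy) -> float:
    """Worst case to try every value; a 4-digit PIN has a space of 10_000."""
    return secret_space / guesses_per_day(**policy)


if __name__ == "__main__":
    guard, pin, clock = LoginGuard(), "4921", 0
    for guess in ("0000", "0001", "0002", "4921"):   # constructed attacker guesses
        clock += 1
        print(guess, guard.attempt("alice", guess == pin, clock))
    print("after lock expires:", guard.attempt("alice", True, clock + LOCKOUT_SECONDS))
    print("guesses/day:", guesses_per_day(),
          " days to exhaust a 4-digit PIN:", round(days_to_exhaust(10_000), 1))
    print("without lockout at 10 guesses/s:", 10_000 / 10 / 60, "minutes")
```

Under these numbers an attacker gets 288 guesses per account per day, so a 4-digit PIN takes about 35 days to exhaust instead of under 17 minutes at ten guesses a second. The price is that anyone who knows a user name can lock that user out, which is why the page pairs the rule with a token; in practice the lockout is also combined with throttling by source address and with alerting on repeated failures.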

Choosing a long password is not the daunting prospect that makes choosing a short one so miserable. Natural language is to be preferred, since the result must be memorable, but how that language is expressed must be left to the capricious nature of the user.

By way of some examples of longer passwords, one could consider the following:

"Table!house*", "Knight(soil)" or "Dem0n**manager". Other examples that could work include "1066andallthat", "Hangthe****donkey" or "Now-is-the-time-for-all-good-men". This last one is a quotation; it is still far harder to guess than a single word, though a well-known phrase will appear in a cracker's phrase lists, so a more obscure one is better. Passwords like these defeat a plain dictionary attack (two dictionary words joined by punctuation, or a word with digits standing in for letters, are still within reach of a cracker's rule sets, so the longer and odder the better), and, provided they are not changed often, users are more likely to choose something difficult and unique. Another handy feature is that they are slightly harder to share with friends, since there is so much more to remember.
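A server can enforce both points made so far, that personal details gathered from social media make easy guesses and that dictionary words dressed up with symbols are not much better, by checking a new password the way a cracker's rule set would see it. The following is an added example, not from the page: the password is case-folded, common digit and symbol substitutions are undone and punctuation is stripped before comparison against a common-password list, the user's own details and a dictionary. The profile, blocklist and dictionary are constructed for the demo; a real deployment would use a breached-password list and a full dictionary, and the twelve-character minimum is an assumed policy value.

```python
"""Added example (not from the page): a password check that applies the
text's points about personal details and dictionary words the way a
rule-based cracker would see the password. Profile, blocklist, dictionary
and minimum length are constructed/assumed for the demo."""
import re

COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "iloveyou", "football"}
DICTIONARY = {"table", "house", "knight", "soil", "demon", "manager", "dragon", "monkey"}
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})
MIN_LENGTH = 12

# Constructed profile of the kind an attacker assembles from social media.
PROFILE = {"name": "Alice Walker", "pet": "Fluffy", "born": 1987, "team": "Arsenal"}


def normalise(password: str) -> str:
    """Reduce the password to what a rule-based cracker would generate it from."""
    s = password.lower()
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)  # drop leading/trailing digits and punctuation
    s = s.translate(LEET)                     # undo 0->o, 3->e, @->a and friends
    return re.sub(r"[^a-z]", "", s)           # drop whatever punctuation is left


def personal_tokens(profile: dict) -> set:
    """Names of three or more letters and four-digit numbers from the profile."""
    tokens = set()
    for value in profile.values():
        tokens.update(re.findall(r"[a-z]{3,}|\d{4}", str(value).lower()))
    return tokens


def dictionary_built(word: str, dictionary: set) -> bool:
    """True if `word` is one dictionary word or two joined together."""
    if word in dictionary:
        return True
    return any(word[:i] in dictionary and word[i:] in dictionary
               for i in range(1, len(word)))


def check(password: str, profile: dict) -> list:
    """Reasons to reject the password; an empty list means it is accepted."""
    reasons = []
    lowered, core = password.lower(), normalise(password)
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        reasons.append("on the common-password list")
    for token in sorted(personal_tokens(profile)):
        if token in lowered or token in core:
            reasons.append(f"contains personal detail '{token}'")
    if dictionary_built(core, DICTIONARY):
        reasons.append(f"built from dictionary words ('{core}')")
    return reasons


if __name__ == "__main__":
    for candidate in ("Fluffy1987!", "P@ssw0rd2024", "Table!house*", "Dem0n**manager",
                      "Now-is-the-time-for-all-good-men"):
        print(f"{candidate:35} {check(candidate, PROFILE) or 'accepted'}")
```

Run against the page's own examples, the checker rejects "Table!house*" and "Dem0n**manager" as two dictionary words once the punctuation and substitutions are removed, catches "P@ssw0rd2024" as "password", and flags anything containing the user's pet or birth year, while "Now-is-the-time-for-all-good-men" passes because the checker only knows what it is given; that quotation would be caught by adding a phrase list to the blocklist.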

5. Never forget the real purpose of password security

The password, as we use it today, is more often than not the 'secret' that unlocks a system's capabilities or grants authorizations. In future services it will be used to unlock cryptographic secrets, most likely held in software at first and later in hardware. These 'keystores' may hold various secrets, perhaps even including other passwords that are transparent to the user.

Ultimately, the real purpose of a security system is to make the user's life easy while making the attacker's life difficult. Password systems that ignore the user are going to fail with the very community they are supposed to serve.

Whenever users cannot manage the password systems they are given, the attacker gains an advantage, because those are the aspects of the system they will exploit first. Similarly, a poorly designed password system will fail and compromise the very users it is supposed to protect. Poor design is much harder to fix than bad coding or errors in implementation, and the use of commercial password managers doesn't fix that.

My perspective

It's excellent advice, and the next time you send another missive to your employees regarding password security, it's well worth sharing.

And you can hear Ben Obi-Wan Kenobi saying... "May the Force be with you"

 


By Denis Wilson

Cybersecurity Expert, Small Business Technology Consultant, Managed Services Provider, Managed IT Support

Thanks for reading this short post. For more tips on thriving with small business technology, check out the other blog posts at DWPIA Blogs. You can also find me on LinkedIn, Facebook, and Twitter.

I am also a published author and speaker on cloud computing, work@home, and cybersecurity. I work extensively with business and professional associations to provide small business technology education programs.

 

Contact me if you would like me to speak to your association