Fed up of passwords?

This post was written by Jack, one of our Cyber Security Consultants. 

Passwords are archaic

Humans have used passwords since ancient times: Polybius describes, in his writings, the use of a ‘watchword’ to identify allies in wartime. This was fine when only humans could process them, but computers are a different beast, and they are far better at it than we are.

Strong passwords are hard to remember

Passwords are hard for humans to remember; we aren’t designed for this complex task. Long-term storage of information that has no relation to any real-world situation is nigh on impossible for us. Why don’t we leave this task to the computers?

If your password hash is compromised at a site you entrusted it to, an attacker may attempt to guess or ‘crack’ the password many millions of times per second. Last year, hashcat reported that their latest update allowed them to compute 100GH/s, enough to exhaust the complete 8-character Microsoft NTLM keyspace in 2.5hrs.

Password exclusivity (or uniqueness) can be even more important than complexity (although not in the context of securing a single account). While both are important, a breach of one user account can often be contained (unless it happens to be a ‘cornerstone’ email account). Additionally, the breach of a single account is quite likely; online services are frequently breached and user credentials spilled publicly. Considering this, it is vital that no other accounts use the same credential pair.

If you would like to hear more on ‘Exclusivity vs Complexity’, I’ve written another blog post on the topic, which can be found here.

‘Perfect’ password policy

Most system admins will recognise that the ‘perfect’ password policy involves the following aspects:

  • Employees will create strong, long, random, unique passwords for all company accounts.
    • ‘Unique’ passwords are those not used anywhere else.
  • Employees will not share these with anyone.
  • Employees will not store these anywhere.

Where ‘perfect’ security involves having strong, complex, random passwords, people will either:

  • Break policy by
    • Writing the password somewhere
    • Reusing passwords
    • Using weaker passwords
  • Forget their passwords, requiring many resets, making each new password harder to remember, and eventually resorting to the first option.

Ethicality

Is it fair to ask your employees/colleagues to remember passwords of such length, and in such numbers, when they must also remember the passwords they use in their personal lives, which are far more important to them?

Asking them to do so at risk of their jobs is essentially asking them to take less care of passwords outside of work.

It is likely that they will reuse passwords from their personal accounts at work, which may:

  • Increase risk of Account Takeover on company accounts due to loss of confidentiality in personal accounts,
  • Increase risk of Account Takeover on personal accounts due to loss of confidentiality in company accounts,
  • As above: break policy.

If you ask your employees to follow your password policy (a business-critical function) without providing them the tools to do so, you may as well be asking them to follow your heavy-lifting policy without providing them with sack-trucks or gloves. Additionally, in this analogy, they also have plenty of heavy lifting to do at home, but it’s likely that they’ll be too tired after work.

You’ve effectively shirked all responsibility for keeping your business secure, loading this weight on to your employees’ shoulders, a weight that is already present in their personal lives, and are ready to crack down on them if they ever fail this impossible task.

Security Implications

Regardless of whether it is fair or ethical, knowing that people struggle to remember passwords like this, is it even safe for you to rely on them to do so?

Password resets reportedly cost a company around $70 each time an employee forgets one. Nobody enjoys making a bother of themselves by asking IT to reset their password, and so much time and productivity is lost during such an event that employees are likely to begin simplifying their password generation techniques, to the point where they break company password policy.

The Solution

Give up on this antiquated system, which relies on our ability to recall complex, random strings of characters.

This is especially true where an employee must remember 3+ passwords to complete all the work expected of them.

Password policies should:

  • Include a responsibility of the employer to ensure that the number of credentials required for daily tasks is kept to a minimum.
  • Explicitly state how many credential pairs the employee will be expected to recall.
  • Note that where this requirement exceeds acceptable limits, employees will be supplied with password management software, an SSO solution and/or FIDO/MFA keys.