InfoSec-Specific Executive Development for
CISOs and Aspiring Security Leaders.
Live Faculty-led instruction and interactive
labs to build you and your team's InfoSec skills
This piece highlights the pros and cons of passwords for organizations, and best practices for composing passwords, and updating company policies and authentication processes to increase security.
Passwords are the simplest technology available to authenticate users when they sign into systems and applications, but they have pros and cons:
Universality: They work from every type of device where text input is possible, every kind of system and application that someone might want to sign into, and all users (unlike biometrics and some hardware devices).
Inexpensive: They require no special hardware or sensors.
To help mitigate the security vulnerabilities of passwords, organizations should consider:
Unfortunately, those password security requirements alone probably are not enough. Passwords can also be compromised by:
These challenges are why passwords are a weak form of authentication. It is difficult to get everything right, in all contexts.
REALTED CONTENT: Key Considerations for Password-less Authentication
To improve password security, it makes sense to add another factor. Authentication is any process where users prove that it is really them, rather than an impostor, logging in. This may be done by the user providing something they know, and others should
not know (a secret, such as a password or PIN), or some physical characteristic of the user being measured (biometrics) or users proving possession of a physical, personal device such as a hardware token, smart card or phone.
However, no method is perfect -- for any given biometric, some users cannot provide a sample (amputees, blind users, etc.). Biometrics also cannot be repudiated -- if malicious actors steal a user's biometric data, they may be able to inject that data
into a reader and impersonate the user. Hardware devices can be costly, may be lost or stolen and in some cases require readers. Because of these challenges, it is reasonable to offer a variety of authentication factors.
Unfortunately, multi-factor authentication (MFA) is both costly and complex. Many applications cannot directly support it and implementing such a system once per application is impractical. This is where federated access is helpful.
First, configure a single system to authenticate users with two or more credentials – typically a password or PIN combined with a smartphone app or biometric. Next, configure every application to outsource its authentication to this shared infrastructure.
This can be done using Kerberos for on-premises Windows-integrated applications, and Open ID Connect (OIDC) or SAMLv2 for web applications.
When credentials are combined, no single factor needs to be as secure. For example, sending a PIN to users via SMS is not very secure, but combining that with a password is often good enough. Similarly, a short, all-lowercase password is not very secure,
but when combined with a smartphone app, it may be sufficient.
Even if MFA is not deployed universally, consider making it mandatory at least for high-risk users.
Whether you deploy MFA or not, consider avoiding the following issues when formulating a strong password policy:
The number of possible passwords for a given policy can be computed as follows:
The table above demonstrates that longer passwords are more computationally expensive to guess than those that use more character classes.
Ideally, all systems where the policy will be implemented support passwords with mixed-case letters, digits and punctuation marks, and have large limits on password length (at least 20 characters are legal).
Your complexity rules then depend on how difficult you want it to be for an attacker who has managed to steal a copy of the hashed and salted password database to guess a password. A modern GPU can test about a billion possible passwords per second, so
if someone can steal the mainframe password database, it will be 100 percent cracked very quickly. On the other hand, a 10-character password with mixed-case and digits would take thousands of years to crack.
Consider the following requirements as a framework for a reasonable policy:
Many organizations implement a basic policy such as the above, and an even stronger policy (with longer passwords) for high-risk users, such as executive management, human resources or system administrators.
Because users inevitably do share or write down their passwords or may use the same password they have at work on many consumer-facing websites, some of which may have been compromised, it is reasonable to ask users to change their passwords periodically.
To help avoid issues associated with when and how passwords are changed, consider the following:
Ideally, your password policies make it easy for users to comply. With that in mind, consider:
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.
June 30, 2022
By IANS Faculty
Understand how zero-click attacks work and find best practices to help detect and prevent common zero-click techniques from harming your organization.
June 28, 2022
Find guidance on how to create meaningful security metrics and KPIs for measuring risk improvement across a variety of security areas, including vulnerability management, product security and more.
June 23, 2022
Gain an understanding of the latest insider data exfiltration threats, motivations and methods. Learn best practices for insider threat detection and data exfiltration prevention to protect your organization.