This piece highlights the pros and cons of passwords for organizations, best practices for composing passwords, and how to update company policies and authentication processes to increase security.
Passwords are the simplest technology available to authenticate users when they sign into systems and applications, but they have pros and cons:
Universality: They work from every type of device where text input is possible, every kind of system and application that someone might want to sign into, and all users (unlike biometrics and some hardware devices).
Inexpensive: They require no special hardware or sensors.
To help mitigate the security vulnerabilities of passwords, organizations should consider:
Unfortunately, those password security requirements alone probably are not enough. Passwords can also be compromised by:
These challenges are why passwords are a weak form of authentication. It is difficult to get everything right, in all contexts.
To improve password security, it makes sense to add another factor. Authentication is any process by which users prove that it is really them logging in, rather than an impostor. This may be done by the user providing something they know that others should not (a secret, such as a password or PIN), by measuring a physical characteristic of the user (biometrics), or by the user proving possession of a personal physical device such as a hardware token, smart card or phone.
However, no method is perfect. For any given biometric, some users cannot provide a sample (amputees, blind users, etc.). Biometrics also cannot be revoked or reissued: if malicious actors steal a user's biometric data, they may be able to replay it into a reader and impersonate the user, and the user cannot simply pick a new fingerprint the way they would pick a new password. Hardware devices can be costly, may be lost or stolen and in some cases require readers. Because of these challenges, it is reasonable to offer a variety of authentication factors.
Unfortunately, multi-factor authentication (MFA) is both costly and complex. Many applications cannot directly support it and implementing such a system once per application is impractical. This is where federated access is helpful.
First, configure a single system to authenticate users with two or more credentials, typically a password or PIN combined with a smartphone app or biometric. Next, configure every application to outsource its authentication to this shared infrastructure. This can be done using Kerberos for on-premises Windows-integrated applications, and OpenID Connect (OIDC) or SAML 2.0 for web applications.
When credentials are combined, no single factor needs to be as strong on its own. For example, a one-time PIN sent to users via SMS is not very secure (it can be intercepted or redirected through SIM swapping), but combining it with a password is often good enough. Similarly, a short, all-lowercase password is not very secure, but when combined with a smartphone app, it may be sufficient.
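The steps above leave one check to the application itself: once authentication is outsourced to the shared identity provider, each relying party still has to validate the ID token it receives and confirm that a second factor was actually used, rather than trusting any successful login. The following is an added example, not code from the original post. It assumes a hypothetical OIDC identity provider at `https://idp.example.test`, a hypothetical client_id `payroll-app`, and ID tokens signed with HS256 using the client_secret (permitted by OpenID Connect Core, although RS256/ES256 with keys fetched from the provider's JWKS endpoint is the usual production choice). The MFA decision uses the `amr` claim values defined in RFC 8176, requiring methods from at least two different factor types (or the summary value `mfa`), so that, for instance, a password plus a PIN is still treated as single-factor.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical values for this self-contained example.
EXPECTED_ISSUER = "https://idp.example.test"
EXPECTED_AUDIENCE = "payroll-app"
CLIENT_SECRET = b"example-client-secret-not-for-production"

# RFC 8176 "amr" values grouped by factor type.  A login counts as MFA only
# when methods from at least two groups were used, or the IdP reports "mfa".
KNOWLEDGE = {"pwd", "pin", "kba"}
POSSESSION = {"otp", "sms", "tel", "hwk", "swk", "sc", "mca"}
INHERENCE = {"fpt", "face", "iris", "vbm", "retina"}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, secret: bytes = CLIENT_SECRET) -> str:
    """Stand-in for the identity provider: emit an HS256-signed JWT (assumption)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def factor_types(amr) -> set:
    """Map an amr list to the set of factor types (knowledge/possession/inherence) it covers."""
    methods = set(amr or [])
    types = set()
    if methods & KNOWLEDGE:
        types.add("knowledge")
    if methods & POSSESSION:
        types.add("possession")
    if methods & INHERENCE:
        types.add("inherence")
    return types


def is_multi_factor(amr) -> bool:
    return "mfa" in set(amr or []) or len(factor_types(amr)) >= 2


def verify_id_token(token: str, expected_nonce: str, now=None, secret: bytes = CLIENT_SECRET):
    """Relying-party side: return (True, subject) only if signature, issuer, audience,
    expiry and nonce all check out AND the IdP reports a genuine second factor."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return False, "malformed token"
    # Pin the algorithm: never let the token pick it ("none", key confusion).
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        return False, "wrong issuer"
    aud = claims.get("aud")
    if not (aud == EXPECTED_AUDIENCE or (isinstance(aud, list) and EXPECTED_AUDIENCE in aud)):
        return False, "wrong audience"
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return False, "expired"
    if claims.get("nonce") != expected_nonce:       # binds token to this login attempt
        return False, "nonce mismatch"
    if not is_multi_factor(claims.get("amr")):
        return False, "single factor only: amr=%s" % sorted(set(claims.get("amr") or []))
    return True, claims.get("sub")


if __name__ == "__main__":
    now = 1_700_000_000  # fixed clock so the demo is reproducible
    base = {"iss": EXPECTED_ISSUER, "sub": "alice", "aud": EXPECTED_AUDIENCE,
            "exp": now + 300, "iat": now, "nonce": "n-1"}
    print(verify_id_token(mint_id_token({**base, "amr": ["pwd", "otp"]}), "n-1", now=now))
    print(verify_id_token(mint_id_token({**base, "amr": ["pwd", "pin"]}), "n-1", now=now))
```

The point of `factor_types` is that "two credentials" must mean two different kinds of credential; the same logic applies if your provider expresses policy through `acr` instead of `amr`, in which case the check becomes a comparison against the ACR value your MFA policy is known to produce.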
Even if MFA is not deployed universally, consider making it mandatory at least for high-risk users.
Whether you deploy MFA or not, consider avoiding the following issues when formulating a strong password policy:
The number of possible passwords for a given policy can be computed as follows:
The table above demonstrates that adding length increases the cost of guessing a password faster than adding character classes does.
Ideally, all systems where the policy will be implemented support passwords with mixed-case letters, digits and punctuation marks, and have large limits on password length (at least 20 characters are legal).
Your complexity rules then depend on how difficult you want it to be for an attacker who has stolen a copy of the hashed and salted password database to guess a password. A modern GPU can test on the order of a billion candidate passwords per second against a fast hash, so an 8-character password drawn only from uppercase letters and digits (the limit on traditional mainframe systems, about 2.8 × 10^12 possibilities) is fully cracked in under an hour once the password database is stolen. On the other hand, a 10-character password with mixed-case letters and digits has roughly 8.4 × 10^17 possibilities, which takes about 27 years to exhaust at that rate, and far longer if the hash is a deliberately slow one such as bcrypt or scrypt.
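To make the keyspace reasoning concrete, here is an added example (not part of the original post) that computes the number of candidate passwords, the equivalent entropy in bits, and the time to exhaust the space at a given guessing rate. It goes slightly beyond the text by also computing the minimum length needed to reach a target cracking time. The guessing rate of one billion per second is the figure used above; the character-class sizes assume 95 printable ASCII characters, of which 33 are punctuation, and the policy labels are illustrative.

```python
import math

# Character-class sizes (assumption: "punctuation" = 33 printable non-alphanumeric
# ASCII characters, so mixed case + digits + punctuation = 95).
CHARSET_SIZES = {
    "uppercase+digits": 36,
    "lowercase": 26,
    "mixed case": 52,
    "mixed case+digits": 62,
    "mixed case+digits+punctuation": 95,
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Equivalent bits of entropy for a uniformly random password."""
    return length * math.log2(charset_size)


def years_to_exhaust(charset_size: int, length: int, guesses_per_second: float = 1e9) -> float:
    """Years to try every candidate at the given rate (average crack time is half this)."""
    return keyspace(charset_size, length) / guesses_per_second / SECONDS_PER_YEAR


def compare(policies, guesses_per_second: float = 1e9):
    """Rows of (label, length, bits, years), weakest policy first."""
    rows = []
    for label, length in policies:
        size = CHARSET_SIZES[label]
        rows.append((label, length, round(entropy_bits(size, length), 1),
                     years_to_exhaust(size, length, guesses_per_second)))
    return sorted(rows, key=lambda r: r[3])


def minimum_length(charset_size: int, target_years: float, guesses_per_second: float = 1e9) -> int:
    """Smallest length whose full search takes at least target_years at the given rate."""
    needed = target_years * SECONDS_PER_YEAR * guesses_per_second
    # Start just below the analytic estimate and step up, avoiding float rounding at exact powers.
    length = max(1, math.ceil(math.log(needed, charset_size)) - 1)
    while charset_size ** length < needed:
        length += 1
    return length


if __name__ == "__main__":
    sample = [("uppercase+digits", 8), ("mixed case+digits+punctuation", 8),
              ("lowercase", 12), ("mixed case+digits", 10), ("lowercase", 16)]
    print("%-32s %6s %6s %14s" % ("policy", "len", "bits", "years@1e9/s"))
    for label, length, bits, years in compare(sample):
        print("%-32s %6d %6.1f %14.3g" % (label, length, bits, years))
    print("lowercase length for 100 years at 1e9/s:", minimum_length(26, 100))
```

Feed your own hash rate into `guesses_per_second`: for a fast unsalted hash the realistic GPU rate is well above a billion per second, while a tuned bcrypt or scrypt cost brings it down by several orders of magnitude, which is why the hash choice matters as much as the policy.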
Consider the following requirements as a framework for a reasonable policy:
Many organizations implement a basic policy such as the above, and an even stronger policy (with longer passwords) for high-risk users, such as executive management, human resources or system administrators.
Because users inevitably share or write down their passwords, or reuse their work password on consumer-facing websites, some of which may have been compromised, it is reasonable to ask users to change their passwords periodically. Note that NIST SP 800-63B takes the opposite position, recommending against forced periodic rotation in favor of changing passwords on evidence of compromise and screening new passwords against breached-password lists; weigh both views against your environment.
To help avoid issues associated with when and how passwords are changed, consider the following:
Ideally, your password policies make it easy for users to comply. With that in mind, consider:
October 19, 2021
By IANS Faculty