Securing employee identities and passwords from potential attackers is the first line of defense in protecting companies from data breaches and ransomware attacks. Poor password practices are one of the leading causes of data breaches, according to Verizon’s 2022 Data Breach Investigations Report.
Additionally, the report states that over 80% of basic web application attack breaches can be attributed to stolen credentials. This highlights a long-standing problem with lost or stolen passwords. Given this issue, what can CISOs do to ensure their organization’s security?
Passwords are here to stay. Don’t believe all the hype about passwordless authentication. This push is reminiscent of the vision of a paperless office, which has been bandied about for almost 50 years. Paper remains an integral part of daily office work. While efforts are underway to replace the use of passwords, it will likely be decades before they are eliminated.
So, if passwords aren’t going away, what can be done to improve their creation? Checking possible passwords against a blacklist makes sense and can be done quickly and cheaply. New services are available to help, and the National Institute of Standards and Technology (NIST) requires such practices in its Digital Identity Guidelines (NIST 800-63B).
Identity and access management (IAM) is an issue not just for large enterprise organizations. Small and medium-sized businesses (SMBs) struggle with the friction that identity and access processes create, too. In an IDC identity and access management survey of SMBs, respondents cited “balancing security requirements and user experience for employees” and “balancing security requirements and user experience for customers” as two of their top IAM challenges. Unsurprisingly, they also cited “poor password hygiene/practices” as a challenge.
The death of the password has been prophesied for years, but it never quite seems to arrive. Passwords are unlikely to be replaced, at least in all applications and contexts, anytime soon. There are still too many legacy systems and applications designed for password-based authentication that cannot be updated.
When it comes to password policies, many firms have a problem. All of us like to think that we know how to set up a strong password, but in reality, common aspects of password policies have created more harm than good. To tackle these issues requires addressing some of the following root problems with today’s password creation and usage policies, starting with hardening password security:
» When it comes to choosing passwords, people should avoid pitfalls such as using personal information, predictable (e.g., sequential) keystroke patterns, and password variations and, most of all, reusing the same password for many different private and enterprise accounts. Other security issues include the fact that any eight-character password can be hacked through a brute-force attack in less than an hour, and stolen passwords are readily available for sale on the dark web.
» People inherently hate change or being told what to do, even if there is a tangible benefit. Flossing is a great example. Daily flossing is recommended to maintain good dental hygiene, but less than one-third of U.S. adults floss daily. Being told to change passwords at arbitrary time intervals can also be annoying. Many people would prefer a “set it and forget it” approach, until there is a trigger incident.
» The rules surrounding the creation of passwords, such as using a mix of character types (i.e., at least one digit, uppercase and lowercase letters, and symbols), introduce unnecessary complexity, which makes remembering them hard. According to NIST, analyses of breached password databases reveal that the benefit of such rules is not as significant as initially thought, although the impact on usability and memorability is severe.
To address the previously mentioned obstacles, NIST 800-63B states that users should be encouraged to make their passwords as lengthy as they want within reason, be able to use phrases and include space characters instead of complex passwords, and not have to change passwords arbitrarily. It also recommends that passwords chosen by users be compared with a blacklist of unacceptable choices. The list can include passwords from previous breaches, dictionary words, and specific words that users are likely to choose.
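The following is an added example (not IDC's or NIST's code) of a memorized-secret check written in the style of the NIST 800-63B recommendations just described: length limits instead of composition rules, spaces and phrases allowed, and rejection of values found on a blacklist of breached passwords, dictionary words, and context-specific words such as the service name or the username. The breach corpus, dictionary, service name (`examplecorp`) and usernames are constructed sample data; a real deployment would load a full breach feed.

```python
"""Added example, not code from the page: a NIST 800-63B style check for
user-chosen memorized secrets. No composition rules; length and blacklists
decide. All list contents and names below are constructed sample data."""
import hashlib
import unicodedata

MIN_LENGTH = 8    # NIST 800-63B minimum for user-chosen memorized secrets
MAX_LENGTH = 64   # verifiers must accept at least 64 characters

# Constructed stand-in for a breach corpus. Storing SHA-1 digests rather than
# plaintexts keeps the compromised values themselves off disk; most breach
# feeds are distributed in this hashed form.
_SAMPLE_BREACHED = ["password123", "qwertyuiop", "letmein!!", "Summer2022"]
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper() for p in _SAMPLE_BREACHED}

# Dictionary words and context-specific words (constructed)
DICTIONARY = {"password", "welcome", "dragon", "monkey", "football"}
SERVICE_WORDS = {"examplecorp", "ecorp"}


def normalize(secret: str) -> str:
    """NFKC normalization so visually identical Unicode input compares equal
    (NIST 800-63B recommends normalizing memorized secrets before hashing)."""
    return unicodedata.normalize("NFKC", secret)


def _letters_only(secret: str) -> str:
    """Fold case and drop digits/symbols so 'Welcome2022!' still matches the
    dictionary word 'welcome'."""
    return "".join(ch for ch in secret.lower() if ch.isalpha())


def _is_sequential(s: str) -> bool:
    """True for runs such as 'abcdefgh' or '12345678' (constant step of +1/-1)."""
    if len(s) < 2:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps == {1} or steps == {-1}


def check_password(secret: str, username: str) -> list:
    """Return the reasons a candidate is rejected; an empty list means accepted."""
    s = normalize(secret)
    reasons = []
    if len(s) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(s) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if hashlib.sha1(s.encode()).hexdigest().upper() in BREACHED_SHA1:
        reasons.append("appears in breach corpus")
    folded = _letters_only(s)
    if folded in DICTIONARY:
        reasons.append("dictionary word")
    if folded in SERVICE_WORDS or username.lower() in s.lower():
        reasons.append("context-specific (service or username)")
    if len(set(s)) == 1 or _is_sequential(s):
        reasons.append("repetitive or sequential characters")
    return reasons


if __name__ == "__main__":
    for candidate, user in [("correct horse battery staple", "alice"),
                            ("password123", "bob"), ("Alice2022!!", "alice")]:
        verdict = check_password(candidate, user) or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

Note that a long passphrase with spaces passes while a short "complex" value that happens to be in the breach corpus is rejected, which is exactly the inversion of priorities the guideline asks for.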
With passwords here to stay, the benefit of good cyber hygiene is self-evident: Secure passwords equal secure computers, networks, servers, and clouds, as well as peace of mind for the IT staff and the organization.
There are multiple tools and approaches that reduce the risk of password loss or compromise. Companies will need to weigh each tool's cost, both in real dollars and in its effect on employee and customer satisfaction, against the improvement it brings to the password security layer. Common tools include:
» Password checking and monitoring. Passwords are checked to ensure that they comply with the rules set in place at the time of their creation. However, this ensures only that the password is safe at that instant. Validation at creation is not enough. If a password is compromised a minute, day, or week later, the user and company won’t know until a reported incident exposes this problem. Real-time monitoring of passwords against an active list of compromised passwords, both at creation/reset and daily thereafter, offers distinct advantages. It can prevent the selection of an unsafe password and immediately alert users and companies when a match is discovered. The follow-up actions could range from forcing a password reset to quarantining a user’s account. In addition, the policy of changing passwords at arbitrary times wouldn’t be needed; passwords are assumed to be safe until they show up as compromised.
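As an added example (not IDC's code or any vendor's product), here is the daily monitoring step described above: an identity provider compares the passwords it holds against a newly published list of compromised passwords and turns each match into an alert and a remediation action (forced reset, or quarantine for privileged accounts). The design assumes that, next to its normal salted password hash, the IdP stores an HMAC-SHA256 fingerprint keyed with a server-side secret ("pepper", assumed to live in a KMS or HSM), so the feed can be checked by set intersection without reversing any hash; it also assumes the feed arrives as plaintext values. Accounts, pepper and feed contents are constructed.

```python
"""Added example, not code from the page: a daily sweep of stored password
fingerprints against a compromised-credential feed. Pepper, accounts and feed
below are constructed sample data."""
import hmac
import hashlib
from dataclasses import dataclass

# Assumption: a server-side secret held outside the user database (KMS/HSM).
PEPPER = b"constructed-server-secret-keep-in-kms"


def fingerprint(password: str) -> str:
    """Keyed fingerprint of a password. Without PEPPER the value cannot be
    brute-forced offline, which is what makes it safe to keep alongside the
    normal salted hash."""
    return hmac.new(PEPPER, password.encode(), hashlib.sha256).hexdigest()


@dataclass
class Account:
    username: str
    privileged: bool
    pw_fingerprint: str
    status: str = "active"        # active | reset_required | quarantined


@dataclass
class Finding:
    username: str
    action: str
    reason: str


def enroll(username: str, password: str, privileged: bool = False) -> Account:
    """Called at creation/reset: keep only the fingerprint, never the password."""
    return Account(username, privileged, fingerprint(password))


def daily_sweep(accounts: list, compromised_feed: list) -> list:
    """Compare every active account against today's feed. Returns the findings
    and applies the remediation by updating each matched account's status."""
    feed_fingerprints = {fingerprint(p) for p in compromised_feed}
    findings = []
    for acct in accounts:
        if acct.status != "active" or acct.pw_fingerprint not in feed_fingerprints:
            continue
        if acct.privileged:
            acct.status = "quarantined"
            action = "quarantine account and page security operations"
        else:
            acct.status = "reset_required"
            action = "force password reset at next sign-in"
        findings.append(Finding(acct.username, action,
                                "password matched compromised-credential feed"))
    return findings


if __name__ == "__main__":
    directory = [enroll("alice", "correct horse battery staple"),
                 enroll("bob", "Summer2022", privileged=True),
                 enroll("carol", "letmein!!")]
    todays_feed = ["Summer2022", "letmein!!", "hunter2"]   # constructed feed
    for f in daily_sweep(directory, todays_feed):
        print(f"ALERT {f.username}: {f.reason} -> {f.action}")
```

Two trade-offs worth noting: the fingerprint is deterministic per password, so two users who chose the same value get the same fingerprint (the sweep still works, but the pepper must be protected as carefully as the signing keys), and feeds that ship only SHA-1 digests cannot be checked this way, because the HMAC cannot be computed from a hash; for those, the check is limited to creation and reset time.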
» Multifactor authentication (MFA). MFA is an authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: knowledge (something only the user knows, like a password), possession (something only the user has, like a smartphone), and inherence (something only the user is, like a fingerprint). MFA is designed to dramatically reduce the number of successful compromised-credential incidents. Adoption rate and backward compatibility are two issues with MFA. According to Microsoft, only 25% of its Azure Active Directory (AD) customers are currently using MFA; this leaves 75% potentially exposed. Many legacy applications and systems were never designed with MFA in mind and cannot implement it. Further, MFA does not replace passwords because the first factor is generally a username/password combination.
» Password managers. A solution to harden the password layer, password managers are applications designed to store and manage online credentials (usernames and passwords) inside an encrypted vault that is locked behind a master password. Users don’t have to memorize all their passwords anymore. They also can auto-generate highly secure passwords. Some of these tools include password checking and monitoring as a feature. This security comes at a cost of around $24–40 per year per user. The price may not be too much of a deterrent for individuals or small businesses, but it could add up to a significant expense for medium-sized to large enterprises. There may be more cost-effective solutions available for enterprises.
IDC believes that hardening the password security layer requires a multistep approach. Multifactor authentication is one of the latest layers to be recommended, and a lot of energy has been spent promoting it. However, one of the factors used in MFA is a username/password combination. So, the right choice of a password is still very important. Passwords should be checked to ensure not only that they meet guidelines but also that they are uncompromised at the time of creation. Add real-time, continuous monitoring of passwords to send an alert or automate remediation if any have been detected as compromised, and you have a stronger security layer.
October 24, 2022. Published by IDC Research, Inc.