There seems to have always been this debate on the use and actual benefit of passwords. How do we make them secure without being impossible to remember, and what is the best expiry plan?
Firstly, I would like to remind you, cyber security is the process of layering on controls: people, process, and policies.
Often I have been asked if/when I believe passwords will be done away with, my answer is simple; never. The truth behind the password is it’s just another layer to our overall security. Passwords are what we generate in the world where companies are continuously breached and in some situations aren’t legally required to notify you. So why not take that tiny bit of the control back and design a secure password?
When you get that notice “..your password expires in 5 days.” instead of feeling anxious or aggravated, let’s simplify what exactly a secure password is, so you can design yours with confidence.
Whilst it’s important to make sure your password isn’t guessable, is it really effective to substitute letters for numbers? “Hackers” can be anyone from the antisocial youth living in their parents basement to your colleague who is kind, has a family, and really gives no reason to suspect otherwise. As humans, we tend to follow similar patterns, and something you may feel is distinctly unique likely isn’t.
When looking at creating a secure password, stop and use a sentence as your password (or passphrase). “A positive memory from your past that won’t change. And remember that you can use SPACE between each word in most systems,” says Per Thorsheim, founder of PasswordsCon. Not only are passphrases easier to remember and often complex, but they’re also going to be longer, which is where the true security lies.
Dean Kelshall, Senior Manager at Baringa, thinks the following:
“The reasons humans fail at passwords is that we need so so many of them. One for hotmail, one for gmail, one for work, one for Facebook… the list continues ad infinitum. So we cheat (easy passwords, repeat passwords, increment the last digit) and we therefore become a weak link. Make passwords more memorable, longer, and change less, and we will all be better off.”
Dean believes that “..a factor which is becoming more important in passwords is memorability.” Compare “seti9waiWE9w3£0%” to “Today I went to the (85th) Castle with Elliot”, which would be easier to remember for you?
Still don’t believe us? Take it from the original source: Bill Burr, the man behind the original 2003 password guidance, who admitted he was wrong. (Source https://www.wsj.com/articles/the-man-who-wrote-those-password-rules-has-a-new-tip-n3v-r-m1-d-1502124118)
Expires in 30 days
Many organisations have the password rotation policy of 30 days, requiring users to change passwords each month to something new. How many users have entered their old password with a “1” or “!” in place? Does this policy actually work?
Per told me a story once of a company years ago that had quite an intense password change policy. This company required users to change passwords every 30 days, however, it kept the last 24 passwords. This means that if $userA set a password in January this year, they wouldn’t be able to reuse the same password until 2019. From a management point of view, that may sound brilliant, but Per tells of one user that changed their password 25 times every password change, just so they could reuse their preferred one forever. If you think that’s slightly excessive, think of all the users who’s only change was to append “!” or numbers onto their original.
Take back control
Passwords may seem overly complicated and to you, they may not seem important.
Here’s the thing, if you look at it from the hacker’s point of view, unless multi-factor authentication is implemented, all that’s standing in the way of a malicious actor knowing almost every aspect of your life is solving one password. With that in mind, the previously annoying password may start to look a lot more valuable
About the Author: Zoë Rose is a Cisco Champion and Splunk architect. She helps clients secure their network infrastructure from data loss and cyber-attack. In addition to specializing in network security, Zoë also supports ethical hacking, incident response engagements, advice on best practice software development, and secure systems architecture.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
This is a Security Bloggers Network syndicated blog post. Read the original at: The State of Security 2017-10-05.