If there is one thing every internet user probably shares, it’s a frustration with passwords. Originally invented as an optional way to keep computer accounts private, passwords have become the default authentication method, the keys to our online worlds—and constant sources of misery.
Perhaps less well-understood, though, is the fact that, according to the 2016 Q3 Forrester Wave, password-related issues are also the most common attack vector in cyberbreaches.
Ajay Banga, the CEO of MasterCard, said it best when speaking on a cybersecurity and consumer protection panel at the White House Cybersecurity summit in February 2015: “Stop making us remember things in order to prove who we are.”
Passwords in the Enterprise
In the context of the enterprise, passwords are particularly problematic—a scaled-up version of individual password issues. According to the Verizon Data Breach Report (DBIR) of 2017, 81 percent of all breaches involve weak or stolen passwords.
Consequently, is particularly surprising that—also per the DBIR—most CIOs and CISOs have very little visibility into their overall “password posture,” which constitutes more than three-quarters of their breach risk. Several critical password-related problems exist in the enterprise.
Default and Weak Passwords
Many users never change an administrative password, resulting in a default-password situation which makes them easy targets. Weak and easy-to-guess passwords are also in widespread use across many critical servers and applications in enterprises of all sizes. According to a 2017 study by Dimensional Research—and more than a decade of personal experience in the security market—even privileged and important users, such as system administrators or C-level executives, use weak passwords.
Some CISOs and CIOs try to address this problem with strong and difficult to enforce password policies, but even those can’t address the more problematic issue of password reuse, which frequently extends to platforms and accounts beyond the security team’s control.
Password reuse—the idea that a LinkedIn password is the same as a corporate one—is quite commonplace, driven by both the inability to remember numerous passwords and the ignorance of reuse’s inherent dangers. But even if enterprises can avoid weak and reused passwords, a corollary danger lurks.
Another problem in the enterprise is passwords in-the-clear. Even companies that have adhered to every best practice possible in developing of their passwords can have their efforts negated without proper handling on an ongoing basis. Organizations—many of which use legacy protocols such as rsh, telnet and http—leave passwords among their traffic that flows in the clear. If such traffic is intercepted, these passwords might as well be defaults because they are wide open to be used for unauthorized access.
A related problem occurs when user passwords are stored by servers and desktop applications—either unencrypted or incorrectly encrypted. While unfortunately common, this obviously bad application design stems from the flawed assumption that an application server won’t ever be breached. In reality, individual computer systems are breached frequently, and the incorrect storage of keys and passwords allows for an attack to propagate across systems and become a major problem.
What Should CISOs and CIOs Do?
Before anything can be improved, it must be measured objectively. Enterprises must employ a tool that can comprehensively measure password posture and risk: weak and default passwords, password reuse and passwords-in-the clear. This measurement must be continuous to enable security personnel to track the change posture metrics as mitigations are added.
To improve password hygiene, enterprises have two main friends: enterprise password managers and multi-factor authentication (MFA). Both add friction to the business but are usable at scale and are acceptable as a mitigation method, especially when compared to other draconian security tools some organizations use.
The use of an enterprise password manager will enable users to have strong and unique passwords for all accounts without having to remember them. Passwords for systems that do not allow multiple users can also be properly shared. The usability of password managers has increased significantly in recent years. The concept is similar to a physical keyring: useful to everyone.
Additionally, when properly implemented, MFA can add a major speed bump in an adversary’s progress. Again, think soft tokens such as Google’s Authenticator App, not hard tokens such as the RSA keys. It is important to get provisioning, backup and recovery right. Think about the challenges users experience when they lose or upgrade their phone. If costs are a concern, use business risk to prioritize what critical applications you want to protect with MFA first, and which ones can wait.