If you’re human, you’ve probably re-used a password or two. In fact, the majority of internet users between the ages of 18-65 have done so, and the younger you are, the more likely it is that you use just one password for all of your accounts.
Article written by: Chris LaConte, Chief Strategy Officer for SpyCloud
We all know it’s bad, and most internet users probably understand how to make a strong password: it should contain random letters, numbers and characters, be at least 16 characters in length, and most importantly, be unique.
But why don’t users create unique, secure passwords for all their accounts? That’s because, as the National Institute of Standards and Technology (NIST) acknowledged since releasing their new guidelines for identity management last year, the emphasis around complexity in creating _passwords ignores the reality of having to continuously _manage many passwords.
The average internet user has about 200 accounts online, so it’s hard to put too much blame on users who opt for uniformity across all their passwords. Similarly, it’s difficult to place too much blame with companies who followed best practices for forcing complexity into user passwords but can’t control user apathy.
Unfortunately, while the new identity management guidelines from NIST offer an excellent roadmap for a password security course correction, there haven’t been major across-the-board changes in password requirements, security checks or user password habits.
It’s time that companies stopped resisting change and started leading employees and customers towards more secure and manageable password habits. Understanding how threat actors operate can help us take simple, preventative measures that keep attackers out of protected accounts.
Don’t Let Them Guess It
True to form, the webcomic XKCD aptly depicts the reality of account takeovers (and much of all hacking, really) as simple, human curiosity – “will this key open this lock?”
It’s reasonable to assume that someone, somewhere has pointed an account checker tool at any given website and plugged in known email addresses with similar passwords, or passwords that contain the name of the website. Maybe they tried “123456,” “abcd1234,” or “password” — the all-time leaders in bad passwords.
Passwords shouldn’t be the same as usernames, shouldn’t contain the site or associated service name, and shouldn’t be sequential, simple or just a regular word. We know that threat actors have the tools to very quickly check all of these types of passwords to see if they’ll open the door to a user account, and these tools can also try variants to defeat the oh-so-clever exclamation point users maybe added to passwords in 2016.
To prevent users from creating easy-to-guess passwords, companies should create or download lists of the most commonly used passwords as comparison tools. Reject proposed passwords that have matches in those dictionaries, or those that use simple patterns or the website or service name (or variants thereof, like using “PapaJohn1” to protect your pizza account). Even better, check to make sure your users are not selecting passwords that were included in a 3rd party data breach. As mentioned above, most users continue to use the same password across multiple sites, and if compromised somewhere else, those passwords puts your company (and users’ accounts) at risk.
Don’t Let Them Crack It
Simple passwords present another problem – they help threat actors who have a few more resources to more quickly crack encryption algorithms.
It’s an unfortunate truth that some of the world’s most popular online services use outdated and insecure encryption types to “protect” passwords. These encryption algorithms will stop low-level attackers who gain database access from reading user passwords, but they’re likely to look like a fun puzzle to more skilled threat actors.
In addition to using dictionaries to prevent users from setting repetitive, simple or otherwise easy-to-guess passwords, companies need to understand the limitations of their hashing algorithms and prompt users to develop complex strings of numbers and letters or, better yet, pass-phrases that offer a similar level of complexity but are easier to remember.
As described above, the tools threat actors use today take lists of commonly used passwords and can modify them with common variations. In practice, this means older hashing algorithms like MD5 – still a very popular encryption solution – can be cracked in seconds, even if users tack a string of numbers onto passwords or replace “o’s” with zeroes.
Helping users create longer and slightly more complex passwords is a good way to make brute-force password cracking harder, but using strong hashing algorithms like bcrypt makes brute-force cracking functionally exponentially more difficult. Coupled with a phrase-length password (NIST recommends 64 characters including symbols and spaces), bcrypt will take decades or even centuries to brute-force.
Don’t Just Hand Over the Key
The very best way to protect user accounts from takeover attacks is to make sure that passwords aren’t already compromised. Threat actors have access to billions of passwords that, over time, have been stolen from the Clearnet, compiled into “combolists” that match usernames with associated passwords, and sold on the relative cheap. Fortunately, white hats and security researchers also collect these passwords to keep track of credentials that are no longer secure.
NIST makes it very clear in their updated guidelines that checking proposed passwords against lists of known compromised credentials is an effective test of a password’s security. Moreover, companies that run these checks can help increase their customers’ and employees’ overall understanding of their individual security posture, and more secure users make a more secure network.
Lists of credentials known to be compromised are available for free, and even these static lists provide a level of certainty in password security that really can’t be matched with simple complexity controls.
However, static lists age, meaning regular updates by IT teams will be required. Purchasing access to continuously updated databases of known-stolen passwords is likely to be a better strategy in the long term. Manual additions to compromise checklists won’t be needed, IT teams can trust that new passwords _and _existing passwords will be regularly checked for compromise, and these services are often bundled with automated remediation tools to simplify alerts for employees or customers who need a password update.
Why it Matters
The reality of password reuse makes this last check particularly important for enterprises. Especially for apps that employees need every day, simple or reused passwords are the easiest way around “pesky” IT requirements for secure passwords, and it’s likely that enterprises have a reused password protecting at least one account on their network.
Unfortunately, employees’ tricks for working around IT requirements are also the easiest way for threat actors to find their way inside protected networks.
Tying NIST password security checks into corporate email directories can help ensure that employees aren’t re-using compromised passwords to protect business data and can simultaneously ensure that proposed passwords aren’t too simple, easy to guess, or just variations of an already-compromised password.
Combined with strong hashing algorithms, these simple and automatable measures are not only enough to prevent account takeovers — they should also be helpful reminders for users to practice better password hygiene and make account takeover attacks less effective for the less-skilled threat actors who generally carry them out.