ITSecure Advisory - P@$5w0rds!

Back to ITS Updates

This article was originally published in the Fall 2018 edition of the ITS Innovations Newsletter as part of insights and reflection from the Information Security Officer. 

A necessary burden

Let’s face it, we all know how we truly feel about usernames and passwords. These credentials have become a necessary burden in our digital lives. They serve as proof when we are required to validate our identity to the many systems and websites we’ve come to depend on — everything from logging into our computers, to checking our e-mail and shopping online. These services require us to provide something we know, otherwise known as a memorized secret. We commonly refer to these secrets as passwords and begrudgingly welcome them into our digital lives. But these memorized secrets have been around for a while. In fact, your ATM or credit card Personal Identification Number (PIN) is yet another form of a memorized secret — albeit, one that is easier to memorize since they are limited to numbers with a common length of four to six digits. But as our reliance on technologies continues to increase, so does the burden of having to remember all these secrets.

To further safeguard these secrets, we made passwords more complex in order to thwart an attacker from easily guessing them. For this reason, you will often come across a similar statement when creating a new account: “Your password must be at least 10 characters with a combination of each of the following — uppercase, lowercase, numerals, special character.” Admittedly, it’s not easy keeping track of all these secrets, especially ones that you can’t share or speak of. But relief is on the horizon as the National Institute for Standards and Technology (NIST) recently updated their recommended best practices for memorized secrets, a.k.a. P@sswords!

What we've learned from a decade of passwords

Based on the results of several studies, NIST has concluded what we have intuitively known for quite some time now — people have a difficult time memorizing passwords, especially wacky and complex ones that only a machine could understand. Our human minds have a tendency to create the simplest password that satisfies those complexity requirements (e.g., Colgate13!) and because of the adage “if it works, don’t fix it,” we simply reuse that password over and over again across various other systems and websites. Perhaps you came up with a really good password? Studies have also found that people tended to write down or electronically record these really good passwords.

While adversary tactics and techniques evolve, so does our understanding of best practices for passwords. In the past, judging the acceptability of a password based on its complexity and length was once regarded as the gold standard, as such complexities guarded against password cracking attacks. However, this added complexity (i.e., entropy) no longer mitigates modern day cyber attack vectors. Instead, this added complexity will severely impact a person’s ability to remember the actual secret, resulting in workarounds such as password reuse or simply writing or storing the passwords in an insecure manner (e.g., sticky notes or a document in your computer).

Latest threats and attacks

Modern day cyber attacks now focus on exploiting human tendencies and behaviors. Rather than attempting to crack the actual password, attackers lure victims into inadvertently disclosing their passwords and account information through phishing e-mails. Once an attacker obtains your password, they can attempt to gain further access to other websites and accounts by exploiting our human tendency to reuse passwords.

The issue of password reuse expands further once we consider how passwords are chosen. Analysis of previously compromised passwords (~500 million) from various websites and companies has shown that people tend to create passwords based on social and culture references. In other words, there is a good chance that the password you create is not actually unique, and someone else probably came up with the same password (e.g., Colgate13! or StarWar$). Given all these human tendencies and behaviors toward passwords, an attacker can guess a “complex” password with relative ease.

This class of attacks is referred to as credential stuffing and the risk of password reuse can be further illustrated with this real-life example. In 2012, Dropbox suffered a data breach resulting in the loss of information for more than 60 million accounts. Years later, when details emerged in 2016, it was uncovered that the initial compromise was the result of a Dropbox employee reusing their company password for their personal LinkedIn social media account. After an attacker compromised LinkedIn earlier in 2012, the attacker pivoted and targeted Dropbox with the freshly pilfered credentials, resulting in significant financial and reputational damages. Although we don’t have to personally worry about thousands of passwords, there are important steps we can take to improve our security hygiene when it comes to managing passwords.

Newest security tools

A reputable password manager, such as LastPass, provides an acceptable balance between convenience and security. A reputable password manager will securely store all of your passwords in an encrypted vault which only you can access. One burden is lifted, as you no longer have to remember the password for every system or website. An added benefit of using a password manager is that you easily prevent password reuse by generating a unique password for every system or website through the use of its built-in random password generator. Passwords such as V8t$g$Kj*&E5jQu can readily be generated for each and every account. This provides the convenience of not having to memorize every password, while increasing your security hygiene by having random passwords generated. So instead of hundreds of “complex” passwords to remember, you only have one, which grants access to the secure vault. And although this may sound like putting all your eggs in one basket, utilizing a password manager actually creates a defensible position, to which additional protective layers can be added such as Multi-Factor Authentication (MFA).

Was this information useful? We're always adapting and changing, just like hackers. Please feel free to send us feedback. We'd love to hear from you and make Colgate more secure.