The problem with passwords
Passwords are almost universally used as the primary means of authenticating the identity of a person for computer systems or applications. They may come in different forms — such as alphanumeric text, PIN digits, passphrases or “select A from B” systems — but they all share the same characteristics.
Read this report, "The problem with passwords," and explore how passwords provide a sense of security that can be highly misleading. Security professionals agree that although authentication by password alone is used the vast majority of the time across the Internet and in enterprises, more robust authentication systems provide better protection.
Authentication systems can have a significant impact on an organization’s operations. In a world where outsourcing is increasingly the norm, and where Software as a Service (SaaS) solutions, single sign-on and federated identities have become common, the service management issues of identity and authentication take on a more visible and critical significance. They also become external costs and therefore visible to the organisation.
As a global IT services provider, DXC has found that up to one-third of all service desk requests at peak periods may be the result of password-related issues. Over an 18-month period, 15% of service tickets are password related. There is no obvious correlation between the requests and the type of system being used, although having multiple systems can have an effect. In one extreme case, 60% of all service desk tickets arose from password resets, which could have been due to the combination of a 60-day password change policy and the existence of multiple authentication systems.
DXC has also found that technology solutions can cause unintended problems. Without careful planning and architecture for authentication systems, issues with synchronisation become visible and can cause account lockout. Automated password reset systems address the symptom rather than the problem. While automation reduces the number of service tickets (and the visible cost associated with them), users need to know what they are doing. Automated systems may not improve the speed of resolution, which can maintain, or perhaps worsen, the invisible cost impact.
The Company's View
Companies will want to address both the security of their environment and the cost to maintain that security. As with all things, this becomes a balance of cost versus risk. Three factors affect this balance:
- Password policy: complexity and frequency of change
- Multiple systems: number of passwords to remember
- Recovery process: accessibility and response time
An organization must balance these factors to achieve an acceptable level of risk versus the cost of maintaining the security level. Each organization will need to determine that balance point based on its own understanding of the risks and threats. DXC usually suggests that some strategic investment can provide a long-term improvement in risk, whilst simplifying the user experience and reducing the visible and invisible impact of password failure. When weighing these factors, bear in mind:
- Increased password complexity allows reduced change frequency.
- Multi-factor authentication reduces change frequency AND increases security.
- Single sign-on reduces complexity and password failure.
- Passwords on their own do not constitute sufficient security for many activities.
- Password recovery must be as secure as the asset the password is protecting.
The Attacker's View
Hackers are in a race to find vulnerabilities before defences can respond. Zero-day vulnerabilities that result in information breaches cost money to find, develop and exploit in practice. In a remote attack, there are many layers of defence between hackers and their targets. But if the attacker has access to passwords, those defences crumble very quickly — and, worse, the activity looks legitimate.
Systems can be further compromised to facilitate future use. As a result, much of attackers’ energy goes towards attempting to recover passwords. There are many ways they can do this, but the approaches fall into a small number of categories and attack vectors, each of which has a corresponding set of standard defences. The following table shows that password policies can be of limited use.
What’s notable is that password complexity and expiry controls do not have a significant impact against the attacker when one considers the number of attack routes that can be exploited. What is needed to properly defend against attacks on authentication is a variety of controls, including:
- Password controls
- Multi-factor authentication
- Anti-malware controls
- Privileged access controls
- User education
- Activity monitoring
- Effective monitoring of the environment
Effective use of these controls can reduce the importance of the classic password. This does not mean that password controls should not be used; but as passwords become less important, the risk is reduced, the user experience is improved and the cost of security to the business — in time lost and in IT requests — is also reduced.
Faced with a well-managed combination of the controls above, attackers have a much more difficult time exploiting a system. They must exploit vulnerabilities in the software rather than the people, which is more expensive and time consuming, and results in a reduced chance of a successful outcome.
Examining the mathematics, people and language
Passwords are strings of characters, and their strength is linked to their randomness, something measured by entropy. Password strength can be improved by increasing the number of characters in the set (e.g. letters plus numbers adds 10 options) or increasing the length of the password.
“Password” regularly turns out to be the most common password in surveys and in rainbow tables. Mathematically, in any given character set, “Password” is as strong as any other eight-character string — that is, it has the same probability of appearing in a uniformly random selection of eight characters from the set. But it illustrates a big problem.
People will choose passwords that they can a) remember and b) type easily. From a given character set, this means that people will normally tend towards using words in their own language and will further constrain the selection by choosing words that are meaningful to them. This quickly reduces the randomness (entropy) of the passwords chosen.
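The entropy argument above can be made concrete with a few lines of arithmetic. The script below is an added illustration, not code from the DXC report: it computes the entropy of a uniformly random password as length × log2(character-set size), and contrasts it with the entropy of a password that is really one pick from a list (a dictionary word, or an entry in a "most common passwords" list), where the character count no longer matters. The character-set sizes, the 100,000-word dictionary and the 1,000-entry common-password list are constructed assumptions chosen for the example.

```python
import math

# Character-set sizes used in this worked example (constructed assumptions).
CHARSETS = {
    "lowercase": 26,
    "letters": 52,
    "letters+digits": 62,            # letters plus numbers "adds 10 options"
    "letters+digits+symbols": 94,    # printable ASCII excluding space
}


def uniform_entropy_bits(charset_size: int, length: int) -> float:
    """Entropy, in bits, of a password chosen uniformly at random from
    charset_size symbols: length * log2(charset_size)."""
    if charset_size < 2 or length < 1:
        raise ValueError("need at least 2 symbols and a length of at least 1")
    return length * math.log2(charset_size)


def choice_entropy_bits(num_equally_likely_choices: int) -> float:
    """Entropy when the password is effectively one pick from a candidate list
    (a dictionary word, a top-N password).  The number of characters in the
    chosen string is irrelevant; only the size of the list counts."""
    if num_equally_likely_choices < 1:
        raise ValueError("need at least one candidate")
    return math.log2(num_equally_likely_choices)


def length_for_target(charset_size: int, target_bits: float) -> int:
    """Smallest length over this character set that reaches target_bits of
    uniform entropy, i.e. how much a bigger set lets you shorten the password."""
    return math.ceil(target_bits / math.log2(charset_size))


def expected_guesses(bits: float) -> float:
    """Average number of guesses to hit a secret of the given entropy:
    half of the 2**bits search space."""
    return 2 ** (bits - 1)


def compare_schemes() -> dict:
    """Entropy of three ways an eight-character password can come about.
    The list sizes are constructed assumptions for illustration."""
    dictionary_words = 100_000     # assumed size of a natural-language word list
    common_passwords = 1_000       # assumed size of a 'most common passwords' list
    return {
        # Truly random: every one of the 52**8 strings is equally likely.
        "random 8 letters": uniform_entropy_bits(CHARSETS["letters"], 8),
        # Human habit: a word, optionally capitalised, plus two digits.
        "dictionary word + 2 digits": choice_entropy_bits(
            dictionary_words * 2 * 100),
        # "Password": one of the handful everybody picks.
        "entry from top-1000 list": choice_entropy_bits(common_passwords),
    }


if __name__ == "__main__":
    print("Uniform random passwords (bits):")
    for name, size in CHARSETS.items():
        for length in (8, 12):
            bits = uniform_entropy_bits(size, length)
            print(f"  {name:24s} len={length:2d}  {bits:5.1f} bits  "
                  f"~{expected_guesses(bits):.2e} guesses")
    print("\nLength needed for 40 bits:")
    for name, size in CHARSETS.items():
        print(f"  {name:24s} {length_for_target(size, 40)} characters")
    print("\nHow the same 8-character string is really chosen:")
    for scheme, bits in compare_schemes().items():
        print(f"  {scheme:28s} {bits:5.1f} bits  "
              f"~{expected_guesses(bits):.2e} guesses")
```

Running it shows the point of the paragraph: an eight-letter string drawn uniformly at random carries about 45.6 bits, while the same eight letters chosen as a capitalised dictionary word with two digits carry roughly 24 bits, and an entry from a short common-password list only about 10 bits. Lengthening the password or enlarging the character set raises the first figure, but does nothing for the other two unless the selection process itself changes, which is why complexity rules alone have limited effect.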
Find out how that entropy translates into security risks, and what organizations can do to strike the right balance between security and user acceptance. Read this report, "The Problem with P4$$WORDS!," to learn:
- Pitfalls of forcing symbol combinations and password changes
- Sensible password policies
- Privileged access control
- Generic and shared account management
- Multi-factor authentication
Contact us to learn more about identity and access management.