By Urpo Kaila, Head of Security at CSC, Finland
The password is dead, we have been hearing this for a very long time.
‘You need to use keys, certificates, tokens, biometrics, or at least passphrases, but not passwords, they are history’, it was said. But here we go, in the age of digitalisation we still struggle with our passwords, with our lousy keys to physical doors, whilst in the US people still carry their paper checks to the post office.
Well then, how can one survive with passwords, or at least how can one avoid walking blindfolded toward the cliff edge? Let’s start with some basic and well known, but often forgotten best security practices. For authentication you need something you know (a secret), something you have (a cryptographic key for example) or something you are (as your fingerprint or your iris). The fastest and easiest way to set up authentication for a service is password based, but this comes with several caveats.
A password should be hard to guess, but easy to remember, and this is already a very difficult equation. Guessing passwords is a well-established activity that can be successfully automated if one can try many times with different passwords. When you know how long it takes to try out one password, you can easily calculate how long it would take you to try out all possible password combinations for certain password length and complexity requirements.
An eight-character password can be very easily guessed by trial and error. That would take, depending on password complexity and the computing power of the attacker, something between a fraction of a second to a couple of hours.
A twelve-character password with decent complexity is already hard to guess. Individuals with administrative and privileged accounts should have longer passwords because of greater risk. I would recommend 14 characters as a minimum. Others suggest yet longer passwords, but that comes with a price too, as they are harder to remember, and people tend to write them somewhere. There should be some mandatory complexity requirements too, you should include a combination of uppercase, lowercase, numbers and special characters. This is a well-established built-in feature in most authentication solutions.
Unfortunately, in the real world an intruder doesn’t need to try out all possible password combinations. There is an ample supply of long lists of leaked passwords that can be successfully used, as people often use the same or similar passwords. In most current systems, passwords are not – and they should not – stored as such, in plain text, but encrypted as password hashes. Unfortunately, there are also publicly available lists of password hashes with corresponding plain text passwords, so called rainbow tables, which can be used to compromise accounts with the help of leaked password hashes.
Bad news don’t stop here. There is a constant pressure to fool us to voluntarily disclose our passwords with fraudulent emails, web sites, phone calls, or with malicious code on our devices. Password length does not protect us against social engineering. Beware also of shady and free ‘password services’ available on the internet, do not submit your password or other credentials to such sites.
Security has a price, it can be measured as costs, but also as reduced usability. A good balance on security and usability should be decided according to risk management. You can use bad but easy to remember passwords on services with low risks for you, such as some consumer-based customer portals that are not connected to your credit card.
Never use the same password on your work or university account and other services you use. It would be gross negligence if your work account was to be compromised with your social media password. In instances of very low security needs you can use the same password on different sites or create some simple and easy to memorise password transformation rules, with a combination of constant and variable string. For example, www.example.com -> P1npaAmple, www. insample.com -> P1npmple, and so on. However, do not use dictionary words or top-100-worst-passwords, such as Password1!
Nevertheless, there is one exception on password security also for personal and private accounts. Protect your email account with a good password and multi-factor authentication, if possible, as access to your email is mostly also the tool for password recovery. An intruder with access to your email can change your passwords at will.
Most of us have more passwords than we can possible memorise. Use a reliable password manager on trusted devices protected with a good passphrase to store your passwords. I normally recommend open source solutions such as Keepass or KeepassXC.
I recommend not to store your important passwords in the password manager of your web browser, as the password hashes are stored in a public cloud and can be retrieved from your browser with just one function call should you visit a malicious site. Also, if any site still asks your pet name or mother maiden name, lie (!) and write up your lie in your password manager.
You can often hear snarky comments or sarcastic jokes on passwords. One of the best and a very clever one is the passphrase horse-battery-staple cartoon (https://xkcd.com/936/) on xkcd. [also referenced in the article by RENATER IT Security Engineer Guillaume Rousse “Some tips to secure your passwords“]
Unfortunately, many authentication systems do not support passphrases that include spaces. There is no single silver bullet to help make passwords both secure and easy to use. People tend to be anxious and worried about their accounts, then a natural reaction is to reduce the fear element with humour.
Can we move to multi-factor authentication with tools such as the lousy password? Yes, we can! Social media giants and consumer cloud providers have already achieved this in a way that doesn’t really affect usability. These providers allow users to add a new layer of authentication when logging in with a new web browser and then to authenticate themselves over the phone too. This is very good, we should also deploy a similar mechanism on our infrastructures, open-source tools are available for this purpose.
For system and service administrators and other privileged accounts with access to sensitive data the risks are higher. Security controls for authentication should be based on layered defence with trusted network and devices, multi-factor authentication and good governance on identity management. Security for sensitive data must be ensured and mandatory. At CSC we are constantly grilled during our ISO 27001 security audits on how we ensure access security.
The challenges to deploy key or token-based authentication have been mostly related to logistics, not usability. For SSH sessions, for example, key based authentication is much more convenient than using password and is also adopted almost by all professional users. Here one must also require proper key lengths. Do not use 1K keys, 4K is the current best practice.
In security the biggest challenges do not stem from security procedures, but from everything else! If we have issues with identity management, change management, IT management, or you-name-it management, we have a security problem. If you want to be liked and loved by all, do not plan a career in security. In some cases, you must make the rules mandatory for all despite protests. Minimum requirements for password complexity is one of such rules. The security of your data is as strong as the weakest part of your security. For some other requirements, such as the minimum time for password periodic change you should use your own good judgement. Good governance and organisation-wide security awareness is the foundation for good security and good passwords too.
About the Author
Urpo Kaila (CISSP, CISM, GCIH, GCED, CIPP-E) is a seasoned Head of Security at CSC – IT Center for Science Ltd. Urpo has handled many incidents of many types and managed a lot of crises. He is also a member of the steering committees of SIG-ISM and WISE.
Read more on the GÉANT Cyber Security Month 2020: https://connect.geant.org/csm2020