How to keep the keys to the kingdom from escaping the kingdom.
Proper password management is one of the most effective single steps an organization can take to strengthen its security. It also satisfies controls in every major security framework. Two examples, from ISO 27001 and SOC 2 as of the date of this writing:
ISO 27001 A9.4.2: Where required by the access control policy, access to systems and applications should be controlled by a secure log-on procedure.
SOC 2 CC6.1: The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity’s objectives.
Conventional password wisdom served organizations well for many years, but as cheap access to high-powered computing (consumer GPUs, rented cloud instances) spreads, so does the number of passwords an attacker can crack in a given amount of time. Requirements such as an eight-character minimum length and mandatory special characters have already begun to fail us, because they push users toward predictable patterns rather than toward genuinely unpredictable passwords.
For example, we decided to analyze rockyou.txt, a popular wordlist of real user passwords that leaked in plaintext after the December 2009 RockYou breach. Of the 14,344,392 passwords in the list, 116,247 (0.81%) contained an exclamation point somewhere in the password. Of those, 93,272 (80.24%) had the exclamation point at the very end.
People are predictable and will usually look for a shortcut or a pattern to follow, which is why the overwhelming majority of exclamation points in passwords show up at the end: the user satisfies the "special character" rule by appending one to a word they already use. Password crackers understand these shortcuts and encode them directly as cracking rules and character masks, so a complexity requirement that produces a predictable pattern adds almost nothing to the attacker's work.
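The kind of analysis described above, written as an added example (this is not the post's own tooling): it counts where a special character lands in each password and summarises the list as hashcat-style masks, which is exactly the view a cracker takes of a leaked list. The ten-entry SAMPLE_PASSWORDS list is constructed for illustration; point load_wordlist at a real file such as rockyou.txt to reproduce the statistics quoted in the post.

```python
import collections
import sys

# Constructed sample standing in for a real leaked list such as rockyou.txt.
SAMPLE_PASSWORDS = [
    "password1!", "iloveyou!", "Summer2009!", "qwerty!!", "!secret",
    "let!me!in", "monkey", "123456", "abc123", "Princess!",
]


def load_wordlist(path):
    """Read one password per line; leaked lists are often not valid UTF-8."""
    with open(path, "r", encoding="latin-1", errors="ignore") as fh:
        return [line.rstrip("\r\n") for line in fh if line.strip()]


def char_stats(passwords, char="!"):
    """Return (total, number containing char, number ending with char)."""
    containing = [p for p in passwords if char in p]
    trailing = [p for p in containing if p.endswith(char)]
    return len(passwords), len(containing), len(trailing)


def mask(password):
    """Hashcat-style mask: ?l lower, ?u upper, ?d digit, ?s anything else.
    Masks are what a cracker feeds to a mask attack instead of brute force."""
    out = []
    for ch in password:
        if ch.islower():
            out.append("?l")
        elif ch.isupper():
            out.append("?u")
        elif ch.isdigit():
            out.append("?d")
        else:
            out.append("?s")
    return "".join(out)


def top_masks(passwords, n=5):
    """Most common masks in the list, i.e. the patterns a cracker tries first."""
    return collections.Counter(mask(p) for p in passwords).most_common(n)


def report(passwords, char="!"):
    total, containing, trailing = char_stats(passwords, char)
    print(f"{containing}/{total} ({100 * containing / total:.2f}%) contain {char!r}")
    if containing:
        print(f"{trailing}/{containing} ({100 * trailing / containing:.2f}%) "
              f"have it at the end")
    for m, count in top_masks(passwords):
        print(f"{count:>8}  {m}")


if __name__ == "__main__":
    # Usage: python analyze.py [wordlist]; with no argument the constructed sample is used.
    report(load_wordlist(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PASSWORDS)
```

The mask output is the practical point: once "?l?l?l?l?l?l?l?l?d?s" (eight lower-case letters, a digit, a symbol) shows up as a dominant pattern, an attacker no longer needs to try every nine- or ten-character string, only the ones matching that mask.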
To genuinely strengthen password-based authentication, a revamp must include at least three components: multi-factor authentication, password management software, and the elimination of weak or previously compromised passwords.
Enforce Multi-factor Authentication
At its core, the principle of multi-factor authentication is based on a combination of three different factors:
- Something you know (e.g. password, PIN)
- Something you have (e.g. RFID badge, your phone)
- Something you are (e.g. fingerprint, retina)
We are most familiar with the first in the list, something you know, in the form of a password. Increasingly, services recommend, and sometimes enforce, a second factor as well. This is typically a one-time code sent via SMS text message or generated in a smartphone app; some apps also support push notifications with options to approve or deny a login attempt. Of these, SMS is the weakest option, since a code delivered over the phone network can be intercepted or redirected (for example through SIM swapping), and push-based approval should be paired with user training so that people deny prompts they did not trigger rather than approving them to make the notifications stop.
Implementing multi-factor authentication means a stolen or cracked password is no longer enough on its own to access an account. It also gives the account owner a signal: an unexpected code or approval prompt is strong evidence that their password has already been compromised and should be changed.
Using Password Managers
A password manager works by storing all of a user's passwords behind a single master password (which should itself be long and protected by a second factor). By integrating with a web browser or a phone app, the password manager autofills password fields, and because it fills by site, it will not offer the credential to a look-alike phishing page. This frees the user from memorizing a long list of passwords and lets every account have its own long, unique password that would take a cracker years to recover.
The password manager also helps with password generation: most can generate long, random passwords that look like the result of a cat walking across the keyboard, which is exactly what the mask and rule attacks described above cannot model.
Scanning for Weak and Previously Compromised Passwords
Several online services, such as Have I Been Pwned, SpyCloud, and We Leak Info, offer APIs that let organizations or individuals check whether a password has appeared in a previous breach. Alternatively, breached password lists (such as rockyou.txt, mentioned earlier in this post) are available for download and can be checked against locally.
Integrating these APIs and lists into a custom-built application, for example at registration and password-change time, lets the application screen each new password against known compromised and weak passwords, reject it, and require the user to choose another. Because these databases contain essentially every simple password (e.g. 12345678, password) along with personal passwords exposed in earlier breaches, both categories are kept out of the organization. One caveat: never send a user's plaintext password to a third party. Have I Been Pwned's Pwned Passwords API is designed for this, accepting only the first five hex characters of the password's SHA-1 hash and returning every matching hash suffix, so the full hash, let alone the password, never leaves your system.
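An added example of that screening logic, not code from the post: a local weak-password list is checked first, then the Pwned Passwords range API is queried by hash prefix (k-anonymity) and the returned suffixes are compared locally. So that the block runs offline, CONSTRUCTED_RANGE_RESPONSES stands in for the HTTP response; the suffix for "password" is its real SHA-1 hash, but the breach count beside it is a made-up figure. fetch_range_http shows the real call for production use.

```python
import hashlib
import urllib.request

# Constructed local denylist; in practice load a full leaked list such as rockyou.txt.
WEAK_PASSWORDS = {"123456", "12345678", "password", "qwerty", "iloveyou"}

# Constructed stand-in for the body returned by
# GET https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>,
# which lists "SUFFIX:COUNT" lines for every hash sharing that prefix.
# The first suffix is the real SHA-1 of "password"; the counts are invented.
CONSTRUCTED_RANGE_RESPONSES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"
             "0000000000000000000000000000000000A:2\n",
}


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fetch_range_offline(prefix):
    """Offline stand-in for the range API, backed by the constructed table."""
    return CONSTRUCTED_RANGE_RESPONSES.get(prefix, "")


def fetch_range_http(prefix):
    """Real range query: only the 5-character hash prefix is sent to the service."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "password-policy-check"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, fetch_range=fetch_range_offline):
    """Number of times the password has been seen in breaches (0 if never)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def password_is_acceptable(password, min_length=12, fetch_range=fetch_range_offline):
    """Return (ok, reasons); reasons is empty when the password passes every check."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if password.lower() in WEAK_PASSWORDS:
        reasons.append("on the local weak-password list")
    seen = breach_count(password, fetch_range)
    if seen:
        reasons.append(f"seen {seen} times in known breaches")
    return (not reasons, reasons)


if __name__ == "__main__":
    for candidate in ("password", "Tq7!v-9sLm^2pZ"):
        ok, why = password_is_acceptable(candidate)
        print(candidate, "->", "accepted" if ok else "rejected: " + "; ".join(why))
```

Swap fetch_range_http in for fetch_range_offline to run the live check; the prefix-only query means the service learns nothing usable about the password, and the comparison against the returned suffixes happens on your side.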
Password cracking has evolved over the years, and our idea of what password security means has to evolve with it. If you are looking to make your organization's password security more robust, implementing these three components will make it markedly more resistant to the common password attacks described above.