Password authentication is not the problem. Password management is.
Network complexity increases the risks of a data breach by expanding the attack surface. In the previous article, “Authentication: Cybersecurity’s First Line of Defense,” I discussed many of the different and new security responsibilities facing IT system administrators. Despite all the vulnerabilities complex networks cause, when a data breach occurs, the news media often starts by blaming passwords. Passwords make for an easy scapegoat because people understand password security. They don’t understand non-encrypted data files, non-salted hashed files or VPN split tunneling.
When a password does contribute to a breach, investigators eventually discover that hackers simply took advantage of employee-managed passwords, insecure password data files or insecure network configurations. These attacks have nothing to do with the viability of passwords for authentication.
When a chief information security officer (CISO) allows employees to manage their passwords, they have inadvertently relinquished their entire network security to their employees. That’s because it only takes one weak password, one wrong click of the mouse, or one sticky note to take down the entire network. When a hacker successfully acquires a login password, the system cannot differentiate the hacker from the employee. All the system can do is verify that “someone or something” knew the correct password, and then the system lets whatever pass through the virtual front door.
Why start with password management? Managing passwords is frustrating and often very inconvenient for employees. The hurdles the password policies put them through are ridiculous. Password policies like:
- Longer is better: Eight characters are the minimum, but 12 or higher is better
- Avoid words and patterns like 123456, letmein, starwars, qwerty, etc.
- Use a mixture of characters (uppercase, lowercase, numbers and symbols)
- Don’t use the same password for multiple sites
- Don’t share passwords with colleagues
- Don’t write passwords on notes or store then in a spreadsheet file
These are all good points … if you’re in the 1980s and wanting to implement security on your Commodore 64 computer with no internet! These tips do not work today. Especially when the typical employee has 120 different account passwords to manage. These useless policy rules often lead to even more security issues by lulling IT into a false sense of security. IT thinks employees are following good password hygiene. They’re not. That’s because IT insists on a 12-character password while employees implement convenience. Employees write their 12-character password down on a sticky note for everyone to see.
Employees are not bad people who are out to defeat cybersecurity. Far from it. Because of staffing cutbacks, most employees today are working harder than ever. They have more responsibilities and more stress than before. Managing an average 120 passwords while trying to follow complex password rules can become so cumbersome that employees use shortcuts to stay productive.
Why current password policies are failing
So, if it’s not the fault of passwords and it’s not the fault of the employee, where is the fault? The answer: password implementation.
Theory-based password policies look great on paper, especially when they mimic industry best theoretical security practices from National Institute of Standards and Technology (NIST) papers. Theory-based password security makes a company compliant with government regulation, but that does not mean they are secure. What regulations often don’t consider is usability, also known as “the human factor.” When security is inconvenient to use, end users will circumvent security for convenience. Convenience without security is neither convenient, nor secure.
Here are the 10 most common criticisms levied against passwords by users:
- Passwords are too long and difficult to type
- Passwords include different cases, numbers and special characters I have to remember
- Passwords don’t use words that I can remember
- I can’t relate to the password; it’s gibberish
- I can’t reduce my frustrations by using the same password on multiple sites
- I constantly change passwords so I never can remember them
- I have to write passwords on notes or store them in smartphones, computer files, etc. just to manage them all
- I don’t know if someone is looking over my shoulder as I type passwords
- I have to worry about malware programs that capture passwords as I type them
- I need to share passwords so others can help me with my work
Think about it. Are any of these complaints actually against the viability of password authentication? No, these criticisms are burdens employees face managing a security policy, while still doing their work.
How to start securing passwords
IT managers cannot prevent a breach when they rely on weak authentication. They can’t stop a breach when a legitimate username and password is submitted. And, they can’t stop a breach when employees pick easy-to-crack passwords because anything else is inconvenient.
Authenticated access requires a security framework. A password security framework must consist of three key areas:
- Password Authentication— Establishing trust of a person’s identity
- Password Management— Managing the security of password policies
- Password Integration— Securing computers, networks and applications
When this framework is implemented successfully, making passwords secure is not only possible, but passwords become very effective, cost-efficient and user-friendly, which contributes to a robust security network.
Be sure to check out my next article, “Killing Passwords Won’t Help or Secure Networks.”
Dovell Bonnett has been creating computer security solutions for over 25 years. He passionately believes that technology should work for humans, and not the other way around. This passion lead him to create innovative solutions that protect businesses from cyber-attacks, free individual computer users from cumbersome security policies, and put IT administrators back in control of their networks. He solves business security needs by incorporating multiple applications onto single credentials for contact or contactless smartcards. In 2005, he founded Access Smart LLC to provide logical access control solutions. His premiere product, Power LogOn, combines Multi-Factor Authentication and Enterprise Password Management on a government-issued ID badge (CAC, PIV, PIV-I, CIV, etc.).
What a great and informative piece! I think the three simple keys that make up a secure password framework are 100X more efficient and practical in making sure an agency is secure and protected.