Passwords are essentially the keys to your kingdom. Behind every password is the treasure store of information that is meant to be kept away from the prying public eye. These are the keys to your stakeholder and client data. Furthermore, obtaining unauthorized access could allow unauthorized administrative access to a local system, VPN access to company infrastructure, and much more. In short, they are an essential factor in any organization as a layer of protection for digital assets.

The Password Problem

The password problem is a mix of psychological factors and initial design problems. Regarding psychological factors, passwords that are more complex are harder to remember. Furthermore, the traditional design of passwords is flawed and is generally summarized by this statement: “choose a password you can’t remember and don’t write it down.” If a password is too simple, it lends itself to be easily guessed. If a password is too complex, it will create unhealthy habits such as writing it down or reusing the same password across multiple online services and platforms.

While there are technologies that can enforce stronger passwords, they don’t necessarily solve the problem. A standard “strong password policy” constitutes of 8 characters in length and includes at least one uppercase letter, one lowercase letter, special character, and numbers. The challenge with such a password complexity policy is that “Welcome1!” will likely meet the requirements. In organizations where there is a 3-month password cycle lends itself to passwords aligned to seasons such as “Spring2018!”, “Summer2018!”, and “Fall 2018!”.

Another problem that is often seen with frequent password change policies is that it forces a user to exhaust their list of favourite passwords. This pattern shows that in time they eventually return their original password. Another pattern that has been seen in the 1.4 billion passwords in plaintext that was leaked to the public in 2017 was that users often increment their passwords. A password like “julian02” may become “julian03” at the next password change. It is recommended to have a longer password (10-12 characters) and a less frequent password change policy that aligns with a 4-6 month cycle.

The New Trend on Password Expiration

There has been a recent shift against password complexity and password expiration that has left some members of the information security community in controversy. According to the standards listed out in SP 800-63B Section 5.1.1.2, it lists out policies for longer and more complex passwords as well as indicating that “verifiers should not require memorized secrets to be changed [periodically].” The only reasons that merit a password change would be evidence of compromise.

At Packetlabs, we recommend against the use of indefinite passwords because the point of a password lifetime is to reduce exposure. This is the same thing we do with SSL certificates which have a max validity period of 1 year. If a colleague knows another colleagues password (should be a violation of security policy/standards) there should be compensating controls to reduce the time in which this password can be used. Alternatively, if a password is captured or compromised through a hack, the attacker may have unrestricted access to the environment while the employee is with your organization.

Another part of this trend encourages users to set up very long passwords by using passphrases. An additional challenge you’ll face with long static passwords is that if users reuse that password on multiple sites (e.g., LinkedIn, Gmail, Ebay) is that this will require constant effort for your team to monitor third-party breaches (more importantly those which include clear-text or poorly protected credentials). Without having an expiration, an organization runs the risk of having a password being effective years after a third-party breach.

Avoid Using Common Passphrases

Using common passphrases make long passwords just as useless as a common password. If the organization has a high-security maturity level, and you can ensure that they will not make use of common passphrases (e.g. “once upon a time”) then long passphrases may be the direction to take. However, one may need a technology solution to better enforce the randomness of words selected. With a passphrase, you can push the duration out based on the length of the password, but you want to reduce the exposure for compromised credentials. Verizon’s Data Breach report in 2018 attributes password compromise to a significant percentage of breaches given they can be stolen via asking nicely on a phone call, memory scrapers (malware), phishing, third-party breaches, and several other vectors.

Whichever direction you and your organization take, we recommend adding on a second factor for authentication to mitigate password reuse. You can learn more about that here.

To learn more about choosing the right strategy for strengthening your organization’s password policy, please reach out to us to see how our penetration testing services can assist you.