Ugh. Passwords. The concept has been around as long as civilization itself. But are they the best way to protect account access in the digital age? How do you ensure that people use “strong” passwords? What is a “strong” password, anyway? And when is a password – regardless of its strength – not enough?
The difficulty from an administrative perspective is that the restrictions we impose on our users in an attempt to force them to create strong passwords are often counterproductive. If the password must be at least 8 characters long, must contain both upper- and lower-case characters and at least one numeric and one “special” character, and cannot be a word that’s in the dictionary and must be changed every 90 days and cannot be a password that you’ve used before, you’ve almost guaranteed that it’s going to be written down somewhere because it will be nearly impossible to remember.
So what’s an admin to do? Well, there are some guidelines that we can give users to help them create strong passwords that are easy to remember.
As Mark Burnett pointed out several years ago in a Symantec blog post, a totally random password from a password generator is not necessarily the best password. In his words, “While they may in fact be strong passwords, they are usually difficult to remember, slow to type, and sometimes vulnerable to attacks against the password generating algorithm.” He suggests, as an example of a password that is just as strong but much easier to remember, the password “Makeit20@password.com”. It uses upper- and lower-case letters, two numbers, and two symbols, yet it is easy to remember and can be typed very quickly. And it’s 20 characters long.
Why is password length important? Ever hear of a rainbow table? It’s a table of precomputed hash values. These days, most directory systems do not store passwords in clear text. Instead, they store a hash of each password in the database. Rainbow tables, which are readily available on the Internet these days, can considerably shorten the time required to crack a password once an attacker has obtained its hash, compared to the time required for a brute-force attack or a dictionary attack. And here’s the thing: for backward-compatibility reasons, many Windows systems still retain the old-style LanManager (LM) hash values, which are relatively easy to crack. For passwords up to 14 characters in length, the LM hash is computed over two chunks of 7 characters each, so each half can be attacked independently. However, if the password is 15 characters or longer – and Windows now supports passwords up to 127 characters in length – Windows simply stores a constant value (which basically equates to a null password) as the LM hash regardless of what the password actually is, so any attempt to crack that hash will fail.
Note that there are other ways to prevent the storage of an LM hash value: It’s possible to disable it via Group Policy, and it’s possible to disable it by manually editing the Registry (which is not for the faint of heart). But simply using a password that is at least 15 characters long is the easiest way to do it.
And now that Windows supports passwords up to 127 characters in length, it is possible to use a passphrase rather than just a password. For example, “Muster the Rohirrim!” (one of my favorite phrases from Tolkien’s The Two Towers) is a 20-character passphrase that contains upper- and lower-case letters, two space characters, and an exclamation point. Substituting a zero for the letter “o” and a 1 for the first letter “i” (“Muster the R0h1rrim!”) would make it even stronger. And, if you’re a Tolkien fan, it would be quite easy to remember. Computer Weekly suggests other approaches, such as taking the first letter from each word of a memorable sentence or song lyric (replacing letters with numbers or symbols where possible), or combining two unrelated words.
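The following is an added example, not code from the original post: a small policy checker that applies the guidelines above to a candidate password. It reports whether Windows would keep a real LM hash (fewer than 15 characters), shows the two upper-cased, null-padded 7-character chunks that hash covers, checks the character-class mix, and applies the first-occurrence “o→0, i→1” substitution from the passphrase example. The chunking mirrors LM pre-processing only; the DES step is deliberately omitted.

```python
import string

LM_MAX_LEN = 14          # an LM hash only ever covers the first 14 characters
LM_NULL_THRESHOLD = 15   # 15+ characters: Windows stores the constant "null" LM hash instead

# First-occurrence substitutions taken from the passphrase example above (o -> 0, i -> 1).
SUBSTITUTIONS = {"o": "0", "i": "1"}


def lm_hash_stored(password: str) -> bool:
    """True if Windows would store a real (and therefore crackable) LM hash."""
    return len(password) < LM_NULL_THRESHOLD


def lm_chunks(password: str):
    """The two 7-character halves the LM hash is computed over (upper-cased and
    null-padded to 14), or None when the password is long enough that no LM hash is kept."""
    if not lm_hash_stored(password):
        return None
    padded = password.upper()[:LM_MAX_LEN].ljust(LM_MAX_LEN, "\0")
    return padded[:7], padded[7:]


def character_classes(password: str) -> dict:
    """Which of the four character classes the password draws from; spaces count as symbols."""
    return {
        "upper": any(c in string.ascii_uppercase for c in password),
        "lower": any(c in string.ascii_lowercase for c in password),
        "digit": any(c in string.digits for c in password),
        "symbol": any(c in string.punctuation or c == " " for c in password),
    }


def strengthen(phrase: str, substitutions: dict = SUBSTITUTIONS) -> str:
    """Replace the first occurrence of each mapped letter, as in 'Muster the R0h1rrim!'."""
    for old, new in substitutions.items():
        phrase = phrase.replace(old, new, 1)
    return phrase


def check_password(password: str) -> dict:
    """Summarise a candidate against the guidelines above: length, LM exposure, class mix."""
    classes = character_classes(password)
    return {
        "length": len(password),
        "lm_hash_stored": lm_hash_stored(password),
        "lm_chunks": lm_chunks(password),
        "classes": classes,
        "all_classes": all(classes.values()),
    }


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "Makeit20@password.com", strengthen("Muster the Rohirrim!")):
        print(repr(candidate), check_password(candidate))
```

Note how the second LM chunk of an 8-character password is almost entirely padding, which is why short passwords fall so quickly to LM-hash attacks and why the 15-character threshold matters.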
There are, however, situations where a password may not be enough. For example, a global admin account would be a good candidate for multi-factor authentication (“MFA”), and these days, there are a variety of MFA approaches to choose from:
- Hardware tokens, as typified by the pioneer in this space, RSA’s SecurID key fob tokens.
- Software tokens that run on a PC or mobile device, and must be unlocked by the user’s PIN before generating a one-time passcode.
- Text messages sent to a user’s mobile device. Be aware, though, that some mobile operating systems will briefly display the first line or two of an incoming text message even if the device is locked, so a stolen device could be a security risk even if the thief can’t unlock it. EDIT 8-6-2018: Here’s another Computer Weekly article about a recent Reddit security breach that involved SMS MFA.
- Biometric authentication. However, as the Computer Weekly article linked above points out, under the GDPR regulations, biometric data in itself is highly sensitive, personally identifiable information, so you have to be very careful how it is stored and secured.
- One of the most unique approaches I’ve seen is from a company called SwivelSecure. It does not require any kind of token, nor access to a mobile device. Instead, it presents the user with a randomized array of digits, and if the user’s PIN happens to be, e.g., “1938,” the user would key in (or click on) the first, ninth, third, and eighth digit in the array, in that order. This could be a good choice if you don’t want your users to be dependent on a separate physical authentication device, or they need to authenticate from locations where there may be poor cell phone reception.
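The positional-PIN scheme described in the last bullet, as an added example (this is my own simplified model, not SwivelSecure’s code or protocol): the server issues a random 10-digit array, the user mentally picks the digits at the positions named by their PIN, and the server checks the response against the same derivation. Assumptions: PIN digits 1 to 9 select the 1st to 9th position and 0 selects the 10th, and each array is single-use.

```python
import hmac
import secrets

DIGITS = "0123456789"


def position_of(pin_digit: str) -> int:
    """Map a PIN digit to a 0-based index into the 10-digit security string.
    Assumption: 1..9 select the 1st..9th digit and 0 selects the 10th."""
    return 9 if pin_digit == "0" else int(pin_digit) - 1


def derive_one_time_code(pin: str, security_string: str) -> str:
    """What the user does in their head: read the array digit at each position the PIN names."""
    return "".join(security_string[position_of(d)] for d in pin)


class PinArrayAuthenticator:
    """Server side of the positional-PIN scheme (simplified, assumed design)."""

    def __init__(self) -> None:
        self._pins = {}      # username -> PIN; a real deployment keeps this in protected storage
        self._pending = {}   # username -> security string issued for the current attempt

    def enroll(self, username: str, pin: str) -> None:
        if not (pin.isdigit() and 4 <= len(pin) <= 10):
            raise ValueError("PIN must be 4 to 10 digits")
        self._pins[username] = pin

    def challenge(self, username: str) -> str:
        """Issue a fresh random 10-digit array; only one is valid per user at a time."""
        if username not in self._pins:
            raise KeyError(username)
        self._pending[username] = "".join(secrets.choice(DIGITS) for _ in range(10))
        return self._pending[username]

    def verify(self, username: str, response: str) -> bool:
        """Consume the pending array so a captured response cannot be replayed."""
        security_string = self._pending.pop(username, None)
        if security_string is None:
            return False
        expected = derive_one_time_code(self._pins[username], security_string)
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    auth = PinArrayAuthenticator()
    auth.enroll("alice", "1938")
    array = auth.challenge("alice")
    print("array:", array, "one-time code:", derive_one_time_code("1938", array))
    print("accepted:", auth.verify("alice", derive_one_time_code("1938", array)))
```

Because the array changes on every attempt, the four digits the user types are worthless to anyone who captures them, which is what makes the scheme a second factor without any token or phone.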
Some security vendors today even support context-sensitive authentication, such that attempts to access more sensitive information, or attempts to log on from an unusual location or at an unusual time, will require stronger authentication. For example, if you normally access your company’s Citrix infrastructure from your home office during the hours of 8 am – 5 pm Monday through Friday, and there is an attempt to authenticate with your credentials from an Internet café in Hong Kong at 2 am on a Saturday morning, a stronger level of authentication might be required (or the connection might simply be denied).
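An added example of the context-sensitive decision just described, written for this page rather than taken from any vendor: each login attempt is scored against a constructed baseline (usual country, 8 am – 5 pm, Monday to Friday) and mapped to allow, step-up (demand stronger authentication) or deny. The weights and thresholds are illustrative assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class Baseline:
    """Where and when an account normally authenticates (a constructed profile)."""
    usual_countries: set = field(default_factory=set)
    work_start: int = 8                                               # 8 am, inclusive
    work_end: int = 17                                                # 5 pm, exclusive
    work_days: set = field(default_factory=lambda: {0, 1, 2, 3, 4})  # Monday..Friday


# Risk weights and thresholds are illustrative assumptions, not any vendor's policy.
WEIGHT_NEW_COUNTRY, WEIGHT_OFF_HOURS, WEIGHT_OFF_DAY, WEIGHT_SENSITIVE = 2, 1, 1, 1
STEP_UP_AT, DENY_AT = 1, 3

HOME_OFFICE = Baseline(usual_countries={"US"})


def assess_login(country: str, when_iso: str, sensitive: bool = False,
                 baseline: Baseline = HOME_OFFICE):
    """Score one attempt against the baseline and return (decision, reasons), where the
    decision is 'allow', 'step_up' (require stronger authentication) or 'deny'."""
    when = datetime.fromisoformat(when_iso)  # local time of the attempt
    score, reasons = 0, []
    if country not in baseline.usual_countries:
        score += WEIGHT_NEW_COUNTRY
        reasons.append(f"unusual location: {country}")
    if not baseline.work_start <= when.hour < baseline.work_end:
        score += WEIGHT_OFF_HOURS
        reasons.append(f"outside working hours: {when:%H:%M}")
    if when.weekday() not in baseline.work_days:
        score += WEIGHT_OFF_DAY
        reasons.append(f"outside working days: {when:%A}")
    if sensitive:
        score += WEIGHT_SENSITIVE
        reasons.append("sensitive resource requested")
    if score >= DENY_AT:
        return "deny", reasons
    if score >= STEP_UP_AT:
        return "step_up", reasons
    return "allow", reasons


if __name__ == "__main__":
    print(assess_login("US", "2018-08-07T10:00"))   # a normal Tuesday morning from home
    print(assess_login("HK", "2018-08-04T02:00"))   # 2 am on a Saturday from abroad
```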
Love them or hate them, passwords aren’t going away any time soon. But there are ways to protect your organization against the risk of users with weak passwords. Hopefully, this article has given you some ideas. We’d love to continue the conversation if you’d like to give us a call.