The authentication dilemma

I’ve worked with a lot of organisations over the years and seen lots of ways of doing certain things. Policy implementation is one of those! I’m in a fortunate position where I get to see different people’s policy documents, their systemic implementations and even interview staff to see how these work on the ground. So, I thought I’d write about password policies!

Humans like to be efficient and people also struggle to deal with the huge volume of identify management and authentication solutions they are presented with. Just think, how many passwords are required in everyday life?

Multiple 4-digit PIN codes for debit and credit cards etc.
Online banking sign in credentials (more PINS)
Gym padlock PIN combo (usually 4 characters)
Passwords for home computer
PIN code or password for mobile phone access
Passwords of phrases for telephone services e.g. to access your mobile phone account services
Social media credentials

The list goes on and on! Then let’s add in corporate IT services….

Anyone who’s worked in an office will have seen familiar sites of the following:

Password on post it notes
Password shared with colleagues
Password sellotaped to keyboard (either on top or underneath)
Passwords shouted across the office
Passwords written down on white boards

If you’ve ever worked in an IT role you will have also most likely have encountered the strength of passwords people use, or perhaps a request to reset a password to a specific easily guessable word! Now we should really ponder why at this point… but we’ll save that for later!

For now, let’s throw in the fact that data breaches are becoming more and more common (almost daily!) and a lot of these leverage common attack vectors such as:

Phishing
Brute force attacks
Unauthorised access by credential guessing

To combat the human efficiency condition and the emerging cyber threat landscape, some bright sparks decided to come up with a policy-based solution to this human efficiency trait…. I know let’s mandate that passwords should be strong. And by strong, we mean, not be easily guessable or easy to brute force!

(This began by people mandating minimum password length e.g no shorter than 8 characters , which might be something like “password”)

So back in the noughties the security world sang a tune about passwords needing to be complex and password policy statements were made which started to make passwords strong! (they weren’t). This coupled with the ever-increasing computing capabilities of technology meant password cracking was getting really really fast!

(so we upgraded from “password” to “Pa55w0rd1!”)

My Bad Password Policy

So, the world’s leading minds went off to engineer a scientific solution which ensured that passwords would be even stronger! To enforce this new solution, organisations created complex rules to add to their password policy documents!

We set out on our ‘bad-password-policy-creation-journey’ to solve the problem:

The Problem

Organisations are being breached by poor password hygiene practises by humans who have already been given a set of rules to follow

The proposed solution:

The (bad) Solution

Expand upon current policy statements but increasing password strength by increasing the number of rules a user must adhere to!

So, if you want to write a bad password policy let’s think of all the things you will want to do!

Copy this (please don’t copy this)

So, in your super bad IT/Security policy add something like this below (honestly you won’t make everyone hate you and everything will be super secure*)

*I’m lying!

Thou shall:

Ensure passwords are greater than 8 characters (or more)
Ensure that a password has at least 1 special character (e.g. *&^%$£!#@¬)
Ensure passwords use a combination of upper and lowercase often enforced by the presence of a single upper and single lower-case character required in the password string
Change your password every 30 days
Make the password easy to remember
Make the password long

Thou Shall Not:

Write your password down
Make it easy for someone to shoulder surf whilst typing the password
Use any part of your username
Use any personal information e.g. date of birth or phone number
Use a word or phrase linked to known associates or family members
Use a word or phrase linked to hobbies or interests (e.g. football teams)
Use a commonly known word or phrase
Use repeating sequences of numbers
Use repeating sequences of characters (e.g. two repeating characters)
Disclose your password to a third party
Re-use a password
Use a password which is known to be breached
Make a password too long

I could probably go on, but even writing this I’m starting to forget what I’ve said people can and can’t do… let alone be able to follow confusing and potentially conflicting statements. With a rule set like this, if enforced through technical controls your highly likely going to force people into positions of using passwords that are written down and simple to attack.

Herein lies the major problem, security controls needs simple solutions in order to help organisations remain productive and improve overall cyber security. On top of that the bad guys have access to crazy dictionaries and GPU rigs which can mangle wordlists and crack complex passwords even with the above madness policies!

Actually Improving Password Security

If you want to increase your authentication security posture perhaps consider the following:

Policy statements need to be clear, consumable, understandable and enforceable.
Policies should improve the position
Policies should work with people, process and technologies not against them
You need to introduce sufficient monitoring and audit tools to make sure that the password rules are being followed correctly.

So, with regards to improving password security, perhaps try the following:

Provide clear guidance to people as to how to create strong passwords or passphrases
Encourage the use of random phrases made up from random words such as (correct horse battery staple… but don’t use this one as it’s in all the password lists!)
Encourage the use of spaces in passwords!
Arm your help desk with this when creating or resetting system passwords: http://correcthorsebatterystaple.net/
Remember the phrase “Long is strong”, short and complex is weak!
Encourage the use of password managers
Implement account lockout thresholds to limit brute force
Implement two factor or multi-factor authentication
Implement authentication monitoring and alert on brute force attacks (and look for low and slow attacks)
Conduct password audits and reset passwords that can be guessed or easily cracked
Consider using breach notification services such as haveibeenpwned
Encourage and communicate with your user base, they are your ally and one of the first line of defence against cyber threats
Combine good password pratises with other defensive technologies such as Microsoft LAPS
Change system default passwords
Spread security cheer not fear!

Don’t just take my word for it, research has proven this is the case and these recommendations are in alignment with NCSC and NIST guidance:

https://www.ncsc.gov.uk/guidance/password-guidance-simplifying-your-approach

https://www.nist.gov/blogs/taking-measure/easy-ways-build-better-p5w0rd

You can also see that guidance for security standards in cyber essentials has been updated to reflect modern approaches for secure authentication:

https://www.cyberessentials.ncsc.gov.uk/requirements-for-it-infrastructure.html

So, if you are still living in the past expecting humans to follow crazy rules for passwords, wake up! Get with the times, implement modern authentication solutions and get on board the security enables the business train leaving the 90’s security no world where it belongs, firmly in the past!

If your on your journey to improving your security posture or need help getting certified for cyber essentials or other security accreditations, feel free to get in touch and PSTG & Xservus will be more than happy to help!

Threat Week 04-08-2018

My OSCP Diary – Week 1