Why couldn’t they have left passwords in peace? Before the Internet turned up to spoil things, passwords and user names were familiar only to IT staff and the few workers who used computer systems built around LANs and early client-server systems. Passwords were tedious but everyone was happy. Nobody cared whether a password was ‘123456’ because it was inside the head of a technical person who used it to access often quite isolated systems.

Post Internet, passwords had a big advantage – they were cheap. They stuck around. We’d like to write that the ‘rest is history’ but the crisis of passwords is still with us today so much so that Britain’s GCHQ and the CPNI recently published new guidance for businesses and consumers alike that offered some surprisingly unorthodox advice on how to use them.


It’s a thoughtful and well-written document that challenges some of the assumptions that still get made about password security, its benefits and disadvantages. But while some remain sceptical that an organisation that devotes its time to breaking passwords systems should be trusted, we'd suggest that the bigger issue is simply that it omits important advice.

The tone is set by the introduction written by GCHQ’s head Ciaran Martin:

“Complex passwords do not usually frustrate attackers, yet they make daily life much harder for users,” he writes. “They create cost, cause delays, and may force users to adopt workarounds or non-secure alternatives that increase risk.”

GCHQ password advice – what’s the password ‘problem’?

People re-use the same ones over and over, hackers trawl networks for important ones, simpler ones can be broken by brute force, they can be keylogged or shoulder-surfed, people can be socially engineered into handing them over, and the databases storing them can be insecure – even encrypted ones.

How many do people use?

More than 22 each, GCHQ believes, although many users probably have two or three times that number, and rising. The problem is that passwords are forever. Leaving passwords to ‘rot’ on e-commerce systems

Uncontentious advice

  1. Reset default passwords. You’d assume this was obvious by now and, indeed, consumer products such as broadband routers now force a password to be set from scratch. Progress.
  2. Be incredibly careful with admin accounts. Limit and control them to the nth degree. Again, this is obvious and a growing number of firms are rationing and managing them using privilege management and other technologies.
  3. Use multi-factor authentication for all important and admin accounts.
  4. Implement account lockout mechanisms to defend against brute force attacks.
  5. Hash passwords in databases to SHA256 or equivalent.
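Items 4 and 5 together, as an added example that is not code from the GCHQ guidance or from this article: a small in-memory account store that keeps passwords as salted, iterated SHA-256 (PBKDF2-HMAC-SHA256, an "equivalent" in the guidance's sense rather than a bare hash) and locks an account after a fixed number of failed attempts. The iteration count, lockout threshold and lockout duration are constructed values for illustration, not figures the guidance gives.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed parameters for this example, not values from the GCHQ guidance.
PBKDF2_ITERATIONS = 200_000
MAX_FAILED_ATTEMPTS = 5        # lockout threshold (advice item 4)
LOCKOUT_SECONDS = 15 * 60      # how long an account stays locked

def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted, iterated SHA-256 (PBKDF2-HMAC-SHA256) instead of a bare SHA-256 (item 5)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest

class AccountStore:
    """In-memory user store: per-user salt and digest plus failed-attempt tracking."""

    def __init__(self):
        self._users = {}   # username -> {salt, digest, failures, locked_until}

    def register(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self._users[username] = {"salt": salt, "digest": digest,
                                 "failures": 0, "locked_until": 0.0}

    def login(self, username: str, password: str, now: Optional[float] = None) -> str:
        """Return 'ok', 'locked' or 'denied'; `now` is injectable so lockout expiry can be tested."""
        now = time.time() if now is None else now
        rec = self._users.get(username)
        if rec is None:
            hash_password(password, b"\x00" * 16)   # same cost as a real check, so timing does not reveal valid usernames
            return "denied"
        if now < rec["locked_until"]:
            return "locked"                        # locked accounts are refused even with the right password
        _, candidate = hash_password(password, rec["salt"])
        if hmac.compare_digest(candidate, rec["digest"]):   # constant-time comparison
            rec["failures"] = 0
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILED_ATTEMPTS:
            rec["failures"] = 0
            rec["locked_until"] = now + LOCKOUT_SECONDS
        return "denied"
```

The lockout here is a simple fixed window; a production system would also log the lockout event so that a burst of failures against one account is visible to the defenders.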

More contentious

  1. Regular password changes can harm security – users should only change passwords when a compromise is indicated. This flies in the face of a lot of advice that passwords should be changed on a timed basis. “This imposes burdens on the user (who is likely to choose new passwords that are only minor variations of the old) and carries no real benefits as stolen passwords are generally exploited immediately.”
  2. Password strength meters have limitations when it comes to checking self-generated passwords. This caused some fuss, but in truth password meters are pretty old-fashioned these days. Machine generation is a more standard approach, as long as the passwords aren’t too complex for people to remember.

“GCHQ advocating a ban on strength meters may surprise some, but also seems smart. We analysed 12,000 cloud services and found that a whopping 80 percent would allow ‘weak’ passwords according to the traditional strength meter, but the meter may be measuring the wrong thing and leading us to choose passwords that are difficult for humans to remember, but easy for computers to guess,” commented Nigel Hawthorn of Skyhigh Networks.

GCHQ’s password advice – omissions?

Two words: data breaches. No matter how good a password is, if attackers bypass it by stealing personal data from poorly protected databases, the technology becomes powerless. It is ridiculous that passwords and credit card numbers are encrypted but people’s personal data usually isn’t. Passwords are only one part of the issue.

The experience of data breaches, where credentials are often abused for long periods, does seem to contradict the guidance that changing them can end up being less secure. Software such as password managers can automate the process so that strong ones are always chosen, negating some of GCHQ’s concerns.

Surprisingly, not that much is made of multi-factor authentication, whose use is suggested only for remote accounts. But many accounts are remote these days as workers become mobile and the cloud rises in importance. The old notions of internal and remote seem a bit out of date.