Twice a year the SANS Securing The Human team and our Board of Advisors do a complete review of every module in our security awareness training.  One topic that proves to be a challenge every time is what do we teach people about passwords?  This is a very hot and every changing topic, and to be honest some people seem to have an almost religious approach with passwords.  The challenge is passwords are very important, but at the same time very confusing.  Researchers are constantly publishing papers with the latest advances in cracking passwords, while at the same time websites are still limiting the number of characters in passwords or the type of characters that can be used such as spaces.  In addition, most people focus just on password complexity, with little emphasis on how to safely use the passwords.   Ultimately, we have to remember we are trying to change human behavior, we have to be careful with not overwhelming people, we have to focus on the fewest learning objectives that will have the greatest benefit. With our new 2013.1 update this is what we are looking to focus on for passwords.

  • First, length is the most important element of a strong password.  As such you want to move to a passphrase, the idea of multiple words.   Theoretically you would not need to worry about the use of symbols or numbers if your password is long enough.  Unfortunately we have to deal with reality.  Many applications limit the number of characters in a password or require symbols/numbers, as such you need to teach people how to easily integrate them.
  • One of the key risks we are seeing organizations reporting is not just complexity, but password reuse.  Once a password is cracked cyber attackers can quickly gain free reign into other accounts.  As such we are putting more focus there.
  • You would be surprised how many organizations we work with report that password sharing is a problem, including supervisors requesting an employee's password.  As such we emphasize the need for never sharing passwords.  In addition, if people "accidentally" share their password with someone, or they believe it has been compromised, we teach people to change the password immediately.
  • You know what the most common way a password is compromised?  Its not password cracking, its keystroke logging (Zeus anyone?)!  It does not matter if you have the most complex password in the world, if the bad guys can record your keystrokes game over.  So, one of the most important things to protecting your password is using a secure computer and never login to a site on a public computer such as those you find in a hotel lobby.
  • I'm personally a big fan of password storage solutions, unfortunately that is often not an option in organizations.

There are several other points we cover but these are the big ones.  To be honest, I hate passwords, they simply do not scale.  I'm a big fan of two-factor authentication (Google has done an AWESOME job leading this) but until organizations / sites adopt better solutions, we have to work in the reality of the world we live in.