Guest Post - Limits of Password Security Awareness

[Editor's Note: This blog is from Geordie Stewart and is part of a new series where we get insight from other security awareness professionals.  Every organization and their security awareness program is different.  As such, every organization has a different story to tell and different lessons learned to share.  This is one of those stories.] Security Awareness is a valuable tool in the security toolbox which helps protect information systems through defence in depth. However, like any tool, Security Awareness has its strengths and weaknesses. Our job as security professionals is to understand those strengths and weaknesses so we can advise management on the best way to employ the tools at their disposal. Sometimes, tools can be effective but still not be efficient for the context in which they are being employed. Sure, you could cut down a tree with a chisel but even if you were successful people would still think you were the village idiot because it would have been better to use an axe. There’ve been a large number of password database disclosures this year including LinkedIn, Yahoo and Gamigo which have made for interesting analysis. Crazy passwords are still in common use. “Password”, “1234” and “QWERTY” are all routine combinations. It’s great to have some data to analyse, but what conclusion should we draw? Sure, on one hand, there are some depressingly naive users out there. But what’s the answer? Is this just a security awareness problem? Let’s pause for thought before we jump to the conclusion that more training is needed. Surely a bigger question is why on earth are LinkedIn and Yahoo allowing users to have passwords like “1234”? As a general rule, users will use the simplest password they can which meets the rules of the system. Ergo, the system’s simplest password needs to provide an adequate level of protection from guessing attempts. Therefore, from an engineering perspective these systems were wrongly designed. For years we’ve been focused on complexity and as a result users come up with combinations like “Password1” which meet our complexity rules but don’t effectively mitigate our risks. We need to change. We need to stop talking about password complexity and start talking about password commonality. Its password commonality which causes the biggest vulnerability to brute forcing and guessing attempts, not a lack of complexity. Complexity no longer has relevance that it used to since the widespread introduction of controls on password attempts. Consider that a system which limits attempts to 5 per 30 minutes will “only” allow 240 attempts per day. To try all combinations of just a three character alphanumeric password on such a system would take nearly 3 years. Trying all combinations of an alphanumeric four character password would take more than 27,000 years. Authentication mechanisms are much more likely to be compromised by password database disclosures, password re-use and key-loggers. Potentially, we’re doing more harm than good by occupying valuable (and limited) audience attention spans discussing complexity for a marginal return. Its common on airplanes to have limiters installed which restrict the degree of banking turns that an aircraft can make. Sure, the pilots are fantastically well trained and very risk aware. But the systems they use are still designed to prevent dangerous actions. We should be applying the same principle here. It seems the blindingly obvious, but why isn’t password blacklisting in widespread use? Its not enough to just have complexity rules, we need ways of banning specific common passwords. “YourOrganisationName123” is another common password that should be routinely banned. The big vendors such as Microsoft and Oracle make it very difficult to ban passwords without buying 3rd party products. This needs to change. We need password blacklisting as standard on authentication systems. A good start would be to ban all the known problem combinations from our systems. Part of knowing and playing to your strengths is acknowledging your weaknesses. As an industry we need to acknowledge that while we can help optimise password security through our communications, we’re not always the primary fix. Sometimes it’s an engineering problem. Distributing more facts to users isn’t always the best ways to fix our security problems. We also need to be ergonomics champions on behalf of our users and push back against shoddy engineering designs. There’s no point transferring risks to users if it’s then going to cost considerably more to manage. I guess to use my earlier metaphor, user training in this instance to solve the password complexity issue would be the chisel approach – why chip away when you could use an axe on the root of the problem by designing systems to avoid known problem passwords? While password complexity is a traditional topic, it’s no longer of much use to our users and it’s time for us to move on. Our communications need to be concentrating on other higher return topics such as phishing and password reuse. BIO:  Geordie Stewart, MSc, CISSP, is the Principle Security Consultant at Risk Intelligence and is a regular speaker and writer on the topic of security awareness. His blog on information security risk communication is available  at  http://www.risk-intelligence.co.uk/blog. His particular interests are how marketing and safety risk communication can be used to promote more  effective  approaches to security awareness.