Today I would like to discuss one of the most commonly misunderstood issues in security awareness and education: passwords. I believe that protecting your passwords is important, especially now as we move to cloud computing and just about everything you do online requires a password. However, what we are teaching people about passwords is outdated. How people use passwords, and how threats attack them, have radically changed in the past ten years. Unfortunately, what we are teaching people has not kept up, and I'm hoping we can start changing that. In addition, this post is in part motivated by the excellent paper The Rational Rejection of Security Advice by Users by Cormac Herley, which I will be referencing. Before we begin, two key points.
- Unlike Cormac's paper, I am not focusing on the home user. Instead, I'm focusing on password awareness for organizations. Organizations have FAR MORE to lose if/when a password is compromised. Unlike individuals, organizations have to cover the costs if their bank account is compromised. Unlike individuals, organizations can be fined if they are not compliant. Finally, passwords are the keys to organizations' intellectual property, which in many cases can make or break an organization.
- When discussing threats, I categorize them into two general categories: threats that randomly target everyone (the typical cyber criminal) and threats that focus on a specific target (such as APT). This distinction becomes very important when discussing passwords.
In Cormac's paper he raises seven common issues in the education of password use. I'm not going to review what Cormac discusses, as you can read his paper. Instead, I'll share my thoughts on the seven points.
- Password Length.
- Password composition (digits, special characters, etc)
- Don't write it down.
- Don't share it with anyone.
- Change it often.
- Don't re-use passwords across sites.
Points 1-3: These points are old school; they date from the days when threats would brute force websites or attempt to crack stolen password hashes. Ten years ago password complexity was important, nowadays not so much. Think about it. For threats randomly targeting anyone, how do they get passwords? As always, threats go for the path of least resistance, which nowadays means malware. Millions of computers are infected with viruses such as Zeus which capture keystrokes and log passwords. As a result, making sure your computer does not get infected is how you protect your passwords, not complexity. If you are dealing with advanced threats, such as recently happened with Apache, once again password complexity is not going to help you. If the threat is motivated enough to target you, and has the skills and knowledge to steal your password hashes, then complexity is not going to buy you much. Five years ago it would have taken a long time to crack your passwords. Nowadays, with rainbow tables, advanced processing power, and distributed computing (i.e. botnets), your password is not going to last. Yes, if you have fifteen plus random characters in your password you may delay the inevitable, but come on, if what you are protecting is that valuable then you need to rethink your authentication mechanism (such as two factor). So how long or how complex should your or your organization's passwords be? I leave that up to you; that is a risk decision only you can make. There are still some simple brute force attacks happening (SSH, Conficker attacks over network file shares, etc.) so some complexity is required. However, my suggestion is don't make a huge deal out of it; the threats have changed and you can get far greater Return On Investment (ROI) focusing on other areas.
Point 4: Do not write your passwords down. WTF? I just counted my passwords (which I have written down, by the way): I have 80+ accounts with passwords. How can I possibly remember them all? I can't; I check my password list at least several times a week. Do I stick them on my monitor? No. I have them locked up in a secure cabinet. Don't like writing your passwords down on paper? Then use encryption programs designed for securely storing passwords (the iPhone has lots of options).
Point 5: Don't share your passwords. Okay, for individual home users this may not be such a big issue (as Cormac points out in his paper). For organizations, password sharing is a BIG deal. Passwords control who has access to what. When your organization has different types of confidential information, by sharing passwords employees could accidentally (or purposely) bypass data control measures. In addition, passwords are how organizations track who did what. Everyone must have a unique identity. If employees are sharing passwords, you just lost your ability to track what is happening in your organization.
Point 6: Change your passwords often. Once again, I'm not a big fan of this. Think about the threat models again. If your computer is infected, your compromised password will be leveraged within hours, in some cases even in real time. If you are dealing with advanced threats, your passwords will most likely be cracked before the time limit. As a result, nowadays changing passwords every ninety days mitigates little risk and yet has a high cost to your users.
Point 7: Don't reuse passwords across sites. This one I do agree with. I don't use a different password for every single account. Instead, I make sure my 'low valued accounts' don't have the same passwords as my highly private accounts. In other words, I don't use the same password for Twitter or Flickr as I do for my online banking or confidential work activities.
In addition, I would like to add two additional rules organizations should include with password awareness. Five years ago these issues were not a common problem; nowadays they are. Once again, we have to adapt and change as our environments do.
Public Computers: Don't use public computers to log into work or confidential accounts. In other words, don't log in from a cyber cafe or a hotel lobby computer to do your online banking. Remember malware such as Zeus? Odds are one of those public computers may be infected, and your passwords are now owned.
Private Questions: I HATE this. Many online services don't like paying for a help desk that resets people's passwords. So many online services (i.e. cloud computing) have people answer personal questions. If you forget your password, the idea is you do not call the help desk, you just answer your personal questions. In reality, what has now happened is people have twice as many passwords to remember. In addition, users often don't realize this and put these very answers (their personal information) online, so they can be found on Google, Facebook, etc. (can you say Sarah Palin?). We need to teach people to be careful when they answer these questions; these are nothing more than another layer of passwords.
Long story short, protecting your passwords is important, especially for organizations. However, what we are teaching people is outdated. Threats that randomly target people seldom crack passwords; instead they infect your computer and log your keystrokes. Threats that target specific organizations (such as Apache) have advanced capabilities that can crack complex passwords. Some complexity is important to protect against the more basic attacks (SSH brute force, Conficker file shares, etc.) but more important now is how passwords are used. Finally, while passwords are important, I strongly feel other topics can give you even more ROI, such as the basics of securing your system and an understanding of common social engineering attacks.