Each year, Verizon and other organizations release reports on the prior year’s data breach findings. A common theme each year is that majority of the breaches involved compromised credentials which still are a weak control area that attackers continue to use to gain access, move laterally, and to exfiltrate data from organizations.
End user security awareness training is a great method for helping reduce the risk of credential compromise. However there are other compensating and complementary controls, technologies and resources for users to protect their passwords.
First, organizations and end users need to be educated about proper password creation. For many years we in the information security community have touted creating complex passwords as a safeguard to increase entropy and have stressed frequent rotation of passwords. All this has done is made people bad at remembering passwords, forcing them to create and/or store passwords in vulnerable manners which hackers can either find, crack or recover. This has been wonderfully demonstrated in the xkcd web comic “Password Strength”:
Furthermore, the National Institute of Standards and Technology (NIST) in its recent draft Special Publication 800-83-3 has changed their recommendations to meet length, not complexity, as well as other password hygiene approaches such as less frequent rotation and black listed passwords.
To meet these requirements, we train our clients to use language such as passphrase instead of password, and to use random nonconnected words (just don’t use “correcthorsebatterystaple”!) to achieve desired password strength. Note, I do want to point out that with some of our password cracking tools, we can use multiple dictionary and word lists to attack random word passphrases. Therefore, I still encourage you to add complexity by character substitution and special characters in passphrases.
Check If Your Password Compromised
A great resource to check if a password has been “dumped” on the open Internet or dark web, is to see if passwords you want to create or regularly utilize have already been compromised in a breach. Security researcher Troy Hunt put together a terrific resource, have i been pwned? (https://haveibeenpwned.com/). This free service allows you to see if your email or user name, domain, or password have been compromised as part of a data breach where the credentials were publicly leaked.
In security, not only do we recommend that end users meet the password requirements outlined above, but for users to create different passwords for each login (work, Facebook, Gmail, LinkedIn, etc.). This way when an account is compromised on one system, the credentials cannot be used on other platforms. Thus, everyone who manages anywhere from 25-50 different credentialed accounts, has only six or so passwords they use. Unless users are enabled, they will not accept this challenge. This is where password managers come in.
A password manager assists in generating and retrieving complex passwords. The password can be stored in an encrypted database or calculated on demand. The beauty is through a browser plugin, these managers will generate, store and manage passwords for you. All you need to do is set-up a single master password for your vault.
This of course begs the question, “What if the password managers get compromised?” While a risk, it is very low. This is their business and they use multiple layers of encryption. Also, for added security, I enable two-factor authentication (discussed below) on my password manager. This was if my very long LastPass master password gets “pwned”, it still requires a second factor, or two-factor, authentication for protection (that also has to go through a finger print authentication).
The following are some of the more popular password managers. They come with different features, all support mobile apps, and have free editions. I personally use LastPass and have been very happy with it.
Two-factor authentication (“2FA”) offers a great solution to protecting accounts that are secured by only a single combination of a username and password. Additionally, 2FA is a great compensating control and can serve as a safety net for bad passwords if you are having difficulty adopting better policies in your organization.
2FA requires that after the initial user name and password is used for authentication, an additional biometric identifier (something you are), or a pin or token (something you have) is used to further verify the login session.
In the past, 2FA solutions were costly and cumbersome to implement. Now with cloud and mobile platforms there are several solutions for 2FA in the enterprise and for personal use. The following are some solutions, but not all that are available. Do research to find what will work technically and culturally within your organization. You may also find the need to use multiple 2FA solutions.
I personally use Duo more than the other platforms. It can be used simultaneously for personal and enterprise accounts (e.g. a single app for your personal use and work accounts). Duo does have some free solutions, and their paid versions are very reasonable for enterprises at only $3 per user per month. Additionally, they have started to add more mobile device management capabilities for a few more dollars per month.
Duo supports push to device app, text message, phone calls, and soft token for second form of authentication. You can also add multiple devices. This way in case your phone dies, you can push to an iPad or secondary phone number if needed.
Google has a free authenticator app that supports their products (Gmail, etc.). With 2-Step Verification enabled, you enter your password then the soft token code the application generates. It is worth looking at for your Google personal and G Suite business accounts.
One challenge I have had is with third-party applications (Google refers to them as “less secure” applications) such as Outlook with Google Authenticator. For these applications, you will need to generate App Passwords and if you are prompted by an application for a new password after turning on 2-Step Verification, you must sign in using an App Password. This adds to the administration overhead to allow users to use app passwords as well as increase some of the time for user education.
Microsoft has added free 2FA authentication in their product stack particularly around Azure and Office 365. With these accounts, you have the option to enable Microsoft Authenticator.
Microsoft Authenticator supports push notifications to devices, soft tokens, and SMS/phone calls. For any of my Azure domains and Office 365 (‘O365”) accounts, I have it set-up for Outlook Web Access (“OWA”), OneDrive, and Admin account logins. However, with certain Microsoft Authenticator integrations that won’t natively support 2FA authentication, you will need to set-up application passwords. (https://www.windowscentral.com/how-generate-app-passwords-your-microsoft-account).
While free and rather feature rich if you are on the MSFT cloud stack, I personally found it the hardest to administer. Their documentation can be a bit difficult to find and some of the options are buried in areas of the admin panel that are not very intuitive. However, with so many people moving to O365, it’s a no brainer for end user OWA access on a budget and if you don’t need all the other integrations that something such as Duo supports.
Passwords are still a necessity in modern computing environments. While there is a lot being done from the Operating System to applications to change the way users authenticate, we will still be using the username and password authentication method for some time. If you can enable users in the areas described above, you can reduce the risk from compromised credentials becoming the weakest part of your organizational security program. If nothing else, these resources create an information security mindset and culture that can assist with a program’s overall success!