The Problem with P4$$WORDS!
Author: Michael Wonham, Cybersecurity Chief Technology Officer for Europe, CSC
Passwords are almost universally used as the primary means of authenticating the identity of a person for computer systems or applications. They may come in different forms — such as alphanumeric text, PIN digits, passphrases or “select A from B” systems — but they all share the same characteristics.
This paper, The Trouble with P4$$WORDS!, explores how passwords provide a sense of security that can be highly misleading. Security professionals agree that although authentication by password alone is used the vast majority of the time across the Internet and in enterprises, more robust authentication systems provide better protection.
Authentication systems can have a significant impact on an organisation’s operations. In a world where outsourcing is increasingly the norm, and where Software as a Service (SaaS) solutions, single sign-on and federated identities have become common, the service management issues of identity and authentication take on a more visible and critical significance. They also become external costs and therefore visible to the organisation.
As a global IT services provider, CSC has found that up to one-third of all service desk requests at peak periods may be the result of password-related issues. Over an 18-month period, 15% of service tickets are password related. There is no obvious correlation between the requests and the type of system being used, although having multiple systems can have an effect. In one extreme case, 60% of all service desk tickets arose from password resets, which could have been due to the combination of a 60-day password change policy and the existence of multiple authentication systems.
CSC has also found that technology solutions can cause unintended problems. Without careful planning and architecture for authentication systems, issues with synchronisation become visible and can cause account lockout. Automated password reset systems address the symptom rather than the problem. Whilst automation reduces the number of service tickets (and the visible cost associated with them), users need to know what they are doing. Automated systems may not improve the speed of resolution, which can maintain, or perhaps worsen, the invisible cost impact.
The Company's View
Companies will want to address both the security of their environment and the cost to maintain that security. As with all things, this becomes a balance of cost versus risk. Three factors affect this balance:
- Password policy: complexity and frequency of change
- Multiple systems: number of passwords to remember
- Recovery process: accessibility and response time
An organisation must balance these factors to achieve an acceptable level of risk versus the cost of maintaining the security level. Each organisation will need to determine that balance point based on its own understanding of the risks and threats. CSC usually suggests that some strategic investment can provide a long-term improvement in risk, whilst simplifying the user experience and reducing the visible and invisible impact of password failure. When weighing these factors, bear in mind:
- Increased password complexity allows reduced change frequency.
- Multi-factor authentication reduces change frequency AND increases security.
- Single sign-on reduces complexity and password failure.
- Passwords on their own do not constitute sufficient security for many activities.
- Password recovery must be as secure as the asset the password is protecting.
The Attacker's View
Hackers are in a race to find vulnerabilities before defences can respond. Zero-day vulnerabilities that result in information breaches cost money to find, develop and exploit in practice. In a remote attack, there are many layers of defence between hackers and their targets. But if the attacker has access to passwords, those defences crumble very quickly — and, worse, the activity looks legitimate.
Systems can be further compromised to facilitate future use. As a result, much of attackers’ energy goes towards attempting to recover passwords. There are many ways they can do this, but the approaches fall into a small number of categories and attack vectors, each of which has a corresponding set of standard defences. The following table shows that password policies can be of limited use.
What’s notable is that password complexity and expiry controls do not have a significant impact against the attacker when one considers the number of attack routes that can be exploited. What is needed to properly defend against attacks on authentication is a variety of controls, including:
- Password controls
- Multi-factor authentication
- Anti-malware controls
- Privileged access controls
- User education
- Activity monitoring
- Effective monitoring of the environment
Effective use of these controls can reduce the importance of the classic password. This does not mean that password controls should not be used; but as passwords become less important, the risk is reduced, the user experience is improved and the cost of security to the business — in time lost and in IT requests — is also reduced.
Faced with a well-managed combination of the controls above, attackers have a much more difficult time exploiting a system. They must exploit vulnerabilities in the software rather than the people, which is more expensive and time-consuming, and results in a reduced chance of a successful outcome.
Learn About the Mathematics of Passwords and Get Security Tips
Download the full paper and learn more about what companies can do to strengthen passwords and how combinations of other authentication methods can greatly enhance security and user acceptance. Contact us to learn more.