As a FedRAMP consultant at MindPoint Group, one of the most basic security elements I examine is password usage policies across an organization. Secure password usage is a fundamental aspect of cyber hygiene. Passwords are the gateway to most of our systems and data, and unless you are running a Zero Trust Architecture, one password can gain entry for a bad player to your entire ecosystem. Good password hygiene, like longer passwords, can provide the first layer of defense for securing your digital ecosystems.
Passwords in the Modern World
The password has become the most used way for an individual to authenticate to a server or a service. Most individuals use an average of 25 or more passwords that can vary in complexity or requirements. This helps to illustrate the rapid growth of passwords as technology continues to expand and become a more vital part of our lives going into the future. It has become clear that the way we approach passwords and authentication needs to be re-evaluated and changed. With how things currently stand, users suffer from password fatigue and make poor choices, that while meeting minimum requirements, ultimately weaken their password and leave it vulnerable to attacks.
Some examples of poor password choices:
- Reusing passwords across multiple sites and apps
- Only updating 1 character of your password when required to update
- Writing down passwords and not securing the written-out passwords
- Using pets, people, birthdays, and anniversaries that are easy to guess
It is important to keep in mind that password requirements should not be removed from the environment, and instead, the entire information system should be re-examined to determine the necessary level of requirements that need to be enforced.
A Look at Password Strength
Password strength is typically characterized by the difficulty level associated with compromising the password. The two key factors that are typically looked at for passwords consist of password length and password complexity. Length and complexity have typically been compared equally in the past, but that may not be the case any longer. Using entropy, we can see longer passwords with just numbers (10-character choices) can have the same difficulty to compromise as shorter passwords with more characters available (ASCII – 128-character choices).
As password fatigue is becoming more prevalent, it has become increasingly important that correct calculations are done on password strength, as opposed to rough estimates. Using the entropy formula log(C) / log(2) * L, we can calculate where C is the size of the character set and L is the length of the password. Using the entropy formula, you can see that a password of 128 possible characters and a length of 8 is just as secure as a password with a length of 17 that is comprised of only numbers (0 thru 9) [Table 1].
With these common character sets and lengths as an example, it becomes clear that the defining factor for password strength is a password's length instead of a password character set. This is the main reason there has been a rise in the use of pass-phrases over complex passwords. Pass-phrases are easier to remember by the average adult instead of having to remember a password that is a mix of letters, numbers, and symbols and must be changed per company policies, such as every 30 to 90 days.
Pass-phrases are not the complete solution to the password fatigue that consumers of a variety of IT products face. Though simpler, straightforward, and easier to remember, it is still taxing on an individual to have to remember 5 or more pass-phrases for their daily lives and many more for any services or subscriptions that are used infrequently. It is common for consumers to use bad practices when creating passwords to make their daily lives easier, something that is true for pass-phrases as well.
Moving Away from the Password
Research has shown, however, that users respond in very predictable ways to the requirements imposed by composition rules such as adding simple numbers and symbols that are easily guessed by computer. Consumers will also tend to write down passwords to help them remember or choose one password for a multitude of devices. The solution to these problems will depend on each system and its unique requirements based. One solution is to move away from the use of passwords as the sole authentication factor that is used. Implementing Multi-factor Authentication (MFA) allows the user to create passwords that are simple to remember and do not need to be changed as often while keeping the information system just as secure.
Passwords, while useful in providing authentication, are a solution that has started to become a problem. System owners are going to have to look at their system to determine if their password standards meet both security and business objectives. Passwords have been shown to be strengthened more by their overall length than by adding a series of complex and hard-to-remember numbers and symbols. While passwords can cause great fatigue on a user, password requirements should only be relaxed if a stronger solution such as MFA is used in the system.
Curious about Password Usage, Zero Trust Architecture, or Cyber Hygiene? The team at MindPoint Group is ready to answer your questions.