Gone are the days of cyber attackers brute forcing passwords. Now, businesses implement rigorous password policies, but how effective are these when they are combined with human nature?
We explore why rigorous password policies are creating the exact opposite of what they intend to do, and the only viable alternative – separating people from passwords.
The message about using ‘strong’ passwords is getting through. According to the Verizon DBIR, instances of password brute forcing are falling year on year (down to just 3% in 2014). However, as expected, as we fix one weakness cyber attackers shift their focus to the next.
According to Clearswift’s article The Seven Deadly Sins of Cyber Security, 23% of people say they use the same passwords across work and home applications (so if a personal login is lost or stolen, your company network could be compromised too).
17% of people say they have shared their passwords with others at work, and 13% would loan someone else their work device to use, opening up access to their private information.
Complex password policies are creating the exact opposite of their intended outcome. This is due to two factors. First, as humans need to remember passwords, they are heavily biased towards patterns. A typical policy would state that a password needs to be more than 12 characters long, contain upper and lowercase characters, some digits and a punctuation mark. Furthermore, some policies state that the user needs to change their passwords every 30 days.
Humans tend to follow instructions serially. First they think of a long word; for example, ‘Manchester’ – this has upper and lower case and takes up 10 characters. ‘ManchesterFC’ would be a useful alternative, taking up 12. For the digits, most users would start with the year, so ‘ManchesterFC2015’ works. For the punctuation character, ‘.’ and then ‘!’ are the most common choices, so we are at ‘ManchesterFC2015.’ After 30 days our user is faced with a forced password change. Typically, they will choose ‘ManchesterFC2015.10’, where the last two digits are the current month.
Now we have a solid 18-character password, beyond the reach of a brute force against the 14-character LM hash, which on the surface seems great. Unfortunately, football clubs are very popular choices for passwords; ‘Manchester’, ‘Liverpool’, ‘Chelsea’, ‘Arsenal’ and ‘Tottenham’ quickly cover the top five. Year, month and ‘.’ are common additions. The combinations of all of these are therefore very easy to enumerate, although there are still too many to brute force directly against a live login.
This is where the second factor comes in. If we were to take all the common combinations of the above, we could set each as a user’s password and record the resulting hash. The hash is the result of passing the password through a complex one-way algorithm. Now imagine that we’ve done this 131 billion times. If a hacker were to obtain a user’s password hash, they would have a great chance of recovering the original password simply by looking it up.
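The recipe the two paragraphs above describe can be turned into a check that runs when a password is set, so that a policy rejects recipe-built passwords instead of counting their length. This is an added example, not Osirium’s code; the club list, the ‘FC’-style tails and the year range are constructed here for illustration, and a real checker would load a much larger word list.

```python
import math
import re

# Constructed lists for the example: the clubs the article names, the tails a
# user typically bolts on, and a plausible year range. Assumptions, not data.
CLUB_WORDS = ["manchester", "liverpool", "chelsea", "arsenal", "tottenham"]
TAILS = ["", "fc", "united", "city"]
YEARS = range(1990, 2031)
PUNCT = ".!"
MONTHS = [""] + [f"{m:02d}" for m in range(1, 13)]   # "" = no month yet

# word + optional tail + four-digit year + optional punctuation + optional month
PATTERN = re.compile(
    r"^(?P<word>[A-Za-z]+?)(?P<tail>fc|united|city)?"
    r"(?P<year>(?:19|20)\d\d)(?P<punct>[.!])?(?P<month>0[1-9]|1[0-2])?$",
    re.IGNORECASE,
)


def matches_serial_pattern(password: str):
    """Return the decomposition if the password follows the serial recipe, else None."""
    m = PATTERN.match(password)
    if not m or m.group("word").lower() not in CLUB_WORDS:
        return None
    if int(m.group("year")) not in YEARS:
        return None
    return m.groupdict()


def pattern_space_size() -> int:
    """How many passwords the recipe can produce from the lists above."""
    return len(CLUB_WORDS) * len(TAILS) * len(YEARS) * (len(PUNCT) + 1) * len(MONTHS)


def naive_entropy_bits(password: str) -> float:
    """What a 'length x character classes' policy believes the password is worth."""
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    pool = [1, 26, 52, 62, 94][classes]
    return len(password) * math.log2(pool)


def effective_entropy_bits(password: str) -> float:
    """If the password is an instance of the recipe, the attacker's search space
    is the recipe's, not the character pool's."""
    if matches_serial_pattern(password):
        return math.log2(pattern_space_size())
    return naive_entropy_bits(password)
```

For ‘ManchesterFC2015.10’ the naive estimate is over 120 bits while the effective figure is about 15, which is the gap between how the policy scores the password and how a precomputed table treats it.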
The whole situation worsens when the policy requires different passwords for different systems. This leads users to write them all down in something useful, like a spreadsheet stored on their desktop. It’s no wonder that 86% of passwords are simply stolen from the desktop.
Given the above information, it’s worth a moment to reflect on your password policy. How many of your users would have chosen one of those 131 billion passwords? Given this, it becomes difficult to prove the identity of who did what. This is of course amplified where several users are sharing a password to a particular device account.
Having read the above, you may be thinking you can’t trust your staff with passwords at all, but the vast majority of your users will use online banking. You can be sure that where their own money is concerned they choose strong passwords.
Banking systems do not ask for password changes every 30 days, yet historically they have proven secure. Online banking authentication systems use a second factor of authentication. The key point here is that banking systems seek to prove identity. Identity is the real key to security. In the corporate world, we really need to know who did what, where and when.
Osirium’s privileged access management solution, Osirium PAM, works on the principle of separating people from passwords. Users still keep their personal passwords, and identity can be enhanced by two-factor authentication. Profiles then map identities into specific roles on specific devices, applications or systems. This means that your users can reach the systems that they need to, but they can get no further. Now users cannot use a connection to one system to jump to another.
Using this approach creates real accountability. Whereas before you could have a situation where a team of people could all use a shared password to systems, now you have identities having sessions on systems. This provides businesses with the ability to know who did what, and when, meaning there’s nowhere to hide wrongdoings.
This simple approach to managing privileged accounts provides a wealth of security and significantly reduces your company’s attack surface by taking the passwords you most want to protect out of the hands of your staff.
If you’d like to find out more about Osirium PAM, please contact us.