Passwords are stuck in the past
When it comes to data breaches, passwords being exposed are often the greatest concern. If a password is exposed in a data breach, it can be used by bad actors to attempt to hack the user's other accounts on various Web sites they use.
So said Troy Hunt, founder of breach aggregation site Have I Been Pwned, who was presenting a keynote at the ITWeb Security Summit 2021 this morning.
He said back in the 60s, computers took up an entire room and people needed to be physically there to access them. The extremely limited connectivity made for a relatively simple threat landscape. Only those in the immediate vicinity could be “adversaries”. However, over time this extended to remote users who could dial in, thus growing the threat landscape.
From there it snowballed – more connectivity, more accounts, more cyber criminals, all of which led to more data breaches.
But the way passwords worked then is still fundamentally the same today. Users have two strings (a username and a password) and if someone knows them both, they can log in. However, authentication has evolved since then, and the way we create and manage accounts needs to change, yet many modern businesses still apply the patterns of yesterday to today’s threats.
People take shortcuts
People are good at finding ways around security solutions, which is a problem. Because simple passwords can be easily cracked, the industry decided to create password complexity criteria, insisting on a certain number of characters, at least one in uppercase, one in lowercase, a number, a special character, and so forth.
So instead, users began to use passwords like “MySafeP@ssw0rd!”. This may appear to solve the problem, as it meets all the complexity criteria, but it also shows a very recognisable pattern, Hunt noted.
It is human nature, for example, to uppercase the first letter, and add an exclamation point or a ‘1’ at the end to satisfy at least two of the criteria. This behaviour can be found around the world. If you ask the same questions, you will get the same answers. “This is what people do,” he says.
Similarly, if the organisation insists on changing passwords every few months, users will simply change to “MySafeP@ssw0rd!2”, which shows that this approach is clearly flawed and needs to change.
The National Institute of Standards and Technology (NIST) gave some solid advice, and recommended only asking users to change the password on an indication or suspicion of compromise. NIST also advised the removal of 90-day password rotation policies, as all this does is lead to predictable behaviours, causing users to select weaker passwords than they would have had they created one from scratch to use for a long time.
People take shortcuts when you force them into arbitrary patterns of creating passwords. The bottom line – when we enable users to make these choices, they end up making very poor decisions and the hackers have worked this out, Hunt said. “They have password cracking patterns and dictionaries that reproduce these very predictable human behaviours. That's why we don't want to do this anymore.”
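An added example, not from the article or from Hunt's talk, of the kind of check the NIST guidance points to: instead of composition rules and forced rotation, the validator strips the predictable decorations Hunt describes (capitalised first letter, substituted characters, a trailing “!” or digit) and looks the result up in a blocklist. The blocklist, the substitution table and the sample passwords are constructed for illustration; a real deployment would check against a large breached-password corpus.

```python
import re
from typing import Optional, Tuple

# Constructed stand-in for a breached/common-password list (a real deployment
# would consult a large corpus such as the Pwned Passwords data set instead).
BLOCKLIST = {"password", "mysafepassword", "letmein", "qwerty", "welcome"}

# Character substitutions people commonly use to satisfy composition rules.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "$": "s", "7": "t"})


def meets_complexity_rules(password: str, min_length: int = 8) -> bool:
    """The legacy policy: length plus upper, lower, digit and special character."""
    return (len(password) >= min_length
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[a-z]", password) is not None
            and re.search(r"\d", password) is not None
            and re.search(r"[^A-Za-z0-9]", password) is not None)


def canonical(password: str) -> str:
    """Undo the predictable decorations to recover the word the user started from."""
    base = password.lower()                 # "MySafe..." -> "mysafe..."
    base = re.sub(r"[\d!?.]+$", "", base)   # drop "...!" and rotation suffixes like "...!2"
    return base.translate(LEET)             # "p@ssw0rd" -> "password"


def is_trivial_rotation(old: str, new: str) -> bool:
    """True when the new password is just the old one with its suffix tweaked."""
    return canonical(old) == canonical(new)


def evaluate(password: str, previous: Optional[str] = None,
             min_length: int = 8) -> Tuple[bool, str]:
    """NIST-style check: a minimum length and a blocklist lookup on the canonical
    form, no composition rules; a change is rejected only when it is cosmetic."""
    if len(password) < min_length:
        return False, "too short"
    base = canonical(password)
    if base in BLOCKLIST:
        return False, f"predictable variant of blocklisted word '{base}'"
    if previous is not None and is_trivial_rotation(previous, password):
        return False, "cosmetic change to the previous password"
    return True, "accepted"


if __name__ == "__main__":
    for pw in ["MySafeP@ssw0rd!", "MySafeP@ssw0rd!2", "correct horse battery staple"]:
        print(pw, meets_complexity_rules(pw), evaluate(pw, previous="MySafeP@ssw0rd!"))
```

Note that “MySafeP@ssw0rd!” passes the legacy complexity rules and fails the blocklist check, while a long lowercase passphrase does the opposite.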
Hunt also warned against re-using passwords. “Many people have three passwords, one for the really secure stuff, one for the medium secure stuff, and one for less good stuff. And you just know what sort of passwords these are going to be – they're going to be terrible.”
If someone gets into one account, they can use that to systematically go through and unlock all the user's other accounts. “Uniqueness, more than anything, is absolutely critical. And we can't use our brain to memorise all that so we have to record it in some way. I'm a big proponent, and have been very publicly for more than a decade now, of a digital password manager.”
If you can't use a digital password manager, a good old-fashioned notebook works just as well, Hunt concluded.