The Dilemma of Protecting the Thing that Protects

The problem of passwords

At current count, I have 406 different websites and accounts that require credentials in order for me to access my account data. If your users are like most people, more than half of those accounts use the same password, and that is not a good idea. Doing so means they are relying on the weakest of those websites to provide security for every website. This can also be a huge problem for you if they are using the same password to authenticate on your network.

What if I decided to use the same password for my local chat group as my credit card account access, and also my Active Directory account? Now suppose that the local chat group has their credentials database hacked. Many times, this is done without them even noticing. So now, my email address, username, and password are in the hands of a malicious, third party with every intention to use them. With very little effort, the hacker is now able to access any accounts that share the same password, including your corporate data.

With the recent media accounts of almost the entire United States having credentials stolen, it is not a matter of whether your users’ credentials will be used, but when will they be used. To be clear, it doesn’t matter how difficult their password is or how complex your password policy is. It only matters if that password is used more than once. Users MUST use a different password for every site. If you’re in charge of managing the IT infrastructure for hundreds of these users, you have the Sisyphean task of forcing updates, resetting passwords, managing inactive users, vigilant monitoring, and always staying one step ahead of malicious actors.

Additionally, users should be enabling two-factor authentication on every account that will allow it. Two-factor authentication (2FA) requires a second type of authentication in addition to a password. The best method of 2FA is a randomly generated number created by a code generator, since it closes the loophole on mobile account access. So really, you need a password management tool that has an integrated code generator to help users manage compliance with your password policy. You also need something that minimizes user training, one of the most time-consuming issues with implementing such a policy.

How to keep track

How can users be expected to keep track of 406 different passwords? Instead of writing all of their passwords down in a text file sitting on their desktop or even worse, on their cubicle wall, on a notepad, or on a post-it note on their monitor, I would like to recommend a better solution. Force your users to use a password manager. There are several excellent solutions including LastPass, and 1Password. They will help users generate new, secure passwords, and store them all in an encrypted database accessible on any device, including a mobile app.

LastPass even includes the ability to integrate with your existing IT infrastructure to set up and provision users. It allows you to force compliance with your new password policy throughout your entire organization and also allows you to enable 2FA for all accounts that allow it. LastPass also includes an integrated code generator, so a simple QR code enables auto-prompting authentication and 2FA code generation in seconds thereby reducing the most difficult hurdle in adoption – ease of use.

One password to rule them all

So, now you have deployed LastPass throughout your organization and users are generating random secure of passwords for every website. They are using 2FA and feeling more secure than ever. Congratulations! You are now in the top 45% of all Internet users[1]. Let’s not go and mess it up now. As you may be aware, in June 2004, William Burr created an eight-page addendum, titled “NIST Special Publication 800-63, Appendix A[2].” If you have not read it, you probably have unknowingly used its examples. It has been used as a guideline for password creation ever since its creation, and therein lies the problem. When everyone adopts the same standard for password creation, it makes it that much easier to “guess” passwords. You can check out an article describing the method here.

It boils down to this: Start forcing high minimum lengths for your passwords. Let us look at using four words, each of having at least 5 characters, as a password. It is easy to remember, but it is much more difficult to “guess.” For example, the password “jackhammered boats betrayal games” would take approximately 2.89 undecillion years (2.89 x 10^36) to brute force hack[4][5] (assuming 1,000 guesses per second and 27 character set (26 lowercase letters and a space)). Long after our sun has caressed the earth in a fiery embrace, this password will still be safe from brute force attacks. While you will still have to worry about man in the middle attacks, following this policy will mitigate the damage.

TL;DR/Conclusion

Setup a password manager like LastPass. Easily generate new, strong, random passwords for every site. Keep track of users' passwords inside the password manager across computers, laptops, and mobile devices. Manage your organization’s passwords across all users. Integrate LastPass with your Active Directory infrastructure to automatically deploy new users to comply with your new standard. Integrate LastPass with DUO (article coming soon) to secure your individual devices. Use 2FA everywhere you can. Report on compliance. Breath easier.

As always, please feel free to contact us about how to implement the password management solution that is right for you.

Lawton Brown is a graduate of Georgia Institute of Technology and Atlanta's John Marshall Law School. He is licensed to practice law in TX and GA. Lawton is the current president of XOGENT and has been in the software development and IT service industry since 1992.