The Malta Independent on Sunday

How to protect and manage your P^$$W0Яds

A password confirms identity and, as the term implies, allows passage. The concept of demanding confirmation that you are who you say you are in exchange for something of value has been around for a long time.

- Bernard Farrugia

One of the first references is in the sixth book of Polybius’ Histories, which was written in the second century BC. Polybius describes a method used to enable the night guards’ watchword (i.e. the password) to be delivered to all the guards who require it.

When one thinks of the origins of the password, a more modern example that comes to mind is a 1989 video game called “Where in Time is Carmen Sandiego?” This game had a rather intricate way of ensuring that whoever was playing the game was the person who actually owned it. Included with the game was a hard-copy encyclopedia running to 1,000 pages. This was the main point of reference for clues to the whereabouts of Carmen Sandiego. After each level, the game would ask the user to provide a word from the book. Bearing in mind that scanners were not commonplace at that time, photocopying a 1,000-page book would probably have cost more than the game itself. So the user had no choice but to buy the original game with the authentic book to find the password required. Genius!

Today, a large part of our lives is stored either in a cloud system, on local computers or on mobile devices. This includes pictures you may hold dear, private e-mail conversations, scanned copies of confidential documents, etc. Information is valuable and private. Systems holding such information need to be configured in a way that prevents malicious or accidental access by others. A password is one of the mechanisms used to prevent unauthorised access.

Passwords are one of the most common methods of authenticating users. Yet the way in which we have set password standards is not as secure as we might think. Bill Burr, a manager for the US National Institute of Standards and Technology (NIST), regrets writing today’s de facto standard and official guidance on password security requirements (i.e. “NIST Special Publication 800-63, Appendix A”). The main issues with today’s password standards are the following:

• Passwords can be forgotten. The biggest downfall of passwords is human memory. A password must be memorised, otherwise access to the system will not be allowed. Remembering a credit card’s 4-digit PIN can sometimes be a struggle, let alone having different passwords for the different systems. The cherry on the cake is when companies enforce password policies which state that a password must include special characters, capital letters and numbers, and that the password must be changed to a new one every 90 days. What tends to happen is that users rehash the same password by changing the first and last characters, defeating the original purpose of the control.

• Passwords can be guessed. Films have highlighted this issue many times, showing the main protagonist somehow circumventing the password mechanism of the antagonist’s computer because the name of a cat or a relative is known. As a general rule, unless passwords have enforcement rules in place, people tend to use the easiest password they can remember.

• Passwords can be spoofed (i.e. stolen). Sending a password over unencrypted communications links could enable an attacker who resides on your network to steal the credentials used to authenticate to the system. Another way in which this can happen is through spam email (most often referred to as phishing and spear phishing attacks). There is no doubt that we have all received spam emails from fake websites asking us to change our password on their system. In this manner, the attacker can trick the user into giving up the credentials to gain access to our systems.

All is not lost. The latest set of NIST guidelines (i.e. NIST Special Publication 800-63B) has come up with a number of suggestions that tackle most of the issues mentioned above. Some of the highlights of the new framework include the following:

• Change of user passwords. Multiple studies have shown that requiring frequent password changes is actually counterproductive to good password security. The framework highlights that passwords should not be changed periodically and should only be changed if there is evidence of a password compromise.

• Password complexity. Password creation requirements that enforce upper/lower case letters, symbols and numbers have been proven to be worse in terms of password security. It is recommended to start using what is being referred to as “passphrases”: a number of words combined together, which maximise the benefit of long passwords. Even if you calculate it mathematically, it takes less time to brute-force a complex 8-character password than a 12-character lowercase-only password.

• Commonly used passwords. These should be avoided, and systems should not accept passwords that have been identified within dictionary lists and known compromised passwords.

• Password managers. It is recommended to use tools that help users to memorise their passwords and increase the likelihood that users will choose stronger memorised passwords. Examples include LastPass, 1Password, KeePass, etc.
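The following Python script is an added example and is not code from the article or from NIST. It shows what a password-acceptance check looks like when it follows the 800-63B highlights above: a minimum length, a blocklist of commonly used and known-compromised passwords, and deliberately no composition rules or expiry. It also works through the brute-force comparison the article makes (8 characters drawn from the 95 printable ASCII characters versus 12 lowercase letters). The length limits, the Unicode normalisation step and the context-word check are taken from the 800-63B text rather than from the article; the blocklist entries are constructed sample data, not a real breach list.

```python
import math
import unicodedata

# Assumed policy constants, taken from NIST SP 800-63B's guidance for
# user-chosen memorised secrets (minimum 8 characters; verifiers should
# allow at least 64).
MIN_LENGTH = 8
MAX_LENGTH = 64

# Constructed sample blocklist. A real deployment would load a large list
# of commonly used and known-compromised passwords instead of these few.
BLOCKLIST = {
    "password", "123456", "qwerty", "letmein", "iloveyou",
    "welcome1", "password1", "summer2017",
}


def check_password(password, context_words=()):
    """Return the list of reasons a candidate password is rejected.

    An empty list means the password is accepted. Note what is deliberately
    absent: no requirement for digits, symbols or mixed case, and no expiry.
    """
    # NFKC normalisation so that visually identical Unicode forms compare equal.
    pw = unicodedata.normalize("NFKC", password)
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    folded = pw.casefold()
    # Compare case-insensitively so "Password1" is caught by the entry "password1".
    if folded in BLOCKLIST:
        problems.append("appears on the common/compromised password list")
    # 800-63B also advises rejecting context-specific words such as the
    # username or the service name; the caller supplies them.
    for word in context_words:
        if word and word.casefold() in folded:
            problems.append(f"contains context-specific word '{word}'")
    return problems


def keyspace(alphabet_size, length):
    """Number of candidates an attacker must try to exhaust the whole space."""
    return alphabet_size ** length


def entropy_bits(alphabet_size, length):
    """Search-space size expressed in bits (log2 of the keyspace)."""
    return length * math.log2(alphabet_size)


def compare_article_claim():
    """The article's comparison: 8 characters from the 95 printable ASCII
    characters versus 12 characters from the 26 lowercase letters.
    Returns (keyspace of the 8-char complex password,
             keyspace of the 12-char lowercase password)."""
    return keyspace(95, 8), keyspace(26, 12)


if __name__ == "__main__":
    for candidate in ["Password1", "correct horse battery staple", "abc"]:
        verdict = check_password(candidate, context_words=("bernard",))
        print(f"{candidate!r}: {'accepted' if not verdict else ', '.join(verdict)}")
    complex8, lower12 = compare_article_claim()
    print(f"8-char complex:    2^{entropy_bits(95, 8):.1f} candidates")
    print(f"12-char lowercase: 2^{entropy_bits(26, 12):.1f} candidates")
    print(f"the lowercase space is {lower12 / complex8:.1f}x larger")
```

Running the script accepts the four-word passphrase, rejects "Password1" because the case-folded blocklist lookup matches, and shows that 26^12 is roughly fourteen times 95^8, which is the arithmetic behind the article's claim that length beats enforced complexity.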

Only time will tell whether this latest set of guidelines will be able to withstand new and upcoming threats. One can also argue in favour of newer approaches in authentication such as the biometric techniques being introduced at the moment, e.g. Apple’s Face ID, a facial recognition system being shipped with the iPhone X. As with any system, facial recognition will have its own limitations, but memorising a password will no longer be an issue, which is a good thing. Until such systems are a standardised implementation in the technology we use on a daily basis, we will have to ensure that we keep our passwords secure.

Bernard Farrugia is an IT Audit Manager in Deloitte Malta Risk Advisory. For more information, please visit www.deloitte.com/mt/risk
