Let’s Train Consumers – and Companies – to Think of Passwords Differently
By Dimitri Fousekis
It’s a new year and yet already 2017 has a familiar ring to it with big breaches and their fallout still in the headlines. And at the heart of many of these cyber heists and data thefts is one of security’s biggest (and unfortunately perennial) vulnerabilities: passwords.
With every publicized breach comes both advice and admonishments prompting people to consider changing their passwords to protect their assets. More websites and applications are requiring stronger authentication, such as a minimum length of alphanumeric passwords to access emails or cloud-based services. But those efforts can easily be undermined if the user leaves those new passwords somewhere where they can easily be accessed by malicious persons. Users, though, can’t be fully blamed for breached websites or leaked data — that falls on the companies that store passwords within their own environments.
Users choose a password in multiple ways. For some, it requires little thought and is simply based on their birthdate, name, family name, pet’s name and so forth. For others, it’s so daunting to choose that “good” password that they ultimately write it down somewhere or worse, email it to themselves because in a matter of minutes they will forget it.
This password retention problem has been discussed by many information security experts, and at many cybersecurity conferences. There are psychological and environmental factors, among other criteria, that play a role in what password someone chooses. However, what poor password selection and protection most suffer from is a failure to understand the ownership of data and the criticality of that data.
For many, a password is just a means to an end: “I need to enter it here to get there, and it’s going to annoy me.” There is little understanding of the password’s vital role in data protection. This also creates a barrier between understanding confidential vs. publicly accessible data, and that what your password allows you to access is greater than and ultimately more important than you. This is especially true in corporate terms.
To illustrate, picture two groups of corporate users. Group A is told to choose a strong password and given policy documents highlighting this. Group B is told the same; however, they are also told that should any of their user accounts be compromised, they risk being charged a six-month salary penalty if found to be at fault. Which group do you think is going to put more effort into their password choices?
Users in Group B have a tangible measurement of what a weak password means. It’s linked to something that can negatively impact them, and they will make sure they don’t end up being the one with a weak password. Granted, this example is a bit far-fetched. But how much financial loss have weak passwords caused companies? And who ultimately pays if weak passwords are a prime culprit?
Better user education definitely is needed. People don’t need to know everything a password is, or the horror stories of breached sites. They need to know the importance of their data, and be told repeatedly the value of data and their responsibility in protecting it. Once people understand this, passwords will mean more to them. How many non-technical people know that just one weak user account can allow an attacker access to find a vulnerability that can expose the entire database of user accounts? Explaining the critical importance of corporate or personal data — and that each user is responsible for helping protect it — should prompt a majority of people to think a little differently and more proactively about their role and their choice of passwords to make it more difficult for someone to exploit them.
Now, it’s all good and well that users pick stronger passwords and engage in more security-friendly habits, but all that effort is meaningless if an organization stores the passwords in plain text.
I am constantly amazed by the number of breached websites whose leaks show plain-text passwords. Never mind the shock of a provider that still emails users their forgotten passwords. It should not be remotely acceptable anymore to store passwords in the clear in a database. It also should not be acceptable to hash passwords with “easy-to-crack” hash formats such as MD5. Yet, we still see this happening all the time.
Another problem is vendors that do not allow certain special characters or spaces in passwords. Clearly this is not a database restriction, since the password is going to be hashed before making it in there. It’s bad development that causes application errors (read SQL injection?), so coders just carte blanche block these characters. Yet, such characters can go a long way toward making a password strong and more difficult to crack. Then there’s length. Why is a password only 16 characters maximum? The hash value is going to be far more than that, and the password length has no bearing on the final hash being stored.
The only conclusion seems to be that a lot more focus has to be put on educating people who design and build these systems. Any developer building a site should not even consider using plain-text passwords. Salted, strong hash algorithms should be the de facto policy, not something recommended only after a breach of data.
I have no doubt that we will, unfortunately, continue to see breaches of sites this year, attributed to passwords either in plain text or some easy-to-crack hash algorithm. Let’s try to make 2017 the year every website and app owner, developer or system architect addresses their password policies, procedures and policing. Do away with plain-text passwords; it’s not as difficult as you think. You can hash existing passwords and retrofit your site to support authentication comparison of a hashed user-supplied password against the database one. And if you are hashing passwords, check your algorithm. Is it salted? Is it considered strong? MD5 is useful for comparing file differences and changes; it is not at a viable option for passwords.
Focus on educating users to understand what a password actually is, and what it means. Ask your security architect, consultant or whichever resource handles security in your company to assist you in accomplishing the aforementioned recommendations. Securing sites with proper password storage and management will go a long way toward enhancing our roles and reputations in the coming year.
Finally, one more piece of advice I’ve delivered at conferences, only to meet a few raised eyebrows: have your password database cracked by specialists. The insight you can get by knowing what passwords are weak is invaluable. It will help you understand if your hashing algorithm is up to spec, and if your password rules are being bypassed by system administrators. And, it helps you to plan your policies going forward. Of course such cracking should be anonymous — the goal is not to link passwords to users but to adapt and to become more secure.
Dimitri Fousekis, CISSP, lives and works in Johannesburg, South Africa.
5 Minutes with Sam Goh
Sam Goh is from Singapore, where he is a senior managing consultant with IBM Security Services. He’s been an (ISC)² member for 11 years. An abbreviated version of this Q&A appears in the January/February 2017 edition of InfoSecurity Professional magazine.
What was your profession before you became an information security professional?
I started out as a system analyst for Aspentech, a specialist process optimization company for the oil and gas industry, 20 years ago to implement real-time dashboard technologies for an oil refinery’s 24x7 plant operations center. I also was fortunate enough to be in the Singapore Army for two and a half years (but I can’t talk about what I did). Additionally, I worked in a couple of network operations center roles in SingTel and Primus before getting into information security.
After realizing that was your chosen path, how easy or difficult was it to gain entry?
I suppose information security wasn’t an easy or apparent career option back in the days when security was mainly a glass house protecting the mainframe and applying cryptography for network communications.
In the ’90s, I had a particularly keen interest to know how IT worked (like taking apart hardware and software). I learned how IT could change the future from reading futurist columns from Wired magazine, reading books from writers like Neal Stephenson, newsgroups like alt.2600 (where “hacking” didn’t yet have a bad connotation) and watching CSI. Although my career is nothing like fanciful CSI!
The dot-com bust in the early 2000s didn’t help, but once I realized my personal interest could be a viable career path, I pursued professional competency, got into banking and earned my CISSP. I haven’t had to look back since.
What did you find most difficult about taking an (ISC)² certification examination?
It cost USD$500 back then and was a six-hour exam. I had to pass it the first time, as I couldn’t afford to retake the exam! It was a sizable out-of-pocket sum for me when I was working part-time in the day, and studying in the evening.
What is your favorite test-taking tip?
My advice has always been to trust your first instinct. You either know it, or you don’t — but don’t guess. It is OK to not know everything, but make sure you find out the correct approach to be sure of your understanding. Passing the exam is only the first step, as future clients won’t appreciate if they know you guessed your way up!
How long have you been an (ISC)² chapter president, and what made you take on that leadership role?
It is my first year as Singapore Chapter president, and my fourth stint in the chapter since its inception. I’m one of the original founding 15 who started the chapter and have served as secretary, vice-secretary, co-director and, now, president. It has been great ride so far to work with many great people, some of whom have become my lifelong friends. On this last stint, I really hope to inspire a new batch of volunteers to selflessly contribute to the growth of the chapter, and the security community. It is a great feeling to know more than a dozen people at every security conference that I attend nowadays. It is true that the more you put in, the more you benefit.
What makes conducting IT security in Singapore different from other parts of the world?
Singapore has been a regional hub for a lot of multinational corporations to run their APAC operations. I am in the financial services industry and we deal with more than a dozen regulators, compared to one main regulator in the U.K. or Australia. Singapore is also a conference hub that has a very active professional calendar — our monthly chapter events have to compete for members’ mindshare as they are bombarded with endless invites to conferences, trainings and seminar opportunities.
What is your favorite book that you have read in the past six months, and why is it a favorite?
I had recently re-read Lost Horizon by James Hilton. It is an old book I picked up from one of my hotel stays. I also managed to visit the real Shangri-La in Yunnan, China, as well as the heart of Tibet in the past two years. The Tibetan way of life is so beautiful, both from the outside, and pure from the inside. It is a good escape from reality, or is it real?
What advice do you have for someone in your industry just starting a career in IT security?
Read widely. Build up a network of peers and seniors you can consult with and bounce ideas off of. Always trust your first instinct.
What is your advice for anyone who wishes to retain highly valued employees on their security team? What can they do to keep those employees from leaving their organization?
In the army, we have this saying, “Lead by example and leave no man behind.” People work for people. If you are a manager, lead by example, catch up regularly, and help them to move up the value chain.
What is one must-do tourist adventure for members who are visiting Singapore for the first time?
Come try our hawker food! You haven’t experienced Singapore until you have tried our chili crabs, hokkien mee, chicken rice, and ice kachang. Be sure to finish off with some yummy Cat Mountain durians!