Brian Honan, Special Advisor to Europol's Cybercrime Centre (EC3)
The growth in cybersecurity continues unabated and we see companies investing more and more in the area. According to Gartner, enterprise cybersecurity spending will rise to $96.3bn in 2018. Much of this spending will be spent on technology solutions to secure corporate systems.
However, all these security solutions have a common weak link: the password. Time and time again we see studies highlighting that most security breaches are due to weak passwords. The Verizon 2017 Data Breach Investigations Report states that 81% of hacking-related breaches leveraged either stolen and/or weak passwords.
As security professionals, we run security awareness training programs and we configure our systems to enable people to choose secure passwords. We advise them to pick a password that is not a word related to them, that cannot be found in a dictionary, that contains upper-case and lower-case characters, that has numbers and special characters, and that must be easy to remember yet hard to guess.
What’s more, for every single system, those same people must repeat this exercise so they have a unique password for each. To make a complex task practically impossible, we also tell people not to write their passwords down.
To the average person it can be a daunting task to create, manage and remember all the passwords they need, both for their professional and private lives. So it is no wonder that time and time again we read stories about breaches which resulted from weak passwords, or passwords that have been re-used across different systems.
Each time this happens, many point the finger of blame and shame at the person whose password was compromised and decry their poor password hygiene. However, we as an industry need to share the blame for these breaches. We design our systems to be secure and then undermine this security by relying on people adhering to the near impossible task of managing their passwords.
I have long been a proponent of enabling people to be more secure online by providing them with tools to make their online security easier to manage. One of the key tools that I recommend is the use of a password manager. A password manager is essentially a secure repository where passwords can be stored for the various systems that people use.
A good password manager can also create and update passwords as required, and by integrating with a web browser, can also input the login credentials for each site as it is visited. In effect, with the use of a password manager, the pain of creating, updating and recalling passwords can be alleviated. Enterprise password managers take these features a step further by providing teams the ability to securely share credentials for a system amongst each other.
Many critics of password managers will highlight the risk associated with storing all your passwords in one place. Should the password manager be breached, then all the passwords are now exposed. This indeed is a risk, but one that I believe can be mitigated by employing good enterprise password managers which allow for the use of multi-factor authentication solutions.
In addition, critical systems should also have multi-factor authentication enabled so that even if a password, or passwords, are compromised due to a phishing attack or a breach, then the other methods of authentication should reduce the likelihood of a compromise.
Furthermore, once multi-factor authentication has been enabled on the password manager and key systems and people are trained on how to use the password manager in a secure manner, the above risks can be balanced out by the business benefits of improved password hygiene.
Enterprise password managers can also reduce a key pain point for many organizations which is the time and cost involved in support desks resetting passwords.
Securing systems by passwords is a cost effective way for organizations to control access to those systems. It is a relatively low-cost solution to implement and requires minimal training for those that will use that system.
There are better and more effective identity and access management systems for organizations to employ, such as biometric systems, but these are often more expensive to implement and maintain than passwords. They also require a lot more training for people in their use and often are difficult to get accepted into the workplace.
Until effective identity and access management systems become less costly for organizations to deploy, and until they become easier for people to accept and use, we will have to rely on the use of passwords. Good enterprise password managers can help us secure our passwords and systems for now.
Matthew Cunliffe, Technical Consultant, Europoint Communications
I firmly believe that password managers are a good thing. With the explosion of online services, coupled with the innumerable logins required for work in order to access email, SaaS applications, accounts for individual servers, VPNs, FTP and website hosting (to name but a few), it isn’t feasible for you to remember all your passwords.
However, that does not mean that password managers are necessarily perfect. For any large organization, end users’ laptops and PCs are often managed centrally, and locked down to prevent installation of unauthorized software that could pose a legal or security risk. As a result, password management must become part of standard security policy and be rolled out to each machine, where due diligence is paramount.
There are myriad questions you need to consider:
- Is the supplier reputable?
- Do they provide support and regular patching?
- Are they ISO 27001 and ISO 9001 accredited?
- How does the password manager integrate with the operating system, installed browsers or third-party software?
- Is the data stored locally or in the cloud? If it is stored in the cloud, does the supplier have the ability to decrypt your data?
- Does the country in which the data is stored comply with your legal requirements, such as the EU data protection directive or Privacy Shield?
- Are you able to enforce policies against the application such as password complexity, lockout and erasure?
- Is it licensed through remote authentication, or a local license server?
- Does it need access through firewalls on specific ports to specific URIs or IP addresses?
For an enterprise, providing a sanctioned password manager to every employee requires significant resources, time and cost to ensure that any risks introduced by the software can be mitigated. The argument could be had that having a password manager is far more secure than an employee writing passwords down in a notebook, using the same password for everything, or employing ‘Password123’.
Conversely, it’s generally agreed that using built-in password managers in browsers is not the safest solution. It has been demonstrated that advertisement platforms can retrieve user data using JavaScript to present hidden fields that are then auto-filled by the browser manager. Opera itself was breached, with synchronized passwords being stolen. Neither Google nor Mozilla provide clarity on how your passwords are encrypted within the browser or the cloud.
The alternative, of course, is a third-party tool – but even these are fallible. In March 2016, LastPass issued a security notice, advising users to avoid using their browser plugins whilst a vulnerability that could allow data to be stolen was fixed. A remote code execution bug was found in LastPass a year later.
It is not alone in having severe vulnerabilities: Dashlane, Keeper, 1Password and many others have also been found to have issues involving bookmarklets, cross-site scripting and cross-site request forgery. Research on the Android versions of nine password manager applications also found vulnerabilities allowing data leakage or access to the master password.
That is not to say that you shouldn’t use a password manager: it is far more secure to use one, with a sufficiently robust master password, than to rely on memory or paper alone.
Nonetheless, another issue arises when the employee does not use the password manager in a secure way. I know of one example of a senior executive who configured his laptop so that it remained unlocked provided his phone was within Bluetooth range, and who frequently walked away from his desk. Any person passing by would have had access to his password manager.
An employee could decide to make use of the cloud functionality to store their passwords. Should they become a ‘disgruntled employee’ (and it does happen) then they would still have access to all of their usernames and passwords via the application, either in a web browser or installed on another computer. Incredibly, a survey in 2014 found that 89% of 400 employees still had access to a previous employer’s accounts.
Put simply, password managers are only ever as good as the enterprise security policy and the master password used to encrypt the database. They are not a universal panacea and must complement existing policies.
I would still recommend using a password manager, both personally and at the enterprise level. However, organizations need to be particularly wary of the pitfalls inherent in these, and apply appropriate risk mitigation.
Desktop-based applications should be preferred over web-based applications in order to mitigate code injection attacks. Policies must be enforced to prevent storage of password data in the cloud, and where possible, firewall rules implemented to prevent the application accessing the internet.
The application should be locked down (if possible) to prevent export of data. Password complexity should also be enforced: I would recommend at least 12 characters that include alphanumerics and symbols, with the master passphrase being at least 15 characters in length. If you have the option to implement two-factor authentication on critical systems, use it. Finally, employee exit policies that disable user access immediately on employment termination must be implemented.
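As an added example (not code from the article or from either contributor), the following Python module turns the complexity rules just recommended into something an administrator can actually run: a policy check (at least 12 characters with letters, digits and symbols for stored passwords; at least 15 characters for the master passphrase, the thresholds taken from the text above), a generator that draws from the operating system's CSPRNG so that generated passwords always satisfy the policy (the "create passwords as required" feature described in the first contribution), and a small vault audit that also flags the cross-system password reuse both contributors warn about. The function names, the `Policy` class, the symbol set and the sample vault entries are all assumptions constructed for this example; the sample vault holds made-up credentials, not real ones.

```python
import secrets
import string
from dataclasses import dataclass

# Symbol set is an assumption for this example; real managers let the admin configure it.
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?/"


@dataclass(frozen=True)
class Policy:
    """Minimum-length plus character-class rules, in the style of an enterprise policy."""
    min_length: int
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_symbol: bool = True


# Length thresholds come from the article's recommendation (12 for stored
# passwords, 15 for the master passphrase); everything else here is assumed.
STORED_PASSWORD_POLICY = Policy(min_length=12)
MASTER_PASSPHRASE_POLICY = Policy(min_length=15)


def check_password(candidate: str, policy: Policy) -> list[str]:
    """Return the list of policy violations; an empty list means the candidate passes."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_upper and not any(c.isupper() for c in candidate):
        problems.append("no upper-case letter")
    if policy.require_lower and not any(c.islower() for c in candidate):
        problems.append("no lower-case letter")
    if policy.require_digit and not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if policy.require_symbol and not any(c in SYMBOLS for c in candidate):
        problems.append("no symbol")
    return problems


def generate_password(length: int = 16, policy: Policy = STORED_PASSWORD_POLICY) -> str:
    """Generate a random password from `secrets` (CSPRNG) that satisfies `policy`.

    Rejection sampling is used on purpose: every position stays uniformly random,
    instead of forcing a predictable structure such as "symbol always last".
    """
    if length < policy.min_length:
        raise ValueError(f"length {length} is below the policy minimum {policy.min_length}")
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate, policy):
            return candidate


def audit_vault(entries: dict[str, str], policy: Policy = STORED_PASSWORD_POLICY) -> dict[str, list[str]]:
    """Report every vault entry that fails the policy or reuses another entry's password.

    `entries` maps a system name to the password stored for it. Only entries with
    at least one problem appear in the returned report.
    """
    report: dict[str, list[str]] = {}
    first_seen: dict[str, str] = {}  # password -> first system that used it
    for system, password in entries.items():
        problems = check_password(password, policy)
        if password in first_seen:
            problems.append(f"reused from {first_seen[password]}")
        else:
            first_seen[password] = system
        if problems:
            report[system] = problems
    return report


# Constructed sample vault for demonstration only; none of these are real credentials.
SAMPLE_VAULT = {
    "mail.example": "Password123",                 # too short, no symbol
    "vpn.example": "Tr0ub4dor&3xtra!",             # passes
    "ftp.example": "Tr0ub4dor&3xtra!",             # same password reused for another system
    "wiki.example": "correct horse battery staple",  # long, but no upper-case, digit or symbol
}


if __name__ == "__main__":
    for system, problems in audit_vault(SAMPLE_VAULT).items():
        print(f"{system}: {', '.join(problems)}")
    print("generated:", generate_password(20))
```

The audit deliberately reports reuse as a violation in its own right: a long, complex password shared between two systems still exposes both to a single breach, which is the failure mode the text attributes to most compromised accounts. The same `check_password` routine, with `MASTER_PASSPHRASE_POLICY`, can be applied to the master passphrase at enrolment time.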