The fact that password security remains a relevant topic is a source of frustration to many cyber professionals, particularly with so many viable alternative authentication methods, such as biometrics, readily available.
“Passwords have become the de facto authentication method for companies to employ as they can be relatively cheap to implement at scale for many users,” Brian Honan, CEO of BH Consulting told Infosecurity.
As a result, poor password practices still present enormous security risks for organizations, with Verizon’s 2022 Data Breach Investigations Report finding that stolen credentials led to nearly 50% of attacks in 2021.
Confusion For Users
Given the level of risk around password compromise, relevant organizations – including government agencies, independent bodies and large tech providers – have issued various guidance and mandates on password practices to try to ensure users meet minimum security standards.
However, this has led to a wide variety of advice being issued. For example, in the UK, the Information Commissioner's Office (ICO) advises a minimum of 10 characters in passwords, whereas the National Cyber Security Centre (NCSC) recommends a minimum of eight. Tech giant Microsoft, meanwhile, requires a minimum length of 14 characters.
In addition, some authorities, like the ICO and the US National Institute of Standards and Technology (NIST), say special characters should not be mandated, but bodies like HITRUST do have this requirement.
Sarb Sembhi, CTO at Virtually Informed, told Infosecurity, “The advice we’re given has never been consistent and is changed a lot. Some people believe it's one thing and others believe it's something else.”
This has ultimately resulted in confusion for the end user.
Outdated Practices
Research over the past few years has also overturned much of the previous conventional wisdom around password practices, suggesting that a simpler approach is more effective because it makes users less likely to bypass controls. Forcing users to change their passwords regularly has a detrimental impact on security, one report found.
Jessica Barker, CEO and co-founder of Cygenta, said: “The UK NCSC and NIST changed their guidance to acknowledge that asking people to repeatedly change their passwords actually leads to people using weaker passwords.”
The NCSC has also sought to simplify password practices with its "three random words" recommendation, which it views as more effective than complex character combinations.
Taking the Pressure Off Users
While bodies like the NCSC and NIST are renewing their approaches to password policies, many organizations are still placing outdated requirements on users. These include composing passwords from a mixture of letters, numbers and special characters, avoiding words or numbers that can be associated with the user, and changing passwords regularly.
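To make the contrast concrete, the following is an added example (written for this article, not code from the NCSC, NIST or any vendor mentioned) that puts an old-style composition-and-rotation policy side by side with a length-plus-denylist policy of the kind the NCSC and NIST now recommend. The thresholds, the candidate passwords and the small compromised-password list are constructed for illustration; a real deployment would screen against a large breached-password corpus and choose its own minimum length.

```python
"""Added illustrative example: an outdated composition/rotation password policy
versus an NCSC/NIST-style length-plus-denylist policy.

Not code from any of the organizations the article mentions. The rules,
thresholds and sample data below are constructed for illustration only.
"""
import re
from dataclasses import dataclass, field

# Constructed stand-in for a compromised-password list. Real deployments screen
# against a large breached-password corpus; these entries are illustrative.
COMPROMISED = {"password", "p@ssw0rd1", "welcome1!", "summer2023!", "qwerty123"}


@dataclass
class Verdict:
    accepted: bool
    reasons: list[str] = field(default_factory=list)


def legacy_policy(password: str, days_since_change: int = 0) -> Verdict:
    """Outdated rules: 8+ characters, upper + lower + digit + special character,
    and a forced change every 90 days."""
    reasons = []
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    for label, pattern in (("uppercase", r"[A-Z]"),
                           ("lowercase", r"[a-z]"),
                           ("digit", r"\d"),
                           ("special character", r"[^A-Za-z0-9]")):
        if not re.search(pattern, password):
            reasons.append(f"missing {label}")
    if days_since_change > 90:
        reasons.append("older than 90 days, forced change")
    return Verdict(not reasons, reasons)


def modern_policy(password: str, min_len: int = 8,
                  compromised: set[str] = COMPROMISED) -> Verdict:
    """NCSC/NIST-style rules: a length minimum (the figure differs between
    bodies, so it is a parameter), screening against known-compromised
    passwords, no composition mandate and no scheduled expiry."""
    reasons = []
    if len(password) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    # Case-insensitive match is a design choice here so that trivial case
    # variants of a leaked password are caught as well.
    if password.lower() in compromised:
        reasons.append("appears in compromised-password list")
    return Verdict(not reasons, reasons)


def compare(password: str, days_since_change: int = 0) -> tuple[bool, bool]:
    """Return (legacy_accepted, modern_accepted) for a candidate password."""
    return (legacy_policy(password, days_since_change).accepted,
            modern_policy(password).accepted)


if __name__ == "__main__":
    # Constructed candidates: a leaked "complex" password, a three-random-words
    # passphrase, and a strong password that the legacy policy expires anyway.
    for pw, age in (("P@ssw0rd1", 10), ("coffee train sunset", 10), ("Xk7#mQ2!vb", 120)):
        legacy, modern = legacy_policy(pw, age), modern_policy(pw)
        print(f"{pw!r:24} legacy={legacy.accepted!s:5} {legacy.reasons}")
        print(f"{'':24} modern={modern.accepted!s:5} {modern.reasons}")
```

Run as a script, the output shows the article's point in miniature: the leaked but "complex" password sails through the composition rules and is rejected only by the denylist, the three-word passphrase is rejected by the composition rules and accepted by the modern check, and a genuinely strong password is thrown out by the legacy policy purely because it is 120 days old.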
“One issue that many of our clients face is in terms of compliance with regulations, with different rules and expectations, some of which go against the good practice recommended by the UK NCSC and NIST. This leaves security leaders in a challenging position, knowing that the password policy which they are enforcing is not in line with best practice,” said Barker.
Honan noted that this orthodox advice, although well-meaning, often has the opposite effect on cybersecurity: “When you take a logical look at that advice you realize how bad it is and how difficult it actually is to follow. This in turn leads people to reuse passwords or use variants of a password that they believe to be secure.”
Sembhi believes the obligations such policies place on users are an additional cause of stress, potentially contributing to mental health problems in workers. It is another reason for fundamentally changing the way authentication is approached.
“It's the vendors that need to get it sorted, not the government telling users to get it sorted,” stated Sembhi. “That is fundamentally wrong and there needs to be some sort of standard approach that vendors should be asked to follow.”
Honan agreed, “We need to move the responsibility for system security away from being primarily the responsibility of the user.”
Authentication as a Whole
Both Honan and Sembhi believe there must be a more unified approach to guidance, encompassing authentication as a whole and aimed primarily at vendors and organizations. In addition to passwords, another key aspect is consistent guidance on the use of multi-factor authentication (MFA).
“People are encouraged to ensure they pick a secure and unique password for the various systems and platforms that they use. However, the concern I have is the focus is still on people creating secure passwords with little or no messaging being given on the use of additional resources such as MFA and the use of password managers,” said Honan.
He added that this guidance should promote passwordless methods of authentication, helping to move away from the current reliance on passwords.
Overall, Honan would like to see a strong emphasis on usability. “We need to provide these solutions in a way that is easy for people to understand and use,” he urged.
Guidance needs to recognize that different forms of authentication are better suited to different types of devices and systems, said Sembhi. For example, biometric authentication works much better on mobile phones than desktop computers, while PINs work well on Microsoft Windows, as long as they’re not saved in the cloud.
He believes the use of flow charts and maps will help provide these insights. “It should be simple because they’re rules we've talked about for years, we've just never put them down on a piece of paper,” commented Sembhi.
Achieving Unification
The path to unified standards around authentication must be industry-led, according to Sembhi. However, he does not believe an ISO standard will be appropriate in this instance “because small organizations won’t be able to comply with it.”
Instead, “it needs to be an open standard that everyone can use and view,” he commented.
What’s key, added Sembhi, is that developers have something to follow so they can build authentication approaches into platforms in a uniform way.
“At the moment, the only standard thing everywhere is using a username and password – they’re the only two consistent things,” he noted.
The first stage is to put out a proposal, and then invite discussion across the industry to adapt and refine it via conferences and other media.
“Until something is on the table, no-one’s going to initiate,” said Sembhi, who said this is an area he is keen to be involved with going forward.
Passwords remain a major security weak point for society as we reach World Password Day 2023. Multiple recommendations from different organizations on password practices, many of which are outdated, are creating confusion and difficulties for users. A unified approach to authentication more generally, aimed at building best practices into systems by design, will be crucial to stemming rising breaches going forward.