We’ve recently written a number of posts about the role that passwords and strong authentication methods play in security. Locking down logins and implementing access controls have long been cornerstones of information security. Most information security professionals understand the factors that make passwords strong. For a quick refresher, check out our recent post on the subject. In short, a strong password is long; includes numbers, mixed case, and special characters; contains no dictionary words or discernible patterns; and is definitely not your pet’s name. You should also never reuse a password across multiple systems.
Password generators are built into a number of endpoint protection solutions these days, and many password managers, like KeePass, also generate random passwords that meet configurable length and character requirements. Generating a secure password is therefore the easy part.
However, remembering these lengthy, purely random passwords, especially across the half dozen or so sites a typical employee uses daily, is very difficult for most users. Compounding that pain, password policies often require users to change passwords at regular intervals, most commonly every 30 or 90 days. Requiring frequent password changes has, historically, been considered a security best practice.
However, a recently voiced opinion from FTC chief technologist Lorrie Cranor defies the conventional wisdom that frequent password changes increase security. She contends, in fact, that mandatory periodic changes are detrimental to security. The research she cites found that, when forced to change complex passwords regularly, many users derive the new password from the old one by a simple ‘transformation’: adding a character to the end, incrementing a digit, or swapping one special character for another. Passwords that were intended to be complex, random, and hard to guess therefore become predictable. An attacker who has recovered one old password (for example, by cracking a leaked hash) can enumerate those transformations offline and, because the candidate space is tiny, recover the current password in far fewer guesses than a brute-force search would need.
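To make the transformation problem concrete, here is an added example (our own illustration, not code from the research Cranor cites) of the offline guessing step. It assumes the attacker already knows one old password for the account and holds a hash of the current one; the sample passwords, the set of transformation rules, and the use of plain SHA-256 in place of the target system’s real hash are all constructed for the illustration.

```python
import hashlib
import itertools
import string

# Constructed illustration, not data from any real system.
# The attacker is assumed to know one of the user's OLD passwords (for example,
# recovered by cracking an older leaked hash) and to hold the hash of the
# CURRENT one. SHA-256 stands in for whatever the target uses; a slow, salted
# KDF makes each guess costlier but does not enlarge the tiny search space.
OLD_PASSWORD = "Tr0ub4dor&3"
CURRENT_HASH = hashlib.sha256(b"Tr0ub4dor&4").hexdigest()   # user bumped the last digit
RANDOM_HASH = hashlib.sha256(b"x9#Lq2!vPz7m").hexdigest()   # user chose a fresh random one

SUFFIX_CHARS = string.digits + string.punctuation


def transformations(old):
    """Candidate new passwords derived from `old` by common rotation habits:
    changing a digit in place, appending a digit or symbol, swapping the last
    character, adding a two-digit suffix, re-suffixing the bare root, and
    toggling the case of the first letter. Roughly most-likely first."""
    cands = []
    # change each digit in place (covers "...&3" -> "...&4")
    for i, ch in enumerate(old):
        if ch.isdigit():
            cands.extend(old[:i] + d + old[i + 1:] for d in string.digits)
    # append one digit or symbol
    cands.extend(old + ch for ch in SUFFIX_CHARS)
    # replace the last character with another digit or symbol
    cands.extend(old[:-1] + ch for ch in SUFFIX_CHARS)
    # append two digits, e.g. a month or the last two digits of a year
    cands.extend(old + a + b for a, b in itertools.product(string.digits, repeat=2))
    # strip trailing digits/symbols and give the bare root a new suffix
    root = old.rstrip(SUFFIX_CHARS)
    cands.extend(root + ch for ch in SUFFIX_CHARS)
    # toggle the case of the first character
    cands.append(old[:1].swapcase() + old[1:])
    # de-duplicate while preserving order
    return list(dict.fromkeys(cands))


def crack_from_history(old, target_hash, hashfn=hashlib.sha256):
    """Offline guess: hash each transformation of `old` and compare it with
    `target_hash`. Returns (password, guesses) or (None, guesses)."""
    guesses = 0
    for cand in transformations(old):
        guesses += 1
        if hashfn(cand.encode()).hexdigest() == target_hash:
            return cand, guesses
    return None, guesses


if __name__ == "__main__":
    pw, n = crack_from_history(OLD_PASSWORD, CURRENT_HASH)
    print(f"transformed password: {pw!r} found after {n} guesses")
    pw, n = crack_from_history(OLD_PASSWORD, RANDOM_HASH)
    print(f"random password: {pw!r} after exhausting {n} guesses")
```

The point of the contrast is the size of the search: a few hundred transformation candidates cover the rotated password, while the genuinely random replacement is never found by this method. The same holds when the real hash is a slow KDF; it multiplies the cost per guess, not the number of guesses.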
Keep in mind, however, that password policies and practices are only one part of an effective security program. Even when strong password policies are enforced, you still need to monitor the devices on your network and the traffic between them, looking for anomalous patterns that may signal a security incident. The faster a potential incident is identified, the faster it can be remediated and the less damage it can do.
Think about this for a moment. The logic behind requiring frequent password changes is an assumption that attackers may already be inside the network with a compromised login that has not yet been detected; the rotation caps their access at 30 or 90 days, after which the user changes the password and locks them out. As the research above shows, an attacker who knows the old password is often not locked out at all. And if we are assuming logins have already been compromised, it follows that security monitoring is imperative: you need to see what those presumably compromised accounts are doing and uncover any malicious activity so it can be stopped before too much damage occurs.
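What that monitoring looks like in practice, as an added example that is our own illustration rather than any product’s detection logic: build a per-user baseline from past successful logins, then flag successes that come from a source address the user has never used, fall outside the user’s usual hours, or follow failed attempts from the same address. The log format, the account names, and the addresses (RFC 5737 documentation ranges) are all constructed for this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs in an assumed key=value format; not real data.
# Baseline: a few days of normal, successful logins.
BASELINE_LOG = """\
2016-08-01T08:02:11Z user=alice src=198.51.100.10 result=success
2016-08-01T08:15:40Z user=bob src=198.51.100.11 result=success
2016-08-02T09:01:03Z user=alice src=198.51.100.10 result=success
2016-08-02T17:45:12Z user=bob src=198.51.100.11 result=success
2016-08-03T08:30:00Z user=alice src=198.51.100.12 result=success
2016-08-04T10:12:09Z user=bob src=198.51.100.11 result=success
"""

# Period under review: alice's credential is assumed stolen and replayed from
# an outside address at 02:47, after one failed attempt.
REVIEW_LOG = """\
2016-08-08T08:05:20Z user=alice src=198.51.100.10 result=success
2016-08-08T09:10:00Z user=bob src=198.51.100.11 result=success
2016-08-09T02:47:13Z user=alice src=203.0.113.45 result=failure
2016-08-09T02:47:51Z user=alice src=203.0.113.45 result=success
2016-08-09T18:30:00Z user=bob src=198.51.100.11 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse(log):
    """Turn log text into a time-ordered list of event dicts; lines that do
    not match the expected format are skipped rather than crashing the run."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                "user": m["user"], "src": m["src"], "result": m["result"],
            })
    return events


def build_profiles(events):
    """Per-user baseline from successful logins: the source addresses seen
    and the hours of day at which the user normally signs in."""
    profiles = {}
    for e in events:
        if e["result"] != "success":
            continue
        p = profiles.setdefault(e["user"], {"srcs": set(), "hours": []})
        p["srcs"].add(e["src"])
        p["hours"].append(e["ts"].hour)
    return profiles


def find_anomalies(profiles, events, slack_hours=1, fail_window=timedelta(minutes=10)):
    """Flag successful logins that break the user's baseline or follow recent
    failures from the same address. Returns (user, timestamp, reasons) tuples."""
    alerts = []
    for i, e in enumerate(events):
        if e["result"] != "success":
            continue
        reasons = []
        p = profiles.get(e["user"])
        if p is None:
            reasons.append("no baseline for user")
        else:
            if e["src"] not in p["srcs"]:
                reasons.append("new source " + e["src"])
            lo, hi = min(p["hours"]) - slack_hours, max(p["hours"]) + slack_hours
            if not lo <= e["ts"].hour <= hi:
                reasons.append("login at %02d:00 outside usual %02d-%02d" % (e["ts"].hour, lo, hi))
        # failures for the same user from the same address shortly before this success
        recent_fail = sum(
            1 for f in events[:i]
            if f["result"] == "failure" and f["user"] == e["user"]
            and f["src"] == e["src"] and e["ts"] - f["ts"] <= fail_window
        )
        if recent_fail:
            reasons.append("%d failed attempt(s) in the prior %d min"
                           % (recent_fail, fail_window.seconds // 60))
        if reasons:
            alerts.append((e["user"], e["ts"].isoformat(), reasons))
    return alerts


def review_sample():
    """Run the detection over the constructed logs above."""
    return find_anomalies(build_profiles(parse(BASELINE_LOG)), parse(REVIEW_LOG))


if __name__ == "__main__":
    for user, ts, reasons in review_sample():
        print(f"ALERT {ts} {user}: {'; '.join(reasons)}")
```

On the constructed data only the 02:47 login for alice is flagged, and it trips all three signals at once; bob’s 18:30 login is inside his baseline window and stays quiet. A real deployment would feed the same logic from the authentication logs of the systems in question and tune the hour slack and failure window to the environment.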
If your organization could use help gaining 24x7x365 security monitoring to improve your security posture, consider managed security services from EiQ. More and more, organizations that were previously understaffed, underbudgeted, and overwhelmed are finding that EiQ’s hybrid security as a service that combines the best people, process, and technology is a welcome change from going it alone. EiQ is transforming how mid-market organizations build enterprise-class security programs. Acting as an extension of our customers’ IT teams, EiQ’s SOCVue provides continuous security operations based on best-of-breed technology at a fraction of the cost of alternative solutions. EiQ is a trusted advisor to organizations that need to improve their IT security and compliance posture by protecting their infrastructure against cyber threats and vulnerabilities. To learn more, please request a demo today.