Recently, social media giant Facebook announced that it is providing, free of charge, code that lets app developers implement delegated account recovery. This is effectively a more elegant replacement for the traditional “security questions” approach to resetting a password, which has historically required the user to set up a series of questions that (ostensibly) only they know the answers to. However, a Microsoft study from several years ago had already found that more than 10% of those supposedly “secret” answers could be guessed within five attempts by nearly anyone, and that participants forgot 20% of their own answers within six months.
While companies like Facebook work on password recovery, a more salient question is, “Why do people need to recover their passwords so often in the first place?” The answer, as you might expect, is the failure of human memory. Users are being inundated with increasingly complex password requirements for both personal and enterprise accounts. The average user, according to an online survey conducted by BuzzFeed last year, has 26 unique online identities (each a user name and password combination). Even if we could create a unique, easy-to-remember password for each of those identities, free of mandatory obfuscation and complexity rules, most of us would still forget quite a few of them every year.
So, how do we get out from under the thumb of password pain? Here are a few solutions:
- Use a Password Manager, and Change Your Passwords Frequently. It’s perfectly understandable today to have relatively complex passwords. After all, many sites require some degree of complexity to ensure that you’re not “that guy” who uses “12345,” your own name, or your email address as a password. That leads to passwords that are hard to remember: did you use a capital “R” or a lower-case “r” for the first character? Did you substitute the number “3” for “e,” or the “@” symbol for the letter “a,” in “leetspeak”? These complexities are not always the user’s fault, either. Many sites require ridiculously complex passwords (“9 characters minimum, must start with a number, must have at least two non-alphabetic characters…” You know the drill). Rules like that lead straight to the second point below, but we’ll get to that in a second.
If you’re not using a separate, completely unique password for every application and website you log in to, maximizing its length and complexity, and changing it frequently (at least once a month), then you’re less secure than you should be. One caveat: NIST SP 800-63B, published in 2017, recommends that organizations drop forced periodic rotation, because it pushes users toward predictable patterns (Summer2017 becomes Fall2017), and instead change passwords whenever there is evidence of compromise. With a manager generating random passwords, rotation loses that downside, and the urgent case is the same under either policy: change any password immediately when a service you use reports a breach. But as human beings, most of us (those without a photographic memory, anyway) can’t remember even one such password, let alone dozens. The solution is a password manager. Password managers solve the problem of multiple, complex, frequently changed passwords by putting all of them in one place, unlocked with a single strong master password (and preferably an additional authentication factor). They take many forms, from desktop and mobile apps like Dashlane and Keeper to web-based services such as LastPass and Zoho Vault. They all have one thing in common: they generate long, random passwords for applications and websites and store them in an encrypted vault (local or in the cloud) that you can open at any time. Most importantly, they let you rotate passwords without ever having to remember them. The master password is now the one password that matters, so make it a long passphrase and turn on whatever second factor the manager offers. Trust me on this: if you’re not using a password manager today, get one (many are completely free), use it, and start regularly changing your passwords.
- If You are Responsible for Password Policy in Your Organization, Have Pragmatic Policies and Trust… But Verify. When conducting a physical security assessment for a client a number of years ago, we looked at how well employees were following the “clean desk policy,” which required them not to leave any sensitive information on their desks while away. It took only a few minutes to discover that, while people weren’t sticking their passwords to their monitors, they were indeed keeping track of them in journals inside their desks and in plain-text files on their PC desktops. The fact is, when you make a password policy too complex, especially for institutional credentials such as network and VPN logons, you are being counterproductive. Institutional users will generally follow the path of least resistance, and that means writing down the complex mandatory passwords to make their lives easier.
Fortunately, it doesn’t have to be this way. If your policy relaxes the composition rules (mixed case, mandatory non-alphabetic characters) while requiring longer passwords, you’ll encourage users to adopt passphrases that are easy to remember yet still difficult to guess or crack. Screen new passwords against a list of commonly used and previously breached passwords so that something like “Password2017!” can’t slip through on length alone. Coupled with multifactor authentication (see the third point below), and with password changes whenever there is reason to suspect exposure rather than only on an arbitrary calendar, this will dramatically reduce the number of users relying on “helpful hints” to store their passwords, and improve password security at the same time.
Finally, for password stores you control (for example, Active Directory and LDAP), periodically run password strength assessments to determine whether users are actually choosing good passwords: extract the hashes, run them against wordlists and mangling rules with a cracker such as hashcat, and look for accounts that share a hash, which means they share a password. This can be done on premises, but if you’re auditing large numbers of hashes I highly recommend cloud GPU instances from IaaS vendors like AWS and Azure, which scale quickly and make much faster work of this type of task. Treat the extracted hashes as the sensitive material they are: restrict who can run the audit, encrypt the dump in transit and at rest, and destroy it when the audit is done.
- Multi-Factor Authentication Is Your Friend. Ultimately, a password on its own is a single point of failure: whoever has it has the data. For some types of information, such as banking, investment and healthcare data, both individuals and companies should already be using some form of multi-factor authentication, even if it’s a weaker form such as SMS verification codes, which are exposed to SIM swapping and interception; an authenticator app or hardware token is better wherever one is offered. But if you’re not using multi-factor authentication today everywhere it’s available, for social media accounts, network logon, and more, then you’re missing an opportunity to make your systems and data more secure.
Twenty years ago, passwords were considered a safe way to ensure confidentiality on computer systems. Today, the reality of successful attacks on password credentials requires both individuals and organizations to rethink their password and authentication strategies.