Security Awareness Blog

Guest Post - Limits of Password Security Awareness

[Editor's Note: This blog is from Geordie Stewart and is part of a new series where we get insight from other security awareness professionals. Every organization and their security awareness program is different. As such, every organization has a different story to tell and different lessons learned to share. This is one of those stories.]

Security Awareness is a valuable tool in the security toolbox which helps protect information systems through defence in depth. However, like any tool, Security Awareness has its strengths and weaknesses. Our job as security professionals is to understand those strengths and weaknesses so we can advise management on the best way to employ the tools at their disposal. Sometimes, tools can be effective but still not be efficient for the context in which they are being employed. Sure, you could cut down a tree with a chisel but even if you were successful people would still think you were the village idiot because it would have been better to use an axe.

There've been a large number of password database disclosures this year including LinkedIn, Yahoo and Gamigo which have made for interesting analysis. Crazy passwords are still in common use. "Password", "1234" and "QWERTY" are all routine combinations. It's great to have some data to analyse, but what conclusion should we draw? Sure, on one hand, there are some depressingly naive users out there. But what's the answer? Is this just a security awareness problem? Let's pause for thought before we jump to the conclusion that more training is needed.

Surely a bigger question is why on earth are LinkedIn and Yahoo allowing users to have passwords like "1234"? As a general rule, users will use the simplest password they can which meets the rules of the system. Ergo, the system's simplest password needs to provide an adequate level of protection from guessing attempts. Therefore, from an engineering perspective these systems were wrongly designed.

For years we've been focused on complexity and as a result users come up with combinations like "Password1" which meet our complexity rules but don't effectively mitigate our risks. We need to change. We need to stop talking about password complexity and start talking about password commonality. Its password commonality which causes the biggest vulnerability to brute forcing and guessing attempts, not a lack of complexity. Complexity no longer has relevance that it used to since the widespread introduction of controls on password attempts. Consider that a system which limits attempts to 5 per 30 minutes will "only" allow 240 attempts per day. To try all combinations of just a three character alphanumeric password on such a system would take nearly 3 years. Trying all combinations of an alphanumeric four character password would take more than 27,000 years.

Authentication mechanisms are much more likely to be compromised by password database disclosures, password re-use and key-loggers. Potentially, we're doing more harm than good by occupying valuable (and limited) audience attention spans discussing complexity for a marginal return.

Its common on airplanes to have limiters installed which restrict the degree of banking turns that an aircraft can make. Sure, the pilots are fantastically well trained and very risk aware. But the systems they use are still designed to prevent dangerous actions. We should be applying the same principle here.

It seems the blindingly obvious, but why isn't password blacklisting in widespread use? Its not enough to just have complexity rules, we need ways of banning specific common passwords. "YourOrganisationName123" is another common password that should be routinely banned. The big vendors such as Microsoft and Oracle make it very difficult to ban passwords without buying 3rd party products. This needs to change. We need password blacklisting as standard on authentication systems. A good start would be to ban all the known problem combinations from our systems.

Part of knowing and playing to your strengths is acknowledging your weaknesses. As an industry we need to acknowledge that while we can help optimise password security through our communications, we're not always the primary fix. Sometimes it's an engineering problem. Distributing more facts to users isn't always the best ways to fix our security problems. We also need to be ergonomics champions on behalf of our users and push back against shoddy engineering designs. There's no point transferring risks to users if it's then going to cost considerably more to manage. I guess to use my earlier metaphor, user training in this instance to solve the password complexity issue would be the chisel approach — why chip away when you could use an axe on the root of the problem by designing systems to avoid known problem passwords?

While password complexity is a traditional topic, it's no longer of much use to our users and it's time for us to move on. Our communications need to be concentrating on other higher return topics such as phishing and password reuse.

BIO: Geordie Stewart, MSc, CISSP, is the Principle Security Consultant at Risk Intelligence and is a regular speaker and writer on the topic of security awareness. His blog on information security risk communication is available at http://www.risk-intelligence.co.uk/blog. His particular interests are how marketing and safety risk communication can be used to promote more effective approaches to security awareness.

8 Comments

Posted July 31, 2012 at 8:39 AM | Permalink | Reply

bob

there are some depressingly naive users out there"
How do you tell the difference between naive users and junk accounts?

Posted July 31, 2012 at 1:18 PM | Permalink | Reply

Dogan Eskiyoruk

I can't see how your suggestion is like using an axe on the root of the problem. Wouldn't banning all the known problem combinations lead to new problem combinations. I don't know what the exact solution is but if the problem stems from password database disclosures, password re-use and key-loggers, we should try to fix these. Or maybe, better yet, find a replacement to the password concept.

Posted August 1, 2012 at 8:27 AM | Permalink | Reply

Geordie Stewart

@Dogan, Yes you're right ''" if we ban current known problem passwords some users will move on to other problem combinations. In that sense its an arms race just like many other risks in information security. The question is what the most cost effective way is to participate in that arms race. My point is that it makes much more sense to manage common problem combinations through dynamic password blacklists than by traditional mass education.
In every organisation Ive worked in, passwords containing a variation of organisation-name have been a constant problem. I know through, that if reset passwords and train the users some will still then select organisationname1 as their new password. The axe for the root of the problem is just to blacklist all variations of the organisations name.

Posted August 2, 2012 at 11:54 AM | Permalink | Reply

Geordie Stewart

Update: Yet another major password breach caused by re-use, not complexity.
http://www.theregister.co.uk/2012/08/01/dropbox_breach/

Posted August 2, 2012 at 12:06 PM | Permalink | Reply

Sean Pollonais

Geordie,
Great point. Passphrases have been recommended to increase randomness.
The insistence of InfoSec to regularly change passwords is burdensome for users who too often have to come up with a new phrase. I suggest to users to have a common seed for each one which kick starts the process. e.g. my seed might be "myshoesizeis10" which I can chop and change easily.
Technology supports awareness and enforces policy.
Sean

Posted June 20, 2013 at 10:53 AM | Permalink | Reply

Rahul

Security awareness is a valuable tool in the security toolbox which helps protect information systems. I think Regularly change password is a good idea to protect your database. Thanks for your valuable information.

Posted July 17, 2013 at 6:18 AM | Permalink | Reply

Lucky Balaraman

What's wrong with spending around $30 a year for using a password creator/manager program? A breach could cost you several times that amount!
Lucky Balaraman

Posted July 17, 2013 at 1:39 PM | Permalink | Reply

lspitzner

Actually I see nothing wrong with $30 for a password manager. Personally I think it is one of the best investments you can make and I'm a huge fan/supporter of the concept