Last Updated on September 10, 2021
With 65% of user habitually reusing passwords across multiple applications, hackers have a lot of ammunition to shoot at your corporate network. Multi-factor authentication (MFA) certainly helps reduce that risk, but it’s not a silver bullet.
What’s the current state of the art in locking down compromised passwords before hackers can use them against you? And what is the latest password policy wisdom to support that?
To tell you everything you need to know about reducing password-related risk, we asked Josh Amishav-Zlatin, Founder and Technical Director at BreachSense, to join a recent episode of The Virtual CISO Podcast. Hosting the show is Pivot Point Security CISO and Managing Partner, John Verry.
Rotating passwords is passé
Many businesses still require password changes on a periodic basis, with the interval varying by the sensitivity of the data involved. For example, you might require a new Active Directory password every 3 months, but only rotate Salesforce.com passwords every 12 months.
Or you could align your password policy with the latest NIST SP 800-63 Digital Identity Guidelines, and just give password rotation a miss. Why? Because password rotation is proven to no longer be effective in preventing attacks.
This is because hackers now have access to blindingly fast password cracking tech, programmed with hashcat rules to simulate all the tricks that users commonly apply to tart up their time-worn passwords so they can still remember them. You know, adding a number at the end, capitalizing the first or last letter, incrementing a number, adding special characters in the first or last positions… In fact, typical complexity rules don’t add sufficient complexity to protect your applications from brute force password cracking attacks.
Variations on existing passwords don’t work either
“If you still have an eight-character [base] password, with those special characters and uppercase/lowercase, we’re still going to be able to crack that password—especially when we have the hash,” Josh warns.
“When you brute-force password updates, people just increment the last number or increment a number at the beginning,” explains Josh. “But the amount of variation that people add to the passwords when you brute-force password updates is very small, and we can normally predict those.”
Leveraging this same technology, the BreachSense service lets you test different permutations of compromised passwords. This is key because, if variations of a leaked password are in use in your environment, they’re de facto just as dodgy as the original password.
It’s a new world out there
“Password policies should be updated to reflect reality,” advises Josh. “They’re very often not, in which case, from an offensive point of view, we [meaning hackers] can normally take advantage of that—especially if we’ve got visibility into the target’s passwords on other platforms. We can then just take that as the base and play with it until we get one that works.”
The latest password policy recommendations from John and Josh (and NIST) include:
- Enable MFA wherever possible. As OWASP says, “Any MFA is better than no MFA.”
- Long passwords (greater than 12 characters and hopefully closer to 20) are safer because, all things being equal, they take longer to crack.
- Passphrases tend to work better than randomized/auto-generated strings. Do everything possible to thwart easily guessable passwords that users make up on their own.
- Password managers are a huge help for generating and keeping track of all those long, unique passwords.
- Force password changes infrequently, if at all.
- Use a modern hashing algorithm like Argon2id or bcrypt to make it much harder (months or years versus minutes) to crack your passwords if the hashes are made public.
- Consider a monitoring service like BreachSense to alert you to leaked credentials, and to validate that new passwords and their predictable variants are “clean” before putting them into service.
If you’re looking for new solutions to the problem of password-related risk, you’ll find them in this podcast episode with Josh Amishav-Zlatin
Looking for some more great content around password policy? Check out this post: What is BreachSense and Why Do We (as an Org with Password Risk) Care? | Pivot Point Security
Or listen to the podcast episode all the way through: EP#57 – Is Your Business Safe? w/ Josh Amishav-Zlatin | Pivot Point Security