Bill Gates famously predicted the death of the password at the RSA Security Conference in 2004. Since then, many thousands of others have piled on. And despite all these claims of the imminent extinction of the password, rather than being relegated to the wastebin of antiquated IT practices, passwords seem no less relevant in 2020 today than in 2004.
While a password remains an important first stage in any authentication process, what has changed is that a password today is less likely to be used as the sole security mechanism.
This past July, the Center for Internet Security (CIS) published a Password Policy Guide. This document is packed with advice, backed by solid research, on how to approach passwords in your environment. One of the really interesting parts of the CIS document is the section, How Important is a User’s Password?
In this blog we will assess common password attack vectors, calculate some password cracking probabilities, and unpack key guidance from CIS and NIST on password security, and discuss the different implications in protecting human versus machine passwords.
What You Should Know about Password Attacks
When evaluating the data on the various password exploits, it’s clear that the vast majority involve the hacker obtaining the entire password. Once someone obtains your whole password, the complexity of the password is irrelevant.
However, password complexity is only important with regards to guessing attacks. Guessing attacks involve the attacker working through possible variants of passwords in one of two ways:
- Online - directly with the system they are trying to hack – not just on the Internet
- Offline - usually with the database of user accounts and passwords
Leveraging tools that specialize in high-volume, complex mathematics, such as graphics processors, guessing attacks are increasingly more effective at cracking passwords. Rigs intended for mining new cryptocurrencies also serve as brilliant password cracking tools.
CIS indicates that these cryptocurrency/password-cracking rigs can easily achieve 100 billion tests per second. CIS also suggests that well-funded attackers, perhaps Nation States, could reach 100 or 1000 times that rate. While that seems like a scary capability for any attacker to have, keep in mind that performing 100 billion tests per second would still mean it takes the attacker roughly 20 years to test every possible combination in a 10-character password. Statistically you’d expect an average of half that number to break a password (so, a mere 10 years), but don’t take that as an excuse to use ‘aaaaaaaaaa’ as a password--that’s likely to be the first test!
How Password Policies can be Undermined by their Unintended Consequences
For years, we’ve asked our users (employees, vendors, customers, etc.) to choose complex passwords. We’ve frequently required them to have a capital letter, a symbol, and a number in their password.
How many times do you think these password creation instructions have resulted in a capital letter at the start and the symbol and number at the end? After all, we are working with people. In trying to make the passwords memorable to themselves, humans fall into predictable habits, and these habits translate into password patterns that are more easily guessed.
NIST suggests that users select 4-5 random words, then create a simple story to help remember those words. Passphrases are another approach, but tend to lead to the initial capitalized letter and the symbol at the end, where those characters are required. While both of these approaches do lead to longer passwords, they tend to be significantly less complex than random passwords of similar length.
Comparing Word-based Versus Character-based Passwords
There are approximately 96 easily typed characters that may be used in a password. Some systems do not permit all those characters in passwords, but for the sake of our example, we’ll go with 96.
A password composed of 5 random words, without spaces, is likely to yield around 20-25 characters. Most adults know between 20,000 to 35,000 words in their native language, but only use around 7,000 per day.
We can work out the number of possible passwords easily by calculating the number of possible words raised to the power of the number of words in our password. In this case, that’s 7000^5, which equals 16,807,000,000,000,000,000 possible combinations to check!
As already mentioned, 5 words would result in around 20-25 characters (based on average word length in English)—let’s go with 20 characters for a random password. We use the same formula, number of possible characters to the power of the number of characters in our password: 96^20, or 4,420,024,338,794,077,316,988,270,789,431,736,139,776 possible combinations!
You can immediately see that the possible random character passwords are massively larger than the random words, and the same is true for passphrases. For those interested, it’s around two hundred and sixty-two quintillion times more combinations using random characters (262,987,108,870,951,229,665). Even using 1,000 crypto mining rigs, it could take 100 million times the age of the universe to crack.
Passphrases and the NIST guidance will lead to better passwords than just letting people loose with the length and complexity requirements. This is where password managers become so valuable. Password management tools can generate random passwords, and also eliminate the need for users to remember them.
Passwords are not the compete answer for secure authentication. Most passwords that fall into the wrong hands aren’t discovered via brute force attacks. Rather, the passwords are already known since they’ve been reused across many systems and have been compromised elsewhere. A Google survey release last year found that 65% of people use the same passwords across multiple accounts, with 13% of them using the same password across all accounts!
Often, password re-use traverses both work and personal accounts. The typical user may engage in riskier activities on their personal device, while also lacking enterprise-grade endpoint security and other protections. If they’re re-using their passwords across personal and work accounts, they can potentially provide attackers with an easy pathway into the enterprise.
How MFA Boosts Secure Authentication
To increase password security, we need to layer on additional types of authentication, starting with multi-factor authentication (MFA).
MFA involves using three types of things that a person can present to prove who they are:
- Something they know
- Something they have
- Something they are
Commonly these are:
- Mobile phone, hardware token, smart card
- Biometrics - iris, fingerprint, face
When we add one or more of these “things” together, it becomes dramatically harder for a hacker to gain access to the system. Knowing someone’s password, or even managing to guess it (assuming that system controls prevent you just trying password after password), doesn’t get you their ‘something they have’ or their ‘something they are’. The systems behind each of these “things” have flaws, but when these “things” are combined together, they are virtually uncrackable. This is the authentication security multiplier benefit MFA brings to the equation.
Password Best Practices
The CIS Password Policy Guide does a great job in explaining MFA and highlighting its benefits for your organization. CIS even suggests that an 8-character password is enough when you have MFA in place. So, while the password is not dead, it’s not the sole authentication mechanism that it once was.
While 8-character password combined with MFA may suffice for individual human accounts, when computers are authenticating to other computers, or accounts are shared between individuals, life is complicated by MFA.
With shared accounts, any additional factors for authentication need to either be either:
A. Replicated across multiple people (i.e., a token that generates the same code for everyone at the same time), or
B. A system that allows multiple biometric inputs (at least one per person sharing the account)
That’s a lot to manage. It also equates to a reduction in the security of each of the factors involved – it only takes 1 of X tokens to be dropped. This may not cause an alert as quickly as a single token being lost, or leads to greater chance of a biometric being accepted when there are many more faces, irises, or fingerprints that need to be matched.
Where machines are involved, we may only have passwords to rely on as the sole factor for authentication. Again, I’ll leave it to the reader to work through why the other factors aren’t applicable.
In these scenarios involving shared accounts or machines, we want to have complex passwords (as hackers are more likely to want to brute force these accounts). For added security, we also want to avoid revealing those passwords to the end users.
Privileged password management solutions, like BeyondTrust’s Password Safe, combine the best practices for individual account security with secure access to highly privileged accounts to ensure shared account access is safe. Password Safe also provides a RESTful API to allow applications and systems to retrieve the complex passwords they need, when they need them, obviating the need to store the passwords within the applications or systems.
Password Safe can also change the password (called password rotation) every time the account has been used and/or periodically, regardless of whether or not the account has been used. Frequent rotation helps mitigate, or altogether prevent, the threat of password re-use exploits.
When you don’t need to type in the password, there’s no reason to have less than the maximum length and maximum complexity passwords, which, in Active Directory, is 256 characters long, or 96^256 using the formula from above. That yields quite a few variations:
2,893,581,093,653,115,164,161,933,786,472,865,307,054,850,041,555,834,807,355,298,357,642,001,423,684,509,786,184,682,298,590,635,716,509,504,238,070,459,087,259,590,817,323,666,539,508,810,439,967,185,702,245,033,781,585,657,410,029,342,566,710,267,132,793,508,977,853,052,011,101,184,140,289,457,212,117,185,180,173,761,609,884,498,478,888,471,718,658,247,296,255,463,743,905,631,817,450,244,636,975,035,278,666,832,015,000,463,901,835,813,563,758,653,390,341,071,714,156,276,249,876,315,300,734,154,815,463,209,135,058,113,530,000,241,578,181,162,922,756,470,061,142,398,947,545,341,305,520,436,069,696,846,657,264,445,648,545,131,545,392,904,495,641,540,294,844,346,269,696 - to be precise!
Steps to Protect Your Human & Machine Passwords
While password complexity may not play a part in many of the attacks than happen today, if we all use different, random, relatively long (12+ characters) passwords for every system we use, we will make it exponentially more challenging, and unlikely, for the hackers to win. Password Managers and Privileged Password and Session Management Solutions play an essential role here. If we also use MFA, wherever possible, for individual accounts (and many Personal Password Managers can help there too!), then we could just win this battle.
Like all security systems, password security is all about layers of protecting and not relying on just one thing to keep us safe. That said, we need to start somewhere. and the CIS Password Policy Guide is a great start for passwords for people. For guidance on securing privileged passwords for humans and machines (applications, RPA, etc.) check these resources:
Brian Chappell, Chief Security Strategist
Brian has more than 30 years of IT and cybersecurity experience in a career that has spanned system integrators, PC and Software vendors, and high-tech multi-nationals. He has held senior roles in both the vendor and the enterprise space in companies such as Amstrad plc, BBC Television, GlaxoSmithKline, and BeyondTrust. At BeyondTrust, Brian has led Sales Engineering across EMEA and APAC, Product Management globally for Privileged Password Management, and now focuses on security strategy both internally and externally. Brian can also be found speaking at conferences, authoring articles and blog posts, as well as providing expert commentary for the world press.