- They're easy to steal.
- They're easy to share.
- Most are easy to guess or crack.
- And once they've been compromised, they're not just useless, they can actually be dangerous, if re-used on multiple accounts.
As a result of this inherent weakness, the innovators of the industry have toiled for years to perfect a wide range of multifactor authentication (MFA) and other password-less login options, spurring prognosticators and pitch people to predict the death of the password for at least a decade now. These predictions seem a little less far-fetched today—after all, enterprises are ramping up their MFA investments considerably in 2021.
And yet, passwords still reign as the primary (and often sole) form of authentication in most systems today. According to Forrester analysts, 70% of enterprises are still password-centric. Passwords persist because they're easy to use, they're easy to design logins around, and they're a well-known commodity.
“We need to give more credit to what passwords in the traditional sense do extremely well,” explained Troy Hunt, a well-known security expert and founder of Have I Been Pwned, a site that hosts a database of over 11 billion known-to-have-been-compromised passwords. “The thing that passwords do better than just about everything else is that everyone knows how to use them.”
The point here is to not throw our hands up in despair and give up, but instead to recognize that passwords will be with us for a long while yet, and to employ strategies that can minimize the risks of their inherent insecurities wherever possible.
The following suggestions are seven ways to do just that:
Tip #7 - Screen Passwords for Compromises
There's perhaps no better marker for identifying a weak password than to look for signs that it has been compromised at some point. Known compromised password corpuses like Have I Been Pwned provide an excellent resource to vet passwords as users come up with them and on every login. There are also many tools on the market that leverage APIs from legitimate password repositories to check on the compromise status of passwords in real-time.
Tip #6 - Forget What You Know About Complexity Rules
Security experts used to recommend enforcing very taxing complexity rules for passwords, dictating a specific combination of special characters, upper- and lower-case letters, numbers, and so on. However, research has shown that users tend to game these rules in predictable ways—moving from ‘password’ to something like ‘p4$$word’ or ‘password!’
These rules tend to only aggravate users without raising the bar on security. As a result, standards bodies and experts are moving away from these types of rules. Last year, the National Institute of Standards and Technology (NIST) dumped these complexity requirements from its Digital Identity Guidelines (Special Publication 800-63B), and instead recommended screening and blacklisting passwords for previous breaches, as well as:
- Dictionary words
- Repetitive or sequential characters (aaaaaa or 1234abcd)
- Context-specific words, like the name of the service, the user’s name, and derivatives
Tip #5 - Don't Worry About Periodic Resets
Also contrary to common wisdom, the use of password expiration is growing out of favor as research shows it doesn't really do much for security. NIST suggests avoiding forced periodic resets with the rationale that password verifiers shouldn't make users make arbitrary changes, but it strongly recommends changing passwords if there's evidence of password compromise.
Tip #4 - Make it Easier to Use Lengthy Passphrases
One method of strengthening passwords that NIST and others are fully on board with is simply making passwords longer. NIST guidelines recommend that password requirements be set at a minimum of eight characters. They suggest that organizations strive for longer minimums and also design systems that accept passwords with as many as 64 characters to encourage users to utilize passphrases. Longer passphrases are much harder to crack or guess and do more for raising the cost of these attacks for the bad guys than any other kind of complexity rule.
Tip #3 - Enable MFA When Available
Approximately three in four enterprise risk managers say they plan to invest in more MFA in the coming year. Sometimes the problem isn’t that MFA is unavailable on a particular platform, but that users and administrators are not taking advantage of it when it is already there to supplement passwords.
According to a recent study, a whopping 78% of Microsoft® 365 administrators do not have MFA activated within their environments. One of the best ways that organizations can mitigate the risk of passwords is to start enabling MFA when available.
Tip #2 - Give Users a Password Manager
When MFA is not available, password managers can provide a great middle ground for managing a lot of the risks of passwords used as a sole form of authentication. Password managers automatically create longer passwords with more complex, random strings of characters every time a user starts a new account and yet the user only must remember a single passphrase. NIST does not specifically mandate or demand the use of password managers, but it does endorse and encourage them by suggesting that password verifiers allow pasting of passwords into entry boxes to facilitate password manager use.
Tip #1 - Double Check Practices Around Password Manager Master Passwords
If your organization does enable users to utilize password manager, just be sure the users’ master passwords for the platform are thoroughly hardened. NIST suggests the following:
- Choose a long passphrase for the master password to the password manager and protect it from being stolen by storing it offline rather than on your computer or smartphone.
- Avoid password managers that allow recovery of the master password. Any compromise of the master password through account recovery tools can compromise the entire password vault.
- Use multi-factor authentication for program manager applications that allow that capability.
While the above seven methods are not foolproof, security solutions such as BlackBerry® Persona offer an alternative, leading to a more password-friendly future. BlackBerry Persona uses derived biometrics to establish a user’s authenticity on a particular device and thus won’t keep prompting for a password to be entered.
Learn more about BlackBerry Persona.
Author: Baldeep Dogra Director, Product Marketing at BlackBerry.