Strategy Day 9 Combat the Password Crisis
With over 80% of hacking-related breaches linked to weak, reused or stolen passwords*1, user credentials are emerging as the top vulnerability for businesses. Balance convenience and security by monitoring the dark web for exposed credentials, implementing multi-factor authentication, and streamlining control of password management.
While many think passwords are outdated, the fact remains that most businesses rely on passwords to authenticate to their networks. But there is hope. While I personally do not see the use of passwords for authentication going away any time in the near future, I always advise that you implement Multi-Factor Authentication, or MFA.
The current trend away from mandatory password rotation grew out of the NIST guidelines, which state that making users change their passwords at regular intervals contributes to a heightened risk of breach. NIST states ‘Passwords should be changed ONLY when evidence of a breach is seen.’ Not really sure how or why this posture has been taken, but it is possibly because users don’t like to change passwords. Enforcing PW change policies may make users write the password down in order to remember it.
With the use of PW Vaults and MFA, I feel the NIST guideline is misleading and not really helping in any way. I have also read that at least one so-called expert advises against the practice of forced PW change intervals and reuse policies because, he claims, they increase risk; for some reason he believes that the old passwords would be in a plain-text file on the server. This is just plain dumb coming from an Expert. He should know at least the basics of how passwords are supposed to be stored.
Any best practice regarding passwords will state that passwords are NEVER to be stored in ANY file as plain readable text. They should be salted and hashed. Salting is adding extra characters to the password before hashing. Smart use of salting means using a unique salt for each user’s password. It is really easier to do than you may think.
Hashing is the process of running a string of characters, here the salted PW, through a mathematical algorithm to produce a new string. This is different from encrypting, as hashing is NOT reversible whereas encryption is.
The new user-chosen password, with the salt added, is hashed, and the result is compared against the previously recorded/stored salted hashes. If it matches, the password is rejected and the user is forced to choose another. The fear of passwords being compromised by someone finding and using a plain-text file should be the least of your concerns, because it should not happen. It should not happen because data, at rest OR in transit, should always be encrypted and never world-readable. So in fact not only is the file of stored data encrypted, it also contains only hashes, not plain text.
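To make the salt-and-hash scheme above concrete, here is an added example (not code from the original post) of per-user salted password storage with a password-history check. Because every stored entry carries its own random salt, a candidate password cannot be compared by hashing it once; it has to be re-hashed with each stored entry's salt, which is what `is_reused` does. The key-derivation function (PBKDF2-HMAC-SHA256), the iteration count, the history depth and the sample passwords are all assumptions chosen for the example.

```python
"""Salted password storage with a password-history check (illustrative example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Work factor for PBKDF2-HMAC-SHA256. Kept low here so the example runs quickly;
# production deployments should use a far higher count (OWASP's published
# figure for PBKDF2-HMAC-SHA256 is 600,000 iterations).
ITERATIONS = 100_000
# Policy value (constructed): how many previous passwords are disallowed.
HISTORY_DEPTH = 5


@dataclass
class StoredPassword:
    """What the verifier keeps on disk: the salt and the derived hash, never the password."""
    salt: bytes
    digest: bytes


@dataclass
class UserRecord:
    current: StoredPassword
    history: list = field(default_factory=list)  # most recent first


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a 32-byte digest from the password and a per-password salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def new_stored_password(password: str) -> StoredPassword:
    """Create a fresh entry with a unique random 16-byte salt."""
    salt = os.urandom(16)
    return StoredPassword(salt=salt, digest=hash_password(password, salt))


def verify(record: UserRecord, candidate: str) -> bool:
    """Login check: re-hash the candidate with the stored salt, compare in constant time."""
    digest = hash_password(candidate, record.current.salt)
    return hmac.compare_digest(digest, record.current.digest)


def is_reused(record: UserRecord, candidate: str) -> bool:
    """History check: each entry has its own salt, so re-hash the candidate per entry."""
    for entry in [record.current] + record.history:
        if hmac.compare_digest(hash_password(candidate, entry.salt), entry.digest):
            return True
    return False


def change_password(record: UserRecord, candidate: str) -> bool:
    """Reject a reused password; otherwise rotate the current entry into history."""
    if is_reused(record, candidate):
        return False
    record.history.insert(0, record.current)
    del record.history[HISTORY_DEPTH:]  # keep only the most recent entries
    record.current = new_stored_password(candidate)
    return True


if __name__ == "__main__":
    # Constructed sample account; the passwords are example values only.
    rec = UserRecord(current=new_stored_password("Winter2024!"))
    print("login ok:", verify(rec, "Winter2024!"))
    print("reuse of current rejected:", not change_password(rec, "Winter2024!"))
    print("new password accepted:", change_password(rec, "Spring2025?"))
    print("old password still rejected:", not change_password(rec, "Winter2024!"))
```

Nothing in the record is reversible: a stolen copy yields salts and digests only, and each digest must be attacked separately because the salts differ.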
Sorry about that rant, but I just want to make it clear that stored passwords generally won’t be your problem. If the PW file is plain text and is stolen, then you have already been victimized. Strong PW policies, the use of PW Vaults and MFA are the proper way to go.
Regardless of your opinions or mine, the basics MUST be implemented. This includes Enforcement of a Password Policy, User Training, Multi-Factor Authentication and Continuous Monitoring of internal assets and external sources such as Dark Web Monitoring.
Find out how you can overcome the password crisis in your business.
Request a Dark Web Scan to find out what credentials for your business are for sale