If you use a computer, you probably already know this: Passwords are failing at protecting users.
“Passwords as a security strategy are dead,” said David Maynor, senior director of threat intelligence with Cybrary.
Passwords haven’t worked as a solid security strategy in a long time. Stolen credentials have long been a favorite attack vector for cybercriminals — they can get a lot of mileage out of a single password.
You don’t have to be a malicious actor to see how easy it is to use a password beyond its intended use. Even advice columnists are getting questions about password sharing and the ability to access multiple accounts without permission.
The use of passwords, however, is not the problem. It is the lack of protection around passwords themselves that leave them vulnerable.
The National Institute of Standards and Technology (NIST) created standards for password policy. There are password managers that are supposed to break users of their worst habit—reusing passwords.
But passwords continue to be misused, stolen and abused. The policies are there, so why are passwords security’s weak spot?
The NIST password standard
NIST Special Publication 800-63B Digital Identity Guidelines offers best practices for password lifecycle management, as well policy standards for other authentication methods. The guidelines for password management are straightforward:
- Check passwords against breached password lists
- Block passwords contained in password dictionaries
- Prevent the use of repetitive or incremental passwords
- Disallow context-specific words as passwords
- Increase the length of passwords
Updates to the NIST framework have gotten rid of two old methods of password management: no more requirements to change passwords on a regular basis, which some believe is counterproductive; and no more complex passwords that must include a mix of upper and lower case letters, numbers, and symbols.
“The NIST password guidelines should be the baseline within the bigger picture of digital identities and authentication lifecycle management,” said Timothy Morris, chief security advisor at Tanium.
NIST frameworks serve as a baseline for overall cybersecurity systems for many organizations. The guidelines have been downloaded more than 1.7 million times and 16 sectors within the critical infrastructure rely on the framework.
Not having to create new, unique passwords every 90 days is a relief, but the NIST guideline to prevent the use of repetitive passwords is still a burden. It’s impossible to remember dozens of different passwords, and users are often discouraged from writing down their passwords.
The solution for many is to use a password manager.
“In a corporate environment, password managers not only enhance security but also optimize productivity,” said Teresa Rothaar, governance, risk, and compliance (GRC) analyst at Keeper Security.
Password managers allow IT administrators to control user password practices and enforce policies.
“Meanwhile, help desk personnel aren’t bogged down with password-reset tickets, and employees aren’t stuck in holding patterns due to lost or forgotten passwords,” Rothaar said.
Password managers are gaining popularity, with 45% of organizations deploying a password management solution, according to a study from LastPass.
While password managers can help security teams enforce policies, they open the organization to potential threats. Password managers are susceptible to the same types of vulnerabilities and risks as any other type of application, and they have been hacked and data compromised.
Just this year, LastPass suffered multiple cyber incidents, with the most recent announced this summer.
Organizations using password manager solutions have to recognize potential vulnerabilities and take steps to protect their users.
“So long as a password manager is zero-knowledge – meaning that even the vendor themselves cannot access the plain-text contents of end-user vaults – there is very little, if any, risk to the company if their password management vendor is breached,” said Rothaar.
End users can also do their part by securing password vaults with strong master passwords and multifactor authentication (MFA), which dramatically reduces the risk of a breach.
Enforcing password policies
Having policies and having password management solutions can go a long way toward building a strong security program—as long as the policies are used and enforced.
However, fewer than half, 44%, of organizations provide their employees with guidance and best practices governing passwords and access management, according to Keeper’s 2022 U.S. Cybersecurity Census Report.
Nearly one-third allow employees to set and manage their own passwords – and admit that employees often share access to passwords.
But organizations are reaching a point of no return with passwords. The NIST framework doesn’t just recommend guidelines for password management, but for a variety of authentication methods, including biometrics and multifactor.
“Time spent on enhancing password-based authentication is a wasted cost; instead, organizations should get out of password schemes as soon as possible and investigate alternatives,” said Maynor.
Its time to recognize that password strategies are artifacts from a time before the world became digitally reliant. Password policies aren’t being enforced, so they aren’t effective in protecting the user.
Organizations should consider moving passwords into the background and look at other options designed to keep users, their identities and their data, more secure.