Editor’s note: The following is a guest article from Mike Kosask, senior principal intelligence analyst at LastPass.
When the U.S. Department of the Interior recently conducted an internal investigation into password security, the findings described a situation ripe for exploitation by enterprising cybercriminals:
- No consistent implementation of multifactor authentication.
- Outdated and ineffective password complexity requirements.
- Weak passwords – and yes, half of the most reused passwords at this organization included a variation of the word “password.”
It gets worse.
A team working for the department’s inspector general cracked 18,174 of the agency’s 85,944 active user passwords, roughly one in five. The cracked set included 288 accounts with elevated privileges and 362 accounts belonging to senior U.S. government employees.
To his credit, the department’s inspector general Mark Lee Greenblatt took to the pages of the Washington Post to detail the depth of the challenges his office faces. He also urged decision makers in the public and private spheres to take a hard look at their own organizations. Greenblatt rightly noted that, “employees are no different from most Americans in how they use passwords, so if this problem exists in my department, it could exist across the federal government and in business offices and private homes nationwide.”
The encouraging news is that password security is now a top agenda item and widely viewed as an integral component of an organization’s overall security posture. But that doesn’t always translate into action.
Unfortunately, we’re still battling a disconnect that exists between cyber awareness and implementation of good cybersecurity practices.
Changing the password security conversation
The Interior Department report underscored how easily cybercriminals can crack passwords. Yet too many of us remain prone to the “password123” syndrome simply because, well, we just find it too hard to remember complex passwords.
And even the strongest password policy imaginable won’t be enough if it isn’t enforced properly.
I spent more than a decade working at the Defense Department, which, as you might assume, requires intricate passwords. But even at one of the most security-conscious organizations in the world, people still take shortcuts.
For example, I was working with an IT partner to create a new account that had a complex password requirement. He advised me to use a simple pattern that, while technically complying with official policy, would nonetheless create a very easy-to-guess password.
Who knows how many other people he told the same thing, potentially creating numerous identical passwords that, while following the policy, were not unique and could be easily replicated.
This is the reality of our times, but it’s still within our power to change the conversation about password security. There’s a short-term fix as well as a longer-term solution.
- Organizations can start by adopting strong password policies. NIST Special Publication 800-63B offers a good baseline. Rather than mandating character-class mixes or periodic rotation, it calls for screening each new password against a blocklist: passwords exposed in previous breaches, dictionary words, context-specific words such as the organization’s name, and repetitive or sequential characters (e.g., “aaaa” or “1234”). While some users may argue that’s too onerous, it's a lot less onerous than dealing with a breach. Eliminating unnecessary risk is a prerequisite for securing your network.
- Apply MFA. A second factor means a compromised password alone no longer grants access. It reduces rather than eliminates the risk, though: one-time codes can be relayed in real time by an adversary-in-the-middle phishing page, so phishing-resistant factors such as FIDO2 security keys or passkeys give the most protection.
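As an added example (not from the article or from LastPass), the Go program below implements the kind of SP 800-63B-style screening described above: a candidate is rejected if it appears in a breached-password list, contains a dictionary or context-specific word, or is built from repeated or sequential characters, and no character-class quotas are imposed, since the guideline advises against them. The small blocklist, the assumed organization words “interior” and “agency”, and the run length of four are constructed for illustration; a real deployment would screen against a full breach corpus.

```go
package main

import (
	"fmt"
	"strings"
	"unicode/utf8"
)

// Constructed stand-in for a breached-password corpus. SP 800-63B expects a
// real one (e.g. a Have I Been Pwned download or k-anonymity lookup).
var breachedPasswords = map[string]bool{
	"password": true, "password1": true, "password123": true,
	"qwerty": true, "letmein": true, "welcome1": true,
}

// Dictionary and context-specific words rejected as substrings. "interior"
// and "agency" are assumed organization-specific terms for this example.
var blockedWords = []string{"password", "interior", "agency"}

const (
	minLength = 8  // SP 800-63B minimum for user-chosen passwords
	maxLength = 64 // allow long passphrases; 64 is the guideline's floor for any maximum
	runLength = 4  // treat 4+ repeated or sequential characters as a pattern
)

// hasRepeatedRun reports whether s contains n or more identical consecutive runes.
func hasRepeatedRun(s string, n int) bool {
	runes := []rune(s)
	count := 1
	for i := 1; i < len(runes); i++ {
		if runes[i] == runes[i-1] {
			count++
			if count >= n {
				return true
			}
		} else {
			count = 1
		}
	}
	return false
}

// hasSequentialRun reports whether s contains n or more consecutive runes that
// step up or down by exactly one code point ("1234", "abcd", "dcba").
func hasSequentialRun(s string, n int) bool {
	runes := []rune(s)
	up, down := 1, 1
	for i := 1; i < len(runes); i++ {
		switch runes[i] - runes[i-1] {
		case 1:
			up, down = up+1, 1
		case -1:
			up, down = 1, down+1
		default:
			up, down = 1, 1
		}
		if up >= n || down >= n {
			return true
		}
	}
	return false
}

// Evaluate returns the reasons a candidate fails the policy; an empty slice
// means it is acceptable. Deliberately absent: composition rules
// (uppercase/digit/symbol quotas), which SP 800-63B advises against.
func Evaluate(pw string) []string {
	var reasons []string
	if n := utf8.RuneCountInString(pw); n < minLength {
		reasons = append(reasons, fmt.Sprintf("shorter than %d characters", minLength))
	} else if n > maxLength {
		reasons = append(reasons, fmt.Sprintf("longer than %d characters", maxLength))
	}
	lower := strings.ToLower(pw)
	if breachedPasswords[lower] {
		reasons = append(reasons, "appears in breached-password list")
	}
	for _, w := range blockedWords {
		if strings.Contains(lower, w) {
			reasons = append(reasons, fmt.Sprintf("contains blocked word %q", w))
			break
		}
	}
	if hasRepeatedRun(lower, runLength) {
		reasons = append(reasons, "repeated characters (e.g. aaaa)")
	}
	if hasSequentialRun(lower, runLength) {
		reasons = append(reasons, "sequential characters (e.g. 1234)")
	}
	return reasons
}

func main() {
	// Constructed candidates, including the "password123" syndrome from the article.
	for _, pw := range []string{"password123", "Interior2023!", "abcd1234", "correct horse battery staple"} {
		if r := Evaluate(pw); len(r) == 0 {
			fmt.Printf("%-30q accepted\n", pw)
		} else {
			fmt.Printf("%-30q rejected: %s\n", pw, strings.Join(r, "; "))
		}
	}
}
```

Note that the four-word passphrase passes while “Interior2023!” fails despite satisfying every traditional complexity rule: the check targets guessability, not character classes, which is the shift SP 800-63B asks for.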
Then it becomes a matter of enforcing guidelines. However, it only takes one account to give a threat actor access. While many good policies were in place, the report notes that enforcement of these policies at the Interior Department was, at best, inconsistent.
As NIST makes clear, adversaries have demonstrated a knack for defeating passwords. The reality is that it's easy to phish for passwords. It's also easy to social engineer for passwords. And it’s easy to find passwords that somebody writes down.
In his Washington Post column, Greenblatt argues that his department needs to move beyond passwords as they are used today. He offers the example of passphrases that string together unrelated words totaling more than 16 letters. That’s a step in the right direction.
We can also bolster security with passwordless authentication in the form of passkeys. A passkey is a cryptographic key pair: the private key stays on the end-user device (or in a synced credential manager), and only the public key is registered with the relying party website. To sign in, the site sends a fresh random challenge and the device signs it with the private key, so no secret is ever typed, transmitted or stored server-side. The credential is also bound to the site it was created for, so a look-alike phishing domain gets nothing it can use. An attacker therefore needs control of the device, or of the synced credential store, to exercise the passkey, which is a far higher bar than obtaining a reused or phished password.
Similarly, a breach of the relying party website yields no reusable credentials, since the site stores only the public key and a public key cannot produce valid signatures. Other data the site holds is, of course, still exposed.
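To make the preceding two paragraphs concrete, here is an added example (not the article’s or LastPass’s code) that simulates passkey registration and login in Go using only the standard library. The relying-party ID “example.gov”, the single-table relying party, and the use of SHA-256 over the ID and challenge as the signed message are simplifications of WebAuthn chosen for illustration; the key type (ECDSA P-256, ES256) is WebAuthn’s default. It shows a genuine login succeeding, a replayed signature failing, a look-alike domain being refused by the device, and an attacker with a dump of the server’s table being unable to forge an assertion.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// Authenticator models the user's device; the private key never leaves it.
type Authenticator struct {
	priv *ecdsa.PrivateKey
	rpID string // site the credential was created for
}

// RelyingParty models the website; it keeps only the DER-encoded public key,
// which is all a database breach would expose.
type RelyingParty struct {
	id     string
	pubDER []byte
}

// Register generates a P-256 key pair on the device (WebAuthn's default ES256)
// and hands the site only the public half.
func Register(rpID string) (*Authenticator, *RelyingParty, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv, rpID: rpID}, &RelyingParty{id: rpID, pubDER: der}, nil
}

// NewChallenge issues 32 fresh random bytes per login so signatures can't be replayed.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// signedData binds the challenge to the relying-party ID. Simplification of
// what WebAuthn really signs (authenticatorData || SHA-256(clientDataJSON)).
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write(challenge)
	return h.Sum(nil)
}

// Assert is the device side. A credential scoped to one site is never
// exercised for a look-alike domain, which is what defeats phishing.
func (a *Authenticator) Assert(siteID string, challenge []byte) ([]byte, error) {
	if siteID != a.rpID {
		return nil, errors.New("no passkey registered for " + siteID)
	}
	return ecdsa.SignASN1(rand.Reader, a.priv, signedData(a.rpID, challenge))
}

// Verify is the server side: parse the stored public key, check the signature.
func (rp *RelyingParty) Verify(challenge, sig []byte) bool {
	key, err := x509.ParsePKIXPublicKey(rp.pubDER)
	pub, ok := key.(*ecdsa.PublicKey)
	if err != nil || !ok {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedData(rp.id, challenge), sig)
}

// ForgeWithStolenDatabase models an attacker holding a dump of the site's
// table: with only the public key, the best they can do is sign with a key
// of their own, which Verify rejects.
func ForgeWithStolenDatabase(rp *RelyingParty, challenge []byte) bool {
	attacker, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false
	}
	sig, err := ecdsa.SignASN1(rand.Reader, attacker, signedData(rp.id, challenge))
	return err == nil && rp.Verify(challenge, sig)
}

func main() {
	device, site, err := Register("example.gov") // assumed relying-party ID
	if err != nil {
		panic(err)
	}
	c1, _ := site.NewChallenge()
	sig, _ := device.Assert("example.gov", c1)
	fmt.Println("genuine login verifies:         ", site.Verify(c1, sig))
	c2, _ := site.NewChallenge()
	fmt.Println("replayed signature verifies:    ", site.Verify(c2, sig))
	_, err = device.Assert("examp1e.gov", c2) // look-alike phishing domain
	fmt.Println("phishing site gets a signature: ", err == nil)
	fmt.Println("forgery from leaked DB verifies:", ForgeWithStolenDatabase(site, c2))
}
```

The point to notice is what the server never holds: there is no hash to crack offline, as there was in the Interior Department exercise, and the only thing a breached table yields is a public key. Real WebAuthn adds a signature counter, user-presence and user-verification flags, and origin checking in the browser, but the trust model is the one shown here.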
All these technical changes are welcome but as they roll out we also need to gird ourselves for the long haul. My best hope is for incremental change in the months and years ahead as we foster a culture where it's okay to talk about these issues more openly. I give credit to Greenblatt because he’s helping to spotlight an urgent challenge.
We all make mistakes. But if we hope to stay one step ahead of threat actors, we should also try to learn from them.