**SARCASM ALERT** Usernames and passwords are ohhh so fantastic, I hope they hang around for a long time. Well, with the slow adoption of alternatives like passwordless authentication, I thought today might be a good chance to take you all through password security, some of its limitations and some of the options we have for securing our own personal lives, as well as good knowledge for any current or future businesses you may work at.
Despite the well-known limitations and risks associated with password authentication, it will not be disappearing any time soon, and it will continue to be the primary line of defence protecting our accounts. As long as passwords exist there will be bad guys out there who are determined to make life hard.
In my career I have regularly seen staff use their same business account details for a number of personal websites, and if you see it on their business accounts, you can guarantee they are using that same password for the majority of their personal accounts. The potential weakness of websites outside your or your business's control allows attackers to hack these websites to obtain a legitimate set of credentials. They can then use these credentials to get to something you actually care about, like your bank, considering a lot of banks do not enforce multi-factor authentication for new logins.
The advice from here on is not only pertinent to you as a security professional, but applies to you as an individual. Let's take a more proactive approach to credential management!
Proactive compromised credential monitoring: Out there in the wild sit data dumps that contain compromised passwords, usernames and other credentials, available for public consumption or on sale for the bad guys to purchase. By monitoring public dumps and credentials that are being sold within illegal online communities, companies can begin to understand their exposure and take informed next steps. To do this at home you can access websites like "Have I Been Pwned" to find out what data breaches your own accounts have been in and what has been stolen. It also allows you to check your password against known compromised passwords!
Use a password manager: This seems to come up time and time again, but password managers are still the most effective and efficient method for managing personal and business-related passwords. A password manager relieves you of the burden of remembering passwords and instead allows the creation of unique and truly unmemorable ones. For this reason, it is one of the main defences against credential theft and exploitation. Please. Pretty please. Just make sure that you use a nice strong password to secure the vault! With a cherry on top. Please.
Know when to reset passwords: Forcing people to regularly reset passwords has been one of those things we, as security professionals, have always been told is critical and increases security. However, studies prove that it does the opposite and actually encourages users to be lazy. Instead of changing the whole password, they choose to change a number or letter. If there is no reason to believe that a password has been compromised then there is no reason to change your password, unless you are just feeling a change. Organisations such as the National Institute of Standards and Technology (NIST), in publication 800-63B, have even changed their compliance requirements to encourage this new behaviour.
Multi-Factor Authentication (MFA): There will never be a time where you read about passwords and do not see “implement MFA” in the same point. MFA gives an extra line of defence to any password compromise and can minimise or even in some cases negate the impact of stolen credentials. Obviously if your password has been compromised then change it, even if you have MFA enabled.
Complexity and uniqueness standards: Complexity standards were long thought to be the bee's knees, but as mentioned before, unless you are using a password manager, they can lead to sloppy passwords that actually lack complexity even though they meet the complexity policy. Standards organisations such as NIST, in their 800-63B publication, have changed how they believe passwords should be set to prevent sloppy passwords: they have stripped complexity in favour of password length. Truly complex passwords should be generated and stored using a password manager. If you need to create a password yourself then use a nice long phrase such as "PeachpieisjustasgoodasApplepie". Just remember that if the password you just created has already been involved in a past data breach, then it is already compromised, which goes back to point 1, CHANGE IT.
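The compromised-password check mentioned under proactive monitoring, and again just above, can be done without ever sending the password itself: the Pwned Passwords range API takes only the first five characters of the password's SHA-1 hash and the comparison happens locally. The sketch below is an added example, not code from this post or from Have I Been Pwned; the function names and the `constructed_fetch` sample response (with made-up counts) are assumptions so that it runs offline.

```python
import hashlib
import urllib.request

# Pwned Passwords range endpoint: only a 5-character hash prefix is sent.
RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"

def split_hash(password):
    """Return (prefix, suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines into a dict, skipping malformed lines."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password, fetch):
    """Number of times the password appears in the fetched range (0 if absent)."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch(prefix)).get(suffix, 0)

def fetch_live(prefix):
    """Query the real service; the full hash and the password never leave the machine."""
    req = urllib.request.Request(RANGE_URL.format(prefix=prefix),
                                 headers={"User-Agent": "pw-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def constructed_fetch(prefix):
    """Constructed stand-in for the API: knows only 'password'; counts are made up."""
    known_prefix, known_suffix = split_hash("password")
    lines = ["0" * 35 + ":3", "not a valid line"]
    if prefix == known_prefix:
        lines.append(known_suffix + ":1234")
    return "\r\n".join(lines)

if __name__ == "__main__":
    for candidate in ("password", "PeachpieisjustasgoodasApplepie"):
        hits = breach_count(candidate, constructed_fetch)
        print(candidate, "-> seen in breaches" if hits else "-> not in sample data", hits)
```

Swap `constructed_fetch` for `fetch_live` to query the real service; any non-zero count means the password should be replaced.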
Implementing all of these steps is not going to make you impenetrable or immune to having your credentials compromised. These are, however, great steps that will help make your online life more robust and protected than that of others who do not employ these methods. Stay safe out there everyone!