Bad Passwords and What We Can Do About Them

Lists of the worst passwords are like a lot of tired franchise movies–they appear regularly and they’re pretty much the same story. Minor variations of the passwords “123456” and “password” always top the list, along with “qwerty” and the occasional topical term. For example, the password “dragon” has shown up in recent years, and the password “starwars”–though notably not in that tired franchise category–made a late surge this year.

Password manager company, Dashlane, has added a twist with its list of the “Worst Password Offenders” of 2017, naming high-profile people and organizations that fell into the bad-password trap. President Trump was deemed the worst offender, primarily because of simple passwords reportedly used by cabinet members and policy directors. Outside parties were also the culprits for the Department of Defense, specifically for its contractor, Booz Allen, as well as the Republican Party (stemming from a careless data analytics firm). Paul Manafort, for using “Bond007” as a password, and Sean Spicer, for apparently tweeting his passwords, also came in for scorn.

The point behind these lists is to raise awareness on cybersecurity, encourage people to learn about and use good password practices, and, of course, to get people to use password managers offered by the companies that make the lists.

On the bright side, there is the long-shot possibility that at some point in the future these lists won’t be necessary because passwords no longer will be necessary. The Federal government has made inroads into using biometrics–fingerprints or iris scans, for instance–along with security tokens for access control, and on the smartphone front, Apple and Samsung have been promoting face recognition and iris scanning for access. Biometrics have mostly been used as a secondary authentication technique, in addition to passwords, and security experts also have doubts about biometrics’ infallibility in determining that you are you.

Testers have fooled both Apple’s and Samsung’s systems, so it’s safe to assume that for the foreseeable future, passwords will be with us, and that best password practices are still worth pursuing.

The National Institute of Standards and Technology (NIST), which has issued password guidelines before, has just released new Digital Security Guidelines for Authentication and Lifecycle Management (Special Publication 800-63B). The document goes into great detail on authenticator levels and requirements for cryptographic devices and software to help agencies establish a secure infrastructure. The guidelines also offer advice on protocols that can help defend against incursions such as phishing attacks.

On the subject of passwords, NIST offers some tried-and-true (if often ignored) advice, such as cautioning against passwords that are written down on paper or stored in an electronic file that can be copied. NIST also recommends some new approaches that could make passwords more secure, some of which could make users happier. “Organizations need to be cognizant of the overall implications of their stakeholders’ entire digital authentication ecosystem,” the document states, by way of suggesting that organizations could make life easier. “Users often employ one or more authenticator, each for a different RP [relying party]. They then struggle to remember passwords, to recall which authenticator goes with which RP, and to carry multiple physical authentication devices.”

For instance, it proposes getting rid of periodic changes to passwords, a practice that not only inconveniences users but results in them writing down the new passwords, and hasn’t been shown to improve security. Likewise, organizations could eliminate the requirement for combinations of uppercase, lowercase, numbers, or special characters, which can make passwords needlessly complex and hard to remember for users. As security company Trustwave pointed out, a basic requirement of at least one upper-case letter and a number can result in “Password1” meeting the same standards as “X$nc*(24,”–and neither is as secure as a longer passphrase such as “ThisIsMyPasswordNoReallyItIs.”

“Symantec recommends combating bad passwords by implementing multi-factor authentication technology and managing access points to cut off intruders,” Chris Townsend, Federal vice president at Symantec, told MeriTalk. “Most surprisingly, an analysis of the passwords used on IoT devices found that default user names and passwords of these devices are often never changed. Symantec broke down the list of the top 10 passwords used to attempt to log in to its honeypot; they were “admin,” “root,” and a flurry of others, its 2017 Internet Security Threat Report found.”

Bill Rucker, Trustwave’s president of Government Solutions, emphasizes that his team’s analysis of recent cyber incidents concludes that weak passwords remain a significant contributor to compromise.

“We are seeing cybercriminals constantly developing new tools or modifying techniques to circumvent defenses put in place to prevent brute force attacks,” Rucker said. “These techniques employ automation and can quickly comb through millions of common password combinations against single or multiple targets. Weak passwords in today’s climate are a serious yet preventable vulnerability for all organizations.”

Another important recommendation that could go a long way toward eliminating bad passwords is screening password entries against those listed in cybercriminal dictionaries, and forbidding those that are on the list, which could take “Passw0rd” out of the running.
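The screening approach the article describes, together with the Trustwave observation above that composition rules let “Password1” through, as an added example that is not code from the article, NIST, Trustwave or Symantec. The verifier enforces only a minimum and maximum length and a blocklist, with no composition rules and no expiry, and normalises each candidate (case, common digit-for-letter substitutions, trailing digits and punctuation) before the lookup, so that “Passw0rd” and “Password1” are rejected while a long passphrase is accepted. The blocklist, the substitution table and the function names (`check_password`, `is_blocklisted`) are assumptions; a real deployment would load a breach-corpus list with millions of entries.

```python
"""Password screening in the style of NIST SP 800-63B section 5.1.1.2.

Added example; not code from the article, NIST, Trustwave or Symantec.
The blocklist below is constructed from the terms quoted in the article
and is deliberately tiny; a real verifier loads a large breach-corpus list.
"""
import string
import unicodedata

MIN_LENGTH = 8   # SP 800-63B minimum for a user-chosen memorized secret
MAX_LENGTH = 64  # verifiers must accept secrets of at least 64 characters

# Constructed blocklist (assumption): the bad passwords named in the article.
BLOCKLIST = {"123456", "password", "qwerty", "dragon", "starwars",
             "bond007", "admin", "root"}

# Undo the usual digit/symbol-for-letter substitutions before lookup,
# so that "Passw0rd" is compared as "password".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Leading/trailing digits and punctuation that users bolt on to satisfy
# composition rules ("Password1", "Password1!") are stripped for the lookup.
DECORATIONS = string.digits + string.punctuation + " "


def normalize(pw):
    """NFKC-normalise (as 800-63B requires) and case-fold the secret."""
    return unicodedata.normalize("NFKC", pw).casefold()


def candidates(pw):
    """All forms of the secret that are compared against the blocklist."""
    base = normalize(pw)
    stripped = base.strip(DECORATIONS)
    # Strip before and after de-leeting: "password1" must become "password",
    # not "passwordl".
    return {base, stripped, base.translate(LEET), stripped.translate(LEET)}


def is_blocklisted(pw, blocklist=BLOCKLIST):
    return any(c in blocklist for c in candidates(pw))


def contains_context_word(pw, context):
    """Reject secrets that embed the user name, service name, etc."""
    base = normalize(pw)
    return any(normalize(w) and normalize(w) in base for w in context)


def is_repetitive_or_sequential(pw):
    """Catch 'aaaaaaaa', '12345678', 'abcdefgh' and their reverses."""
    if len(set(pw)) == 1:
        return True
    codes = [ord(c) for c in pw]
    diffs = {b - a for a, b in zip(codes, codes[1:])}
    return diffs in ({1}, {-1})


def check_password(pw, context=()):
    """Return (accepted, reason).

    Deliberately no composition rules (upper/lower/digit/symbol) and no
    periodic-change policy, per the recommendations described in the article.
    """
    if len(pw) < MIN_LENGTH:
        return False, "too short"
    if len(pw) > MAX_LENGTH:
        return False, "too long"
    if is_repetitive_or_sequential(pw):
        return False, "repetitive or sequential"
    if is_blocklisted(pw):
        return False, "matches blocklist"
    if contains_context_word(pw, context):
        return False, "contains context-specific word"
    return True, "ok"


if __name__ == "__main__":
    for sample in ("Passw0rd", "Password1", "X$nc*(24,",
                   "ThisIsMyPasswordNoReallyItIs", "Bond007", "12345678"):
        print(f"{sample!r:35} -> {check_password(sample)}")
    print(check_password("jsmith2017!", context=("jsmith",)))
```

Run as a script it prints the verdict for each password the article mentions: the two that satisfy a classic “one upper-case letter and a digit” rule split, with “Password1” rejected by the blocklist and “X$nc*(24,” accepted, while the long passphrase passes and “Bond007” fails the length floor alone. Note that the blocklist lookup is an exact match on the normalised forms; substring matching is reserved for context-specific words such as the user name, otherwise any passphrase containing “password” would be refused.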

Despite the promise of other authentication methods, passwords won’t disappear anytime soon. But they don’t have to be lame, and dealing with them doesn’t have to be as difficult as it has been. Maybe it’s as easy as “123456.”
