UPDATE: As if to validate the point made by the experts in the post below, Twitter has announced, since this article was posted, that it is asking all Twitter users to change their passwords. An internal bug wrote user passwords to a log in plain text before they were hashed. Twitter says it has found no signs of misuse or breach, but change your password now! END UPDATE
Today, May 3, 2018, is World Password Day as well as National Day of Prayer. That seems, somehow, ironic. Maybe this is because many of us spend significant time praying that our passwords are strong enough, that they will not be discovered by the bad guys, and even that we will be able to remember them when we need them.
Chris Stoneff, Vice President of Security Solutions at Bomgar would likely argue that in addition to praying about our administrative passwords we should do what we can to keep them young and refreshed. In a blog post for Bomgar, Chris writes:
“The Static Administrator Password Problem
How old is the oldest password in your organization? Do you even know?
In my nearly two decades of professional cybersecurity experience, the longest-lived password I’ve personally witnessed was 17 and a half years old. In other words, at the time I saw it, that password dated back to the last century. I found it at a customer site during a discovery process. Until that moment, the customer had no idea this password existed.
It would be bad enough if this had been a typical user account password. But this was an administrative password that granted elevated privileges into a critical system on the customer’s network.
Securing Admin Passwords
Today is Password Day. That seems like a good time to reflect on the security of a certain type of password that many people never think about – administrative passwords.
In the IT world, most systems administrators must deal with managing administrative passwords for privileged accounts. The built-in Windows administrator account is one example of a privileged account.
It’s a security best practice to continuously change these passwords. In some organizations the admin passwords are changed to comply with regulatory mandates like PCI-DSS, HIPAA or GDPR. Sometimes the motivation to change admin passwords occurs when an employee who knows the credentials leaves the company. Regardless, these passwords must be frequently changed for the security of the company and the data the company is required to protect.
Understanding the Privileged Password Security Problem
Unfortunately, not all companies and government agencies proactively secure their administrative passwords. In many of the organizations I’ve seen, the IT group cuts corners by using the same administrator account name and the same basic password on each system. And, in most of these cases, this password has not been changed since the systems were originally deployed.
You may wonder how serious this issue really is. Judge for yourself by answering these questions:
- How many people know your admin passwords?
- Do all those people still work for your organization?
- If some of the people who know your admin passwords no longer work for the company, did they leave amicably?
- Do all your systems share the same admin password?
- Are your admin passwords complex and frequently changing?
Starting at the top of this list, it’s fair to say that the more people who know a secret, the more likely it is that the secret will get out. That’s the problem with setting the same admin password for every system and then sharing this password with the entire IT group. When organizations do this, they eventually start finding machines with various unapproved settings. They also discover regular end-users who know the shared admin password.
When Password Secrets Walk Out the Door
If all those people who know the passwords still work for your company and are happy and dutiful employees, this access risk is slightly mitigated. But you never know when you might have a malicious user to contend with. If any of those employees or contractors left the company on bad terms, you may have a loose, hostile element out there who knows how to break into your network using an otherwise untraceable account. Here is one recent example that tells the story of a former IT employee who logged in to her old company to wreak havoc.
It’s not uncommon. I’ve known people who continued to log in to systems at a previous employer just because they could. It’s mildly amusing that they are pointing out the poor practice of not changing administrative passwords, but it is also frightening to consider the damage they could do if they have malicious intent.
Why Password Age Matters
Password age is relevant because time is really what you are up against when dealing with stolen credentials. The 17-and-a-half-year-old password I mentioned at the start of this article is a particularly egregious example.
A password that isn’t changed frequently gives a bad guy all the time he needs to steal it. And once he has the password, he gains persistent access into all the systems sharing that password, until it’s finally updated. If it ever is.
What this really means is that given the will to steal an administrator password and break into systems throughout a network, all someone really needs is time. But by continuously changing privileged account passwords, you’re denying your adversaries the tools they need to succeed.”
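Stoneff's first question ("How old is the oldest password in your organization?") can be answered for the built-in local Administrator account with a few lines of PowerShell. The script below is an added example for this article, not code from Chris Stoneff's post or from Bomgar: it audits the age of that account's password on a list of Windows hosts, flags the stale ones, and with `-Rotate` gives each stale host its own random password so no two systems share a secret. It assumes PowerShell remoting (WinRM) is enabled on the targets, that the caller is a local administrator there, and that the targets run Windows 10 / Server 2016 or later (the `Microsoft.PowerShell.LocalAccounts` module). The host names are placeholders.

```powershell
<#
Added example (not from the Bomgar post): audit the age of the built-in local
Administrator password on a list of Windows hosts, flag stale ones, and optionally
rotate each to its own random password so no two systems share a secret.
Assumptions: WinRM remoting is enabled on the targets, the caller is a local admin
there, and the targets run Windows 10 / Server 2016+ (Microsoft.PowerShell.LocalAccounts).
Host names are placeholders. Skip domain controllers: they have no local SAM.
#>
param(
    [string[]]$ComputerName = @('SRV-FILE01', 'SRV-APP02', 'WS-FINANCE07'),  # placeholders
    [int]$MaxAgeDays = 30,
    [switch]$Rotate
)

function New-RandomPassword {
    param([int]$Length = 24)
    # CSPRNG bytes mapped onto a printable alphabet, with rejection sampling to avoid modulo bias.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*-_=+'
    $rng   = [System.Security.Cryptography.RNGCryptoServiceProvider]::new()
    $buf   = New-Object byte[] 1
    $limit = 256 - (256 % $alphabet.Length)
    $chars = New-Object System.Collections.Generic.List[char]
    while ($chars.Count -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { $chars.Add($alphabet[$buf[0] % $alphabet.Length]) }
    }
    -join $chars
}

# Runs on each target. Select the built-in Administrator by its well-known RID (500)
# rather than by name, so a renamed account is still found.
$audit = {
    param($MaxAgeDays)
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    $age = if ($admin.PasswordLastSet) { (New-TimeSpan -Start $admin.PasswordLastSet -End (Get-Date)).Days } else { $null }
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        Account         = $admin.Name
        Enabled         = $admin.Enabled
        PasswordLastSet = $admin.PasswordLastSet
        AgeDays         = $age
        Stale           = ($null -eq $age) -or ($age -gt $MaxAgeDays)   # never set counts as stale
    }
}

$results = Invoke-Command -ComputerName $ComputerName -ScriptBlock $audit -ArgumentList $MaxAgeDays `
    -ErrorAction SilentlyContinue -ErrorVariable remoteErrors
foreach ($e in $remoteErrors) { Write-Warning $e.Exception.Message }   # unreachable hosts are findings too

$results | Sort-Object AgeDays -Descending |
    Format-Table Computer, Account, Enabled, PasswordLastSet, AgeDays, Stale -AutoSize

$oldest = $results | Sort-Object AgeDays -Descending | Select-Object -First 1
if ($oldest) { "Oldest admin password: '{0}' on {1}, {2} days old." -f $oldest.Account, $oldest.Computer, $oldest.AgeDays }

if ($Rotate) {
    $rotated = foreach ($r in ($results | Where-Object Stale)) {
        # One fresh password per host: a password stolen from one system then unlocks only that system.
        $secure = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
        $cred   = New-Object System.Management.Automation.PSCredential -ArgumentList $r.Account, $secure
        Invoke-Command -ComputerName $r.Computer -ScriptBlock {
            param($c) Set-LocalUser -Name $c.UserName -Password $c.Password
        } -ArgumentList $cred
        [pscustomobject]@{ Computer = $r.Computer; Account = $r.Account; Credential = $cred }
    }
    # Hand the new secrets to your vault/PAM immediately. Export-Clixml stores the password
    # DPAPI-encrypted for this user on this machine; never write the plaintext to a log.
    $rotated | Export-Clixml -Path '.\rotated-admin-credentials.xml'
    "Rotated {0} account(s); credentials saved DPAPI-protected to rotated-admin-credentials.xml." -f @($rotated).Count
}
```

Run it as `.\Audit-AdminPassword.ps1 -ComputerName (Get-Content hosts.txt) -MaxAgeDays 30` for the report, and add `-Rotate` to reset every stale account. Two caveats: the audit cannot tell you whether two hosts currently share the same password (answering that would mean handling the password hashes themselves), but after a rotation no two hosts do; and a one-off script is the stopgap, not the fix. Microsoft LAPS does this continuously for the local administrator of every domain-joined machine and stores each password in Active Directory, which is the practical way to keep Stoneff's "oldest password" number small.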
So, while praying that our passwords are kept safe can’t hurt, there is much we can do to ensure our passwords are protected and only the right folks have them.
Others in the security industry will argue that the very fact we feel we need divine help with passwords is just another indication that we shouldn’t be using them at all.
Four prominent experts from VASCO Data Security and NuData Security sound off as follows:
Ryan Wilk, Vice President of Customer Success, NuData Security, a Mastercard Company
“It’s Global Password Day – a time to help organizations move beyond the vulnerabilities of the least-reliable of all the security measures they can take, and adopt a layered defense approach incorporating highly trusted forms of authentication. Passwords are static information that can be easily reused by would-be thieves, and experts advise it’s no longer a question of “if” but of “when” an organization’s or individual’s passwords are going to be stolen… especially now that we’ve entered the age of mega-breaches.”
“Unfortunately, too many people still don’t understand just how unreliable static passwords are as an effective security mechanism. In fact, many continue to reuse their usernames and passwords across many sites, even going so far as to re-use their employee usernames with accounts opened for personal use. As a result, when one account gets hacked, all of their accounts are left vulnerable, along with their employer’s valuable information.”
“The use of passwords to control account access is more a quaint artifact of a simpler era than an effective security measure. Static passwords are easily stolen and re-used, leaving the user and organization vulnerable to account takeovers (ATO) and theft. Fortunately, there’s an effective alternative for validating identities. Users are unique in the ways they interact with their devices and online across web sessions, and passive biometrics and behavioral analytics use that uniqueness to build a digital identity profile that lets organizations ensure the user is who they say – and not a fraudster using a stolen password.”
Michael Magrath, Director, Global Regulations & Standards, VASCO Data Security
“The computer password should not be celebrated, it should be eulogized. In fact, Bill Gates predicted the death of the password back in 2004.
“In today’s world, it is laughable that someone actually came up with World Password Day, given how many people around the globe have been victimized by credentials stolen in data breaches. Verizon’s 2017 Data Breach Investigations Report notes that 81% of hacking-related breaches leveraged either stolen and/or weak passwords.
“Organizations relying on a single shared secret to protect sensitive personally identifiable information (PII) have been very lucrative – for hackers. While no security solution is 100% secure, in 2018 organizations not deploying risk-based authentication solutions are hoping they can dance between the raindrops, yet most consumer-facing websites today do not offer any alternatives to “User Name, Password” and a narrow set of challenge questions that can often be answered with Facebook searches.
“That may be changing. The FIDO Alliance and the World Wide Web Consortium (W3C) recently announced that FIDO’s Web Authentication (WebAuthn) protocol has advanced to the Candidate Recommendation (CR) stage – a precursor to final approval of a web standard. The W3C has invited online services and web app developers to implement WebAuthn, and Google, Microsoft and Mozilla have all pledged support.
“WebAuthn can also support various biometric log-ins, including face and voice recognition, fingerprints, and iris scanning. It enables users to register non-password biometric or second-device authentication methods with the service, thus replacing the password.
“Passwords will likely be used for eternity in some shape or form, but the computer password as we know it may be on life-support… its time has clearly come and gone. #LayerUp”
John Gunn, CMO, VASCO Data Security
“Passwords are decades-old technology and the enemy of security. They give people a false sense of safety and are almost meaningless in today’s hacking environment. Headlines are filled with the latest data-breach-du-jour, but it’s likely that the real rate of data breaches is significantly higher than reported, simply because many companies still lack the forensic capabilities to detect that they have been compromised and that data has been stolen. All of this points to the urgent need for businesses to implement multifactor authentication and a risk-based approach to access management.
“FIDO’s new WebAuthn standard makes it easy to implement risk-based multifactor authentication with biometrics that dial down user friction and greatly increase security. We expect that passwords really will be gone from security-centric organizations and transaction types in the next 2-3 years.”
David Vergara, Director of Security Product Marketing, VASCO Data Security
“If the last year’s mega breaches have taught us anything, it’s that a trusted identity framework for online transactions and interactions is urgently needed, yet totally lacking. W3C’s WebAuthn protocol provides a unified approach that the entire industry can – and should – come together on. #LayerUp!”
You will be hard-pressed to find anyone in the security field advocating for the status quo when it comes to the use of passwords. You may not be in a position to completely do away with passwords in your organization, but until you can, experts agree that you should keep them refreshed and limit who has access to them, and – of course – don’t forget to pray!
Steven Bowcut, CPP, PSP is the Editor in Chief of Brilliance Security Magazine.