“(W)hen password changes are forced, often new passwords are algorithmically related to the old [password], allowing many to be found in few guesses,” they wrote.
And the National Institute of Standards and Technology (NIST), in a draft publication from April 2009 (although it was marked “Retired” this past April), said password expiration policies frequently frustrate users, who then, “tend to choose weak passwords and use the same few passwords for many accounts.”
Not surprisingly, attackers are very much aware of these vulnerabilities. The latest Verizon Data Breach Incident Report (DBIR) found that 63 percent of all data breaches involved the use of stolen, weak or default passwords.
A report released earlier this month by Praetorian found that four out of the top five activities in the cyber kill chain had nothing to do with malware, but with stolen credentials, thanks to things like weak domain user passwords and cleartext passwords in memory.
All of which would seem to be even more ammunition for organizations like the FIDO Alliance, which has been crusading to eliminate passwords entirely since its formation four years ago. The Alliance has been pitching two passwordless authentication options it hopes will be irresistible to both users and service providers.
But even with increasing interest and acceptance of those options, Brett McDowell, FIDO’s executive director, has acknowledged that there will be a “long tail” for password use.
And during that long transition, he and others say there are multiple ways to improve security that don’t involve creating a new password every couple of months that is easier to crack than previous ones.
Zach Lanier, director of research at Cylance, cites Apple’s TouchID and Google’s Project Abacus as mobile options to wean users off passwords, but said passwords are obviously “still around, and they’re likely to be for a bit longer. It’s just that they’re so ‘standard’ for people and enterprises, and have been for so long, that it’s really hard to make them completely disappear.”
In the interim, he said, organizations can improve their password security through a combination of employee training and “actively testing their authentication mechanisms and auditing users’ passwords – cracking them – whether it’s through internal infosec teams or external firms. In my opinion, it should be both. This can give the organization a better idea of where things are broken, from people to technology.”
The users can be brought into this as well, he added, by, “making available the tools to enable, if not force, users to test the strength of their own passwords.”
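The “algorithmically related” password problem quoted at the top of the article, and the self-service strength checks Lanier describes, can be turned into a concrete policy hook: at change time, reject a new password that is only a trivial transform of the old one (counter incremented, leet substitution, a digit block moved from one end to the other). The code below is an added illustration, not from the article or from any product it mentions; the leet table, the edit-distance threshold and the rule names are constructed for this example.

```python
import re

# Leet-speak homoglyphs folded back to letters (constructed table, not from the article).
LEET = str.maketrans("4@3!1|0$5+7", "aaeiiiosstt")

def canonical_stem(pw: str) -> str:
    """Lower-case, drop leading/trailing digit or symbol runs (counters, years,
    trailing '!'), fold leet substitutions, then drop any remaining non-letters."""
    s = pw.lower()
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)
    s = s.translate(LEET)
    return re.sub(r"[^a-z]", "", s)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute), classic DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def derivation_rule(old: str, new: str, max_edits: int = 2):
    """Return the name of the transform that links old -> new, or None if the
    new password is not a trivial variant of the old one. Most specific rule first."""
    if old == new:
        return "identical"
    if len(old) == len(new) and new in old + old:
        return "rotated-block"          # hunter2 -> 2hunter (a block moved end to end)
    old_stem, new_stem = canonical_stem(old), canonical_stem(new)
    if old_stem and old_stem == new_stem:
        return "same-stem"              # password1 -> P@ssw0rd2, Summer2023! -> Summer2024!
    if edit_distance(old.lower(), new.lower()) <= max_edits:
        return "edit-distance"          # one or two characters changed anywhere
    return None

def accept_password_change(old: str, new: str) -> bool:
    """Policy hook: accept only changes that do not merely transform the old password."""
    return derivation_rule(old, new) is None
```

In a real deployment the comparison runs against the plaintext the user just typed, at the moment of change, since stored hashes cannot be transformed; the rule name is useful for telling the user why the change was refused and for audit logs.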
McDowell agrees that education is, “a laudable endeavor, especially to help users avoid falling victim to phishing and/or social engineering attacks.” But he said the “shared secret” authentication model is vulnerable to too many forms of attack – not just social engineering – hence the need to eliminate them as soon as possible.