Today is “change your password day” again. A well-intentioned
initiative for more IT security. Coming originally from the military context of the 1960s, the recommendation to change your password regularly can still be found in many corporate policies today. Modern guidelines such as the current BSI Basic Protection Compendium and the NIST Digital Identities Guidelines drop this requirement because there are more effective strategies to increase password security:
Password length over complexity
First of all, a strong password needs to be changed only if there is a suspicion that it has been revealed.
Today, attackers can try out billions of passwords within a very short time using automated systems. Especially if these systems are accessible via the network or have access to the password hashes and can therefore be effectively tried offline. The complexity of the password is therefore completely irrelevant if it is too short. Recommendations for length vary from 8 to at least 14 characters. Advances in attack tools such as Hashcat, and faster, specialized password-guessing hardware, are driving these requirements ever higher.
Compliance policies today require individualized login credentials. This eliminates the risk a password is known to many people and thus the need to change it regularly. One long password for exactly one person for exactly one service. Pretty secure.
Passwords are no repeat parts
To be honest, haven’t you ever used the same or a very similar password for multiple services? You should get rid of this habit quickly because a successful attack on one service automatically leads to a successful attack on others. The use of already privately used passwords in a corporate environment is particularly critical.
Modern password policies ensure that passwords appearing in lists of captured passwords are rejected. The website haveibeenpwand, for example, indicates whether a password has been captured. Modern systems offer interfaces to check passwords in this way. In CONTACT Elements you can easily activate them:
from cdb.sig import connect
from cdb.authentication import check_pwned_password
Password manager instead of one-size-fits-all
Password repeating is bad, and so are short passwords. Users face the challenge of remembering a large number of long passwords in their heads. Writing it down on a piece of paper and hiding it under the keyboard or sticking it on the bulletin board is not a solution, because a camera can capture it.
It is better to use a password manager. It can create and manage long passwords and makes them easier to enter via copy and paste. Unfortunately, some companies, driven by the concern that a Trojan will intercept the passwords on the clipboard, block the copy and paste method in their applications, preventing the use of a password manager. However, in the case of a Trojan attack, this measure is usually ineffective and companies should instruct users to use a password manager to increase their IT security.
Beware of highwaymen and tricksters
Even the strongest password does not protect against attacks if it is intercepted. It’s often surprisingly easy to do. Connections without a minimum level of security like Transport Layer Security (TLS) are an open book for any attacker. Older network protocols such as Kerberos also offer numerous gateways. Ransomware exploits these to spread across the corporate network. As soon as an administrator logs on to a compromised computer, the attacker has the credentials, and shortly thereafter gold and silver tickets are created and the Windows domain is firmly in the attacker’s hands.
Here, too, security stands or falls with the password, because it is used in the calculation of the authentication tickets and, due to the symmetrical encryption, enables the attacker to calculate the password back from the ticket.
Increase security through multiple factors
One recommendation to get around the weaknesses of passwords is to include other factors. This works very well from a security perspective. A second factor significantly increases security in almost every case. In most cases, it is of secondary importance whether these are one-time passwords such as TANs via SMS, time-based codes such as Definition Time-based One-time Password (TOTP), or even simple confirmation emails with links.
The downside of second factors is the additional effort and the impact on usability. Helpdesk processes become more complicated, users need to be trained, and login processes often happen more slowly.
Single sign-on – both a curse and a blessing
Users love single sign-on (SSO), where you only have to enter a password and a second factor once to use numerous services. This minimizes the effort enormously – but also for the attacker. Particularly if access depends on a weak password only. A central login system also solves many problems for compliance when users are blocked or reports are generated. The costs for user administration are also reduced.
Single sign-on turns the “one password per service” argument above on its head. Again, only one password stands between the attacker and your system. If the attacker knows the password, he has access. And then the single sign-on system opens all doors for the attacker.
Even stronger mechanisms such as TOTP or hardware key generators do not protect if the password and access code are entered on a fake website. This practice is known as phishing. The solution, on the other hand, is channel or token binding and links (binds) the desired access to the channel through which the access is requested. This means that a token is only accepted for access to device A but not to device B of the attacker. This form of multi-factor authentication is very secure and easy to use with modern hardware or cell phones. For enterprise IT, integration with common platforms is relevant here. Windows Hello, Apple and Android support the FIDO2 / WebAuthn standard specified by the FIDO Alliance to detect phishing and make single sign-on secure.
Passwords are obsolete!?
Starting from the WebAuthn standard, there is a new initiative since 2022 with passkeys – driven by Apple, Microsoft and Google – to banish passwords from applications and single sign-on. You can change your password to a passkey today if your device supports it and use 2024’s “Change your Password Day” to delete your password and never have to use it again.
More Information on Cybersecurity
Learn everything you need to know about building a reliable IT security architecture for protection against cyberattacks in our free white paper “IT Security for Enterprises”.