With the emergence of cloud-based technologies, there is a growing demand for, and a consequent increase in, services offered in this format. Where users once had only two or three credentials for their online tasks, today they must deal with so many that they can barely remember them. Besides having to remember complex passwords, users also need to keep in mind that many systems allow only a limited number of access attempts: after a few wrong passwords, access is blocked before they have much chance of entering the right one. So the best thing to do is to use words that are easily typed and memorized.

Recent research by the UK’s National Cyber Security Centre (NCSC) reported that, for the fifth consecutive year, “123456” is the number sequence most commonly used as a password. The word “password” is another recurring top choice on this list of commonly used passwords, also because it is easy to memorize and type, even though it guarantees no security. The question is: given that these passwords are insecure and easy to guess, why do people continue to use them?

Users are expected to memorize their passwords and enter them correctly on the first try. However, the complexity required by the password policies of services and companies makes it difficult for both ordinary and advanced users to create a password that is both strong and usable.

How to establish a good password policy?

A password policy should set standards that make it difficult for malicious agents to access systems, while giving users simple creation instructions that they can understand. However, it is worth noting that there is no point in creating strong password policies without proper cybersecurity awareness: with a phishing or social engineering email, an attacker can obtain user credentials regardless of the password policy adopted.

The National Institute of Standards and Technology (NIST), from the United States, the Information Commissioner’s Office (ICO), from the United Kingdom, and other institutions and standards recommend that passwords be at least ten characters long, that no maximum length be set, and that special characters not be required.

Other good practices related to passwords, rather than replacing letters with numbers or other characters, advise the use of passphrases made of common but random words. A passphrase is a set of at least three random words, for example “bluedogcherry” or “coffeepeniron”. This method makes the password difficult to guess while helping both usability and security. In the examples given, the three words together may make sense to the user, but not to anyone else. Passphrases such as children’s names or the colors of the rainbow are not recommended because they are easily guessed.

Thus, instead of replacing the letter “E” with the number “3”, it is recommended to use a sentence such as correcthorsebatterygrass. According to NIST, the old creation method, even with letters and numbers mixed in, encouraged users to create obvious and guessable passwords.

The new method takes into account that the human brain stores phrases better than numbers and codes, turning the password into an image in the user’s mind. And the longer the sentence, the stronger the password. Special characters are not completely abolished, however: characters and numbers that make sense within the created passphrase may be used, as long as they are not difficult for the user to remember.

Another important recommendation is the use of password blacklists, which make it possible to block weak and common passwords, passwords that have appeared in data leaks, and words that refer to the organization’s name or its industry. It is also part of the work to make users aware of why their passwords are denied and which elements make them insecure, and to update this blacklist at least annually.
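The rules from the last few paragraphs (ten-character minimum, no maximum, no special-character requirement, a blacklist of common and organization-related words, and three-word passphrases) as a small policy checker. This is an added example, not code from the original article; the blacklist, the organization terms (a hypothetical “Acme” bank) and the word list are constructed stand-ins for real leaked-password lists and a real dictionary.

```python
import secrets
from typing import List, Set

# Constructed blacklist and organization terms (stand-ins for a real leaked-password
# list and for a hypothetical organization "Acme" in the banking industry).
COMMON_PASSWORDS: Set[str] = {"123456", "password", "qwerty", "12345678", "iloveyou", "abc123"}
ORG_TERMS: Set[str] = {"acme", "bank", "banking"}
MIN_LENGTH = 10  # NIST/ICO minimum cited in the text; no maximum, no special-character rule

# Constructed word list for passphrase generation; a real deployment would use a large one.
WORDLIST = ["blue", "cherry", "coffee", "iron", "horse", "battery", "grass", "correct", "river", "candle"]

# Undo common letter-to-symbol substitutions so "P@ssw0rd" is recognized as "password".
_SUBSTITUTIONS = str.maketrans("@0134$5!7", "aoleassit")

def normalize(password: str) -> str:
    """Lower-case the password and reverse the usual leetspeak substitutions."""
    return password.lower().translate(_SUBSTITUTIONS)

def is_sequence(password: str) -> bool:
    """True for runs like 'abcdefghij' or '9876543210' (each character one step from the last)."""
    codes = [ord(c) for c in password.lower()]
    steps = {b - a for a, b in zip(codes, codes[1:])}
    return len(codes) > 1 and (steps == {1} or steps == {-1})

def check_password(candidate: str,
                   blacklist: Set[str] = COMMON_PASSWORDS,
                   org_terms: Set[str] = ORG_TERMS) -> List[str]:
    """Return the reasons a candidate is rejected (an empty list means accepted).
    Each reason is phrased so it can be shown to the user, as the text recommends."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    normalized = normalize(candidate)
    if candidate.lower() in blacklist or normalized in blacklist:
        reasons.append("appears on the list of common or leaked passwords")
    for term in sorted(org_terms):
        if term in normalized:
            reasons.append(f"contains the organization or industry term '{term}'")
    if is_sequence(candidate):
        reasons.append("is a simple character sequence")
    if len(set(candidate)) <= 2:
        reasons.append("uses too few distinct characters")
    return reasons

def generate_passphrase(words=WORDLIST, count: int = 3) -> str:
    """Join `count` randomly chosen words, drawn with the CSPRNG in `secrets`."""
    return "".join(secrets.choice(words) for _ in range(count))
```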

A healthy password lifecycle should be an important part of an organization’s recommendations: require passwords to be changed periodically, and especially when a new vulnerability is found in the system. This is a very effective measure to prevent possible data leaks.

A weak password recovery process is an inviting vulnerability for attackers. Ensuring that a password recovery request is legitimate is difficult; however, specific questions, keywords, and even tokens can be useful alternatives for ensuring the effectiveness of this step.

In short, a password, no matter how strong, can be stolen through a malicious attack. Besides, the user may write it down somewhere easily accessible, making it an easy target. Therefore, despite their importance, passwords alone are not enough to protect confidential information. In this context, multiple authentication factors combined with strong passwords are the most appropriate and recommended protection, as they defeat many password-targeted attacks.

Attacks

It is essential to understand the types of attacks that passwords can suffer in order to be able to create a robust password policy. Some of these attacks and vulnerabilities involve:

  • Dictionary Attacks: A list (dictionary) of words and combinations, used to compare captured hashes against the list items and thus try to find the password. The same list can also be used to access accounts through brute-force attempts.

  • Credential Stuffing: Leaked credentials used when attempting to access other accounts, succeeding when the user reuses the same credentials (username and password) on more than one account.

  • Replacement: The attacker authenticates successfully by supplying a password or username already known to them through some leak.

  • Password recovery: When the password recovery process has flaws, the attacker can impersonate the victim and gain access to the password, or even change the current password to one of their own. This can happen, for example, when the recovery process uses easily guessable security questions.

  • Social Engineering: The use of social techniques to mislead the user and illegally obtain access to credentials or use the same techniques to install password-stealing software.

  • Keylogging: Malware that, once installed on the system, copies everything the user types, including their passwords.

  • Bad Hashes: Attacks that recover passwords from stored hashes, especially when the hashing algorithm has known flaws, such as MD5.
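The dictionary-attack and bad-hash items above come down to the same storage mistake: an unsalted, fast hash such as MD5 lets anyone holding the hashes check them against a word list at high speed, and every user with the same password gets the same hash. The added example below (not code from the article) contrasts that weak form with a salted, slow PBKDF2 record and shows a defensive audit that finds users whose unsalted hash matches a blacklisted password; the iteration count and record format are assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, List, Optional

def md5_store(password: str) -> str:
    """The weak form: unsalted and fast. Equal passwords give equal hashes, so a
    single pass over a word list checks every user at once."""
    return hashlib.md5(password.encode()).hexdigest()

# Assumed work factor; tune it so one verification costs tens of milliseconds on your hardware.
ITERATIONS = 200_000

def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """The hardened form: per-user random salt plus a deliberately slow key derivation.
    Record format (an assumption for this example): algo$iterations$salt_hex$hash_hex."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"

def verify(password: str, record: str) -> bool:
    """Recompute the derivation with the stored salt and compare in constant time."""
    _algo, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

def audit_unsalted_store(store: Dict[str, str], blacklist: Iterable[str]) -> List[str]:
    """Defensive audit of a legacy MD5 store: hash each blacklisted word once and report
    every user whose stored hash matches. The same one-pass lookup is what makes the
    unsalted store so cheap to attack, which is the reason to migrate off it."""
    lookup = {md5_store(word): word for word in blacklist}
    return sorted(user for user, digest in store.items() if digest in lookup)

if __name__ == "__main__":
    # Constructed sample data: two users, one of them using a blacklisted password.
    legacy = {"alice": md5_store("123456"), "bob": md5_store("T9v!xQr2pL")}
    print("users with blacklisted passwords:", audit_unsalted_store(legacy, ["123456", "password"]))
    rec = make_record("correcthorsebatterygrass")
    print("salted record verifies:", verify("correcthorsebatterygrass", rec))
```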

Password policies can be combined with software and tools to further protect systems and devices. Some of these tools include password managers or, for organizations that want to protect their assets, Privileged Access Management (PAM) solutions.

Password Managers and PAM Solutions

Password managers and PAM solutions are tools that can generate secure passwords and authenticate to systems automatically, relieving users of the task of remembering and entering passwords for different accounts.

It is worth remembering, however, the importance of protecting, and never losing, access to these tools: once the access credential is compromised, all accounts connected to the user may be lost. It is also worth keeping these passwords up to date, because if a vulnerability is exploited, all stored passwords will be exposed.

If there is any suspicion that the password policy or the passwords themselves have been compromised, the recommendation is for the company to move quickly to mitigate the cause of the compromise and require all users to change their passwords.

Finally, there must be a consensus on protecting users both from creating bad passwords and from overly difficult password creation patterns. Raise awareness and let people recognize when their passwords are insecure, so that they can choose strong and secure passwords for both work and personal access.