Weak Password Advice From Microsoft

Tempting as it may seem to do away with strong passwords for low-risk websites, password reuse is still a significant threat to both users and business.

Andrey Dulkin, Senior Director, Cyber Innovation, CyberArk

July 28, 2014

5 Min Read

Researchers from Microsoft and Ottawa's Carleton University this month issued a 16-page report urging Internet users to use (or re-use) weak and easy-to-remember passwords for “low risk” websites, as spending any effort on these passwords “would be wasteful.” This is bad advice for any Internet user, but even more so for those in corporate environments who may have reused passwords across personal and corporate services.

The primary reasoning behind the “weak password” recommendation is to help users maximize their ability to remember more complex passwords that are needed to protect high-risk accounts and sites. Another way to read it would be that people just can’t remember a multitude of unique and complex passwords, so stop trying, and use something easy for the “less important” things in life.

While this research flies in the face of years of recommended best-practices, it’s understandable that the cyber realities we all face may present a convincing argument that strong passwords are a fruitless endeavor. We are continually inundated with examples of how we’re facing greater and more constant online threats, how nothing is secure, and how motivated attackers will always find a way to infiltrate networks and steal information, passwords, and more. Add to this the recent disclosures on password manager vulnerabilities, and it seems as if passwords are doomed anyway, so why even bother with unique or complex passwords? Here are several reasons.

Diminishing distinctions
The advice provided by the Microsoft research focuses on using and reusing weak passwords for non-important sites. The authors provide a measure of loss, which attempts to quantify the harm to the user from disclosing information at a specific web service. This, the argument goes, makes it possible to distinguish important versus non-important services. But what exactly is non-important?

While everyone can likely agree that banking services are important, the distinction is not as clear for other services. Is Twitter or any other social media channel important? How about forums or blog comments? To some users, yes, they’re important -- social media are a critical tool in their daily lives and entwined with their work lives. Others deem social media unimportant.

But while social media may not be important to the latter group, they most definitely are to hackers. Social media accounts are a gold mine of personally identifiable information (PII). Although you may not be an avid user of a social media account, you can bet that hackers will be avid users of your information if they get their hands on it.

In addition, compromised social media accounts can open up a new set of threat and attack vectors, as they enable impersonation of legitimate users to others. One of the most prevalent ways targeted cyber attacks on businesses begin is through a simple phishing attack -- designed to gain a foothold in an organization to steal and elevate insider credentials. Hackers could target the personal-use web accounts of employees, co-workers, vendors, and others as launching points for broader attacks on a business. It just takes one click of a bad link to let the attackers in, and the perceived identity of the sender can be the reason for that click to occur.

Password reuse is a significant threat
As organizations move to cloud services, outsource IT, and require employees and users to log-in to activate these services, the opportunity and desire to share passwords for personal and organizational uses is common -- and a significant threat.

Hackers are smart enough to figure out that users often reuse passwords for multiple purposes -- so if they gain access to someone’s password, and know from their online identities that they work at a specific company, the logical conclusion is that they will try those passwords across the organization’s online surface.

And if you think it’s not easy for an attacker to find the cloud solutions that a company is using -- CRM, HR management, ERP, sales management, and many others -- then you’re vastly underestimating the threat landscape.

Memory is not the only option
One fundamental disagreement I have with the research is the researchers’ assumption that people are just incapable of remembering complex passwords and need to be coddled with passwords like "password," "123456," and so on.

Even if the world were made up of only people who can’t remember the growing number of increasingly complex passwords we use, there is a better way than giving up entirely and exposing the users to the dangers of password reuse.

Local password managers are a good option for both personal and organizational use. While cloud-based password managers are indeed less secure and face some real vulnerabilities and problems, locally hosted password managers are strong and secure and are quite challenging for an attacker to break into.

Obviously, we can’t expect all users to have organizational password management solutions deployed in their networks, but even local password managers installed on user endpoints provide a significant boost to the overall security of user accounts. They make it possible to use unique and complex passwords, while the user only needs to remember one password for authenticating to them.

Ultimately, nothing is ever completely safe. Sufficiently motivated hackers will always present a challenge as they try to find a way to steal and exploit the information they’re targeting. But against opportunistic attacks, it is never a good idea to set yourself up as the easiest prey. When criminals steal hundreds of thousands or millions of password hashes, they are not going to discern the pattern used by a specific user -- they will simply attempt to break the hashes and try the passwords on other services, such as email accounts, social media, and corporate services. At this point, password uniqueness can make all the difference between a nuisance and an identity theft.

About the Author(s)

Andrey Dulkin

Senior Director, Cyber Innovation, CyberArk

Andrey Dulkin has more than 12 years of experience in information security research and development, both in technical and managerial positions. In his current position, he leads the CyberArk Research Labs, where his research focuses on targeted attacks mitigation, critical infrastructure security, security architecture, and various aspects of organizational information systems protection. An active member of several cybersecurity forums, Andrey contributed to the Cloud Security Alliance Security-as-a-Service guidance documents and other initiatives. His interests include Internet technologies, machine learning, and programming for Android. 

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights