Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations //

Identity & Access Management

7/28/2014
01:30 PM
Andrey Dulkin
Andrey Dulkin
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Weak Password Advice From Microsoft

Tempting as it may seem to do away with strong passwords for low-risk websites, password reuse is still a significant threat to both users and business.

Researchers from Microsoft and Ottawa's Carleton University this month issued a 16-page report urging Internet users to use (or re-use) weak and easy-to-remember passwords for “low risk” websites, as spending any effort on these passwords “would be wasteful.” This is bad advice for any Internet user, but even more so for those in corporate environments who may have reused passwords across personal and corporate services.

The primary reasoning behind the “weak password” recommendation is to help users maximize their ability to remember more complex passwords that are needed to protect high-risk accounts and sites. Another way to read it would be that people just can’t remember a multitude of unique and complex passwords, so stop trying, and use something easy for the “less important” things in life.

While this research flies in the face of years of recommended best-practices, it’s understandable that the cyber realities we all face may present a convincing argument that strong passwords are a fruitless endeavor. We are continually inundated with examples of how we’re facing greater and more constant online threats, how nothing is secure, and how motivated attackers will always find a way to infiltrate networks and steal information, passwords, and more. Add to this the recent disclosures on password manager vulnerabilities, and it seems as if passwords are doomed anyway, so why even bother with unique or complex passwords? Here are several reasons.

Diminishing distinctions
The advice provided by the Microsoft research focuses on using and reusing weak passwords for non-important sites. The authors provide a measure of loss, which attempts to quantify the harm to the user from disclosing information at a specific web service. This, the argument goes, makes it possible to distinguish important versus non-important services. But what exactly is non-important?

While everyone can likely agree that banking services are important, the distinction is not as clear for other services. Is Twitter or any other social media channel important? How about forums or blog comments? To some users, yes, they’re important -- social media are a critical tool in their daily lives and entwined with their work lives. Others deem social media unimportant.

But while social media may not be important to the latter group, they most definitely are to hackers. Social media accounts are a gold mine of personally identifiable information (PII). Although you may not be an avid user of a social media account, you can bet that hackers will be avid users of your information if they get their hands on it.

In addition, compromised social media accounts can open up a new set of threat and attack vectors, as they enable impersonation of legitimate users to others. One of the most prevalent ways targeted cyber attacks on businesses begin is through a simple phishing attack -- designed to gain a foothold in an organization to steal and elevate insider credentials. Hackers could target the personal-use web accounts of employees, co-workers, vendors, and others as launching points for broader attacks on a business. It just takes one click of a bad link to let the attackers in, and the perceived identity of the sender can be the reason for that click to occur.

Password reuse is a significant threat
As organizations move to cloud services, outsource IT, and require employees and users to log-in to activate these services, the opportunity and desire to share passwords for personal and organizational uses is common -- and a significant threat.

Hackers are smart enough to figure out that users often reuse passwords for multiple purposes -- so if they gain access to someone’s password, and know from their online identities that they work at a specific company, the logical conclusion is that they will try those passwords across the organization’s online surface.

And if you think it’s not easy for an attacker to find the cloud solutions that a company is using -- CRM, HR management, ERP, sales management, and many others -- then you’re vastly underestimating the threat landscape.

Memory is not the only option
One fundamental disagreement I have with the research is the researchers’ assumption that people are just incapable of remembering complex passwords and need to be coddled with passwords like "password," "123456," and so on.

Even if the world were made up of only people who can’t remember the growing number of increasingly complex passwords we use, there is a better way than giving up entirely and exposing the users to the dangers of password reuse.

Local password managers are a good option for both personal and organizational use. While cloud-based password managers are indeed less secure and face some real vulnerabilities and problems, locally hosted password managers are strong and secure and are quite challenging for an attacker to break into.

Obviously, we can’t expect all users to have organizational password management solutions deployed in their networks, but even local password managers installed on user endpoints provide a significant boost to the overall security of user accounts. They make it possible to use unique and complex passwords, while the user only needs to remember one password for authenticating to them.

Ultimately, nothing is ever completely safe. Sufficiently motivated hackers will always present a challenge as they try to find a way to steal and exploit the information they’re targeting. But against opportunistic attacks, it is never a good idea to set yourself up as the easiest prey. When criminals steal hundreds of thousands or millions of password hashes, they are not going to discern the pattern used by a specific user -- they will simply attempt to break the hashes and try the passwords on other services, such as email accounts, social media, and corporate services. At this point, password uniqueness can make all the difference between a nuisance and an identity theft.

Andrey Dulkin has more than 12 years of experience in information security research and development, both in technical and managerial positions. In his current position, he leads the CyberArk Research Labs, where his research focuses on targeted attacks mitigation, critical ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
7/29/2014 | 2:52:57 PM
Re: Important to whom?
Yes, indeed! The PII that is floating around cyberspace is going to be a huge problem (if it isn't already!) We ran a blog on that very topic a few months back that made a very good case about that in What's Worse: Credit Card Or Identity Theft?

 

Andrey Dulkin
50%
50%
Andrey Dulkin,
User Rank: Apprentice
7/29/2014 | 2:20:41 PM
Re: Important to whom?
I agree and would like to highlight another point - while there has been a lot of focus over the last few years on credit card details theft, there wasn't as much discussion of identity thefts. With credit cards, it has become a routine: CC data stolen->the company involved offers credit monitoring services->some people choose to replace their cards, for some the issuers replace them, for most the cards remain active->life goes on. But with identity thefts, people can't simply replace their personal data - their mother's maiden name, the school they went to, their SSN, their government-issued ID and so on. And once these details are out there, one can never know neither who will use them, nor when or for what purpose.
Andrey Dulkin
50%
50%
Andrey Dulkin,
User Rank: Apprentice
7/29/2014 | 2:08:50 PM
Re: password mess
Unfortunately, we won't be able to get rid of passwords until a more secure and at least as user-friendly authentication mechanism is available. Even then, we'll still have all the legacy systems that do not support any other authentication method. Thus, we have to make password authentication as secure as possible, which can be done by engaging all 3 involved parties - the service providers, the organizations and the users. The service providers should employ secure salted hashing schemes, that will make it more difficult for attackers to get to the actual passwords. The organizations should employ automated systems to secure the credentials for their sensitive assets, instead of relying on the users to come up with unique and complex passwords. And the users should be educated about the dangers of password re-use and identity theft, and try to adhere to best practices (and yes, this is probably the weakest link of the scheme...) This approach will make it more difficult for attackers to actually take advantage of their attacks' spoils.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
7/29/2014 | 9:55:51 AM
Important to whom?
Your point is well-taken Andrey that in terms of risk the calculus of "important" versus "unimportant" is not a simple matter. For the typical user, it's obvious that you will want to protect your credit cards, online banking and financial activities, etc.  with strong passwords. But for more frivolous social activities like FB, Pinterest, etc, the message --- that these sites are gold-mines for hackers -- has not been driven home at all. 
AlkaG040
100%
0%
AlkaG040,
User Rank: Apprentice
7/29/2014 | 8:38:03 AM
Single Sign-on as a solution for passwords
I would say instead of using weak passwords at all, use a Single Sign-on solution to access all your accounts from one dashboard so that you only have to remember one set of credentials instead of many and that's to your SSO provider account.

I personally use Smartsignin by PerfectCloud and I can sign into all my accounts without having to remember my Strong passwords or storing them anywhere - Cloud/System. The best thing is, they don't store my credentials anywhere.
Kelly Jackson Higgins
100%
0%
Kelly Jackson Higgins,
User Rank: Strategist
7/28/2014 | 3:57:22 PM
password mess
I feel like a broken record, always preaching to family and friends the importance of not reusing passwords, creating strong passwords, etc. But the reality is most users continue those bad habits because it's inconvenient and time-consuming to do the right thing. Sure, there are password managers, but not everyone wants to go there. We need to get away from passwords altogether. Scan my eyeball, already.
<<   <   Page 2 / 2
For Cybersecurity to Be Proactive, Terrains Must Be Mapped
Craig Harber, Chief Technology Officer at Fidelis Cybersecurity,  10/8/2019
A Realistic Threat Model for the Masses
Lysa Myers, Security Researcher, ESET,  10/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17593
PUBLISHED: 2019-10-14
JIZHICMS 1.5.1 allows admin.php/Admin/adminadd.html CSRF to add an administrator.
CVE-2019-17594
PUBLISHED: 2019-10-14
There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.
CVE-2019-17595
PUBLISHED: 2019-10-14
There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.
CVE-2019-14823
PUBLISHED: 2019-10-14
A flaw was found in the &quot;Leaf and Chain&quot; OCSP policy implementation in JSS' CryptoManager versions after 4.4.6, 4.5.3, 4.6.0, where it implicitly trusted the root certificate of a certificate chain. Applications using this policy may not properly verify the chain and could be vulnerable to...
CVE-2019-17592
PUBLISHED: 2019-10-14
The csv-parse module before 4.4.6 for Node.js is vulnerable to Regular Expression Denial of Service. The __isInt() function contains a malformed regular expression that processes large crafted input very slowly. This is triggered when using the cast option.