Why you don't need long, complex passwords

These days, hackers steal passwords wholesale, not one by one, which is why you can ignore outdated password practices


What does work?

This is not to say that you should throw up your hands and give up. Here are the top two defenses that address the main causes: phishing attacks and credential database theft.

Preventing phishing attacks means better end-user education -- I'm a big believer in phishing your own users to teach them a lesson -- and the use of multiple antiphishing tools. Many browsers come with antiphishing tools; at a bare minimum, use them. In addition, a host of services will throw up an alert if you (or an end-user) head toward a known phishing site. These services suffer the same accuracy problems as antivirus scanning software, but something is always better than nothing.

The real answer, however, is that host providers need to do a much better job of preventing credential databases from being stolen. That means making it significantly harder for bad people and malware to access the highest-privileged accounts on the systems that host credential databases. I've covered this many times before in previous articles; it can be done. The biggest defense in this category is to get rid of all your permanent members of elevated groups. It works wonders.

I'm also a big believer in two-factor authentication (2FA). More and more corporate networks and public services support 2FA schemes. There are important caveats, though, beginning with the fact that most public websites still don't support 2FA.

Moreover, if the bad guy is allowed to get access to the 2FA authentication database or service, game over. The best example is the 2011 attack against RSA and its 2FA solution, SecurID. Initially, RSA said the compromise of its own infrastructure, including RSA SecurID information, could not lead to additional customer compromise. In the end, this statement did not hold up.

It's also important to realize that even though the end-user or device may use 2FA to authenticate, behind the scenes, at the OS or directory level, the 2FA token often plays no part. After successful 2FA authentication occurs, all subsequent authentication and access control transpires using single-factor authentication (typically in the form of some other digital token). If the bad guy steals those single-factor tokens, it's game over, 2FA or not.

A lot of websites that support 2FA authentication don't require it. Bad guys love this. You may enable 2FA and even tell the website that you're going to use it exclusively, but the bad guy can call tech support, make up a lie, and get your 2FA turned back to 1FA. Sometimes all it takes is answering your far weaker "security questions," whose answers can often be determined via information about you easily obtainable on the Internet.

Lastly, and this may surprise some readers, decades of evidence prove that 2FA solutions ultimately do not protect users or devices if the endpoint involved is compromised. I first wrote about this in 2006, but even then, it was historical information. Bank-account-stealing Trojans have long been circumventing 2FA. How do they do it? In a nutshell, if the bad guys have control of your endpoint, they can fake whatever they wish in order to accomplish their malicious activity. They can even take over your account and redirect all new business to themselves. It's far easier to cut you out of the chain than to take it over.

Other password protections

I'm a big believer in two other defenses. First, don't reuse your passwords across different security domains or websites. We all belong to dozens of different websites and networks. The more you belong to, the higher the risk of malicious compromise -- which will happen eventually. If you don't reuse your logon credentials all over the place, you make it harder for the bad guys to hurt you more than once.

Second, periodically change your passwords across all sites. I try to do this once a year. You have to assume that at least one of your passwords is sitting around in a hacker database, waiting to be used. By changing your passwords once a year -- or more often if you want to reduce risk even further -- you make hackers' ill-gotten gain less effective over time. This of course assumes that all the people and processes protecting the credential database in which your password is stored are doing the same. But you can only control your actions, so start with yourself.
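The two habits above (no password shared across sites, and no password older than about a year) are easy to check mechanically against a password-manager export. The following script is an added example, not part of the original article or any password manager's own tooling; it assumes an export of (site, username, password, date last changed) tuples and uses a small constructed vault with made-up entries. It reports groups of sites that share one password, entries older than the rotation threshold, and the sites that fall into both categories, which are the ones to fix first.

```python
"""Audit a password-manager export for the two problems the article warns about:
passwords reused across sites and passwords not rotated within a year."""
from collections import defaultdict
from datetime import date

# Constructed sample export: (site, username, password, date last changed).
# These are made-up entries for illustration, not real credentials.
SAMPLE_VAULT = [
    ("mail.example.com",  "alice", "Tr0ub4dor&3",    date(2013, 2, 10)),
    ("bank.example.net",  "alice", "Tr0ub4dor&3",    date(2013, 11, 5)),
    ("forum.example.org", "alice", "correct horse",  date(2014, 1, 20)),
    ("shop.example.com",  "alice", "Tr0ub4dor&3",    date(2012, 6, 1)),
    ("git.example.dev",   "alice", "xkcd-936-style", date(2014, 5, 2)),
]

# Assumed "today" for the audit, so the example is reproducible.
AUDIT_DATE = date(2014, 6, 1)


def reused_passwords(vault):
    """Return one sorted site list per password that appears on more than one
    site. The password itself is deliberately not part of the result, so the
    report can be printed or logged without leaking secrets."""
    sites_by_password = defaultdict(set)
    for site, _user, password, _changed in vault:
        sites_by_password[password].add(site)
    groups = [sorted(sites) for sites in sites_by_password.values() if len(sites) > 1]
    return sorted(groups)


def stale_passwords(vault, today, max_age_days=365):
    """Return (site, age_in_days) for every entry older than max_age_days,
    oldest first. A year matches the article's once-a-year rotation."""
    stale = []
    for site, _user, _password, changed in vault:
        age = (today - changed).days
        if age > max_age_days:
            stale.append((site, age))
    return sorted(stale, key=lambda entry: entry[1], reverse=True)


def audit(vault, today, max_age_days=365):
    """Combine both checks; sites that are both reused and stale come first."""
    reused = reused_passwords(vault)
    stale = stale_passwords(vault, today, max_age_days)
    reused_sites = {site for group in reused for site in group}
    fix_first = [site for site, _age in stale if site in reused_sites]
    return {"reused": reused, "stale": stale, "fix_first": fix_first}


if __name__ == "__main__":
    report = audit(SAMPLE_VAULT, AUDIT_DATE)
    for group in report["reused"]:
        print(f"one password shared by {len(group)} sites: {', '.join(group)}")
    for site, age in report["stale"]:
        print(f"{site}: password last changed {age} days ago")
    print("fix first:", ", ".join(report["fix_first"]))
```

Run it against a real export by replacing SAMPLE_VAULT with the parsed rows of your manager's CSV; the report never contains the passwords themselves, only site names and ages, so it is safe to keep as a to-do list.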

Like most of the world around us, password hacking methods and tools have not remained static. The old advice of using long and complex passwords protected by strong authentication protocols isn't as helpful as it once was. It doesn't hurt, but it isn't slowing down hackers much. Instead, use decent passwords, change them periodically, don't share them among sites, and opt for 2FA where you can.

I'll even ignore for a few minutes the glaring fact that if a hacker has already obtained your logon credentials, he or she probably has the ability to access any data or service you were trying to protect in the first place. For now, let's take baby steps.

This story, "Why you don't need long, complex passwords," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes' Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.

Copyright © 2014 IDG Communications, Inc.
