Our clients always tell us “Every account and system is protected by a strong password policy”, which usually has the following elements:
- Between 8 and 128 characters long.
- Use at least 3 of the following types of characters: (a) uppercase letters, (b) lowercase letters, (c) numbers, and/or (d) special characters
Is it secure enough?
A common train of thought is that passwords are encrypted, therefore complex ones should be difficult to crack and thus relatively secure. However, this is often not the case, as can be seen from a case we worked on.
We worked with a company that had been using SAP for procurement approvals, which required three staff to approve any invoice over a certain amount. However, the company had restructured, one of the three was sacked, and they no longer had enough manpower to fulfil the three-person approval requirement. Changing the SAP process would have meant hiring an external consultant, so instead the department created a dummy approver and shared the third approver's password. This allowed them to circumvent the SAP access control using guerrilla tactics, which left the company vulnerable.
Passwords have two main functions: keeping strangers out through authentication, and attributing actions to a user through tracking. Thus, if a password is compromised, so is the identity of the user associated with it, and any action performed with it is now attributed to that individual.
Companies now generally enforce strong password policies in response to the increase in cyber attacks, but this often only shifts risk instead of mitigating it. Oftentimes, users are still using unsafe passwords such as “Password01” or their date of birth. A recent Australian government security assessment found that “26% of its officials had weak, common passwords – with more than 5,000 of 234,000 including the word ‘password’”.
Importance of Encryption Algorithm
It may be natural to think that as long as stronger and more complex passwords are enforced, a system should be safe. While this is true to some extent, many other factors play into the security of a system. To explain this, a short description of how passwords function is needed: in short, passwords are converted from plaintext by a cryptographic algorithm called a hash function, and only the result is stored. For example, a simple hash might store “HelloPassword” as “ppdapwojk” or some other string of characters. However, since the conversion is performed by a known algorithm, which works similarly to a real-life cipher, someone who knows which algorithm was used can run candidate passwords through it and match the results against the stored values, recovering the plaintext. There is a database of an estimated 600 million password hashes available on the internet, and if a password whose hash is in that database is used, it is relatively easy to recover the password once attackers gain access to the password storage file. Thus, besides having a complex password, protection of the hashing algorithm as well as protection of the password storage files is essential to preventing security breaches.
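The following is an added example, not code from the original article, showing the two points above together: the quoted complexity policy accepts “Password01”, and an unsalted hash of it is recovered instantly from a precomputed table, while a per-user random salt defeats that table. The “leaked” password list is constructed for the example and stands in for the public hash databases the text mentions.

```python
import hashlib
import os
import re
from typing import Dict, Optional

# Constructed stand-in for the public databases of leaked password hashes.
LEAKED_PASSWORDS = ["Password01", "Welcome123", "Summer2019!", "19850412"]


def meets_policy(pw: str) -> bool:
    """The policy quoted at the top of the article: 8-128 characters and at
    least 3 of the 4 classes upper / lower / digit / special."""
    if not 8 <= len(pw) <= 128:
        return False
    classes = [re.search(r"[A-Z]", pw), re.search(r"[a-z]", pw),
               re.search(r"[0-9]", pw), re.search(r"[^A-Za-z0-9]", pw)]
    return sum(1 for c in classes if c) >= 3


def unsalted_hash(pw: str) -> str:
    # Plain SHA-256 of the password: identical input gives an identical
    # stored value for every user, which is what a lookup table exploits.
    return hashlib.sha256(pw.encode()).hexdigest()


def salted_hash(pw: str, salt: bytes) -> str:
    # Same algorithm, but a random per-user salt is mixed in first, so the
    # stored value differs between users even for the same password.
    return hashlib.sha256(salt + pw.encode()).hexdigest()


# The precomputed table an attacker would bring: stored hash -> plaintext.
LOOKUP: Dict[str, str] = {unsalted_hash(p): p for p in LEAKED_PASSWORDS}


def recover_by_lookup(stored: str) -> Optional[str]:
    """Recover a plaintext from a stored hash by table lookup, if present."""
    return LOOKUP.get(stored)


def demo(pw: str = "Password01") -> dict:
    salt = os.urandom(16)  # fresh random salt, as a real system would store per user
    return {
        "meets_policy": meets_policy(pw),
        "unsalted_recovered": recover_by_lookup(unsalted_hash(pw)),
        "salted_recovered": recover_by_lookup(salted_hash(pw, salt)),
    }
```

In production, use a deliberately slow salted password hash such as scrypt, bcrypt or Argon2 rather than a single SHA-256: the salt defeats the shared lookup table, and the slowness raises the cost of guessing each user's password individually.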
Dangers of Dormant Accounts
One other major risk is password reuse. People often reuse the same password across apps and services like Uber, personal email, and social media. If any of these services is compromised, attackers obtain both the email address used to sign up for other services and the password for those services. Naturally, attackers will try the email or password obtained from the breach against multiple services, apps, or even company accounts, which oftentimes leads to multiple accounts being breached. Dormant accounts of previous users are also a serious security risk: they are often left untouched and thus provide access to people outside the company. They are also often undocumented, which leads to confusion about the purpose of the account and lowers the vigilance of employees. Dormant accounts are prime targets, since attackers may crack their passwords and fly under the radar.
Security is a complex, multilayered problem that must be addressed carefully. A few easy standards to enforce that can dramatically improve the resilience of a security system are:
- Mandatory password changes every 90 days, as well as reminders one week in advance.
- Ensure password hash values are stored securely, and employ salting (https://en.wikipedia.org/wiki/Salt_(cryptography)).
- Create high-risk alerts for any activity on dormant accounts to notify the security team. If your company does not have an in-house security team, the alternative is to remove dormant accounts from common groups and place them in a separate group that holds only dormant accounts. This group should then be isolated and denied any internet connection or network access, which reduces misuse over the network.
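As an added example of the dormant-account alerting recommended above (not code from the original article), the detection below runs over a constructed directory snapshot and constructed authentication log lines, and raises a high-risk alert for any activity, successful or failed, on an account whose last known login is older than an assumed 90-day threshold. The log format, account names and threshold are all assumptions made for the example.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed snapshot of the account directory: user -> last known login.
# "approver3" stands in for the shared third-approver account in the article.
ACCOUNTS: Dict[str, str] = {
    "alice": "2024-05-01",
    "bob": "2023-11-20",        # left the company, account never disabled
    "approver3": "2023-09-03",  # dummy approver whose password was shared
}

DORMANT_AFTER = timedelta(days=90)  # assumed threshold; tune per environment

# Constructed authentication log lines in a simple key=value format.
LOG_LINES = [
    "2024-05-06T08:12:01 auth=success user=alice src=10.0.0.12",
    "2024-05-06T22:47:19 auth=success user=bob src=203.0.113.7",
    "2024-05-07T03:05:44 auth=failure user=approver3 src=198.51.100.9",
    "2024-05-07T03:06:02 auth=success user=approver3 src=198.51.100.9",
]

LINE_RE = re.compile(r"^(\S+) auth=(\w+) user=(\S+) src=(\S+)$")


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; return None for malformed lines instead of crashing."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, outcome, user, src = m.groups()
    return {"ts": datetime.fromisoformat(ts), "outcome": outcome,
            "user": user, "src": src}


def days_dormant(user: str, at: datetime, accounts: Dict[str, str]) -> Optional[int]:
    """Days between the directory's last login for the user and the event time."""
    last = accounts.get(user)
    return None if last is None else (at - datetime.fromisoformat(last)).days


def dormant_account_alerts(lines: List[str], accounts: Dict[str, str]) -> List[dict]:
    """Alert on ANY event (success or failure) for an account idle longer than
    DORMANT_AFTER. The directory snapshot is deliberately not updated by the
    events themselves, so a burst of logins on a dormant account is flagged in full."""
    alerts = []
    for ev in filter(None, map(parse_line, lines)):
        idle = days_dormant(ev["user"], ev["ts"], accounts)
        if idle is not None and idle > DORMANT_AFTER.days:
            alerts.append({**ev, "days_dormant": idle, "severity": "high"})
    return alerts
```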
It is clear that passwords by themselves are not secure enough, and in response 2-factor authentication has seen a surge in popularity. 2-factor authentication (https://en.wikipedia.org/wiki/Multi-factor_authentication) is highly recommended wherever implementation is possible and will help tighten up security.