Passwords and Secure Authentication – A Proportionate Approach

Tips on Creating Strong Passwords

23 June 2020

Securing user accounts has been a long-standing challenge and potential area of weakness that threat actors are all too keen to exploit. With the proliferation of cloud-based services and a sharp increase in remote working, organizations now face increased external exposure. Nowadays, secure authentication must consider not only strong passwords but also the deployment of multi-factor authentication (MFA), password management software and biometrics. But striking an acceptable balance between locking down user accounts and maintaining sensible levels of usability, whilst not incurring excessive overheads, continues to be a challenge.

A proportionate response, based on an assessment of risk and practicality, is the best way to ensure an appropriate implementation. Considering risk, an engineer with remote access into an electrical power plant clearly has a level of access that calls for a more robust authentication process than is required for a general employee. And considering practicality, a defined pool of financial advisors who actively manage multiple consumers' investments are more appropriate candidates for an MFA implementation than the larger group of consumers who occasionally log in to access summary data.

For the many who remain dependent on a traditional user ID and password model for system access, care must be taken to ensure user accounts are protected. Whilst performing penetration testing and password audits for its clients, Intertek NTA routinely finds simple passwords in use, and is typically able to crack more than 50% of the passwords in Active Directory within a given timeframe. So, why aren't users following the password guidance that should now be so familiar to them?

The term "password" may itself be a barrier, as the use of "word" as a suffix implies a single word is adequate. Consider then, the term "passphrase" – a phrase consisting of three random, seemingly unrelated but memorable words.

Passphrase Example: HorseGardeningLightbulb

The above passphrase, with its 23 upper- and lower-case characters, is considerably more complex than the average password and would take a significant length of time to brute force.
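As an added illustration (not part of the original article), the Python snippet below generates a three-word passphrase with a cryptographically secure random source and puts two strength figures for the HorseGardeningLightbulb example side by side: the size of the search space if an attacker must try every character combination, and the size if the attacker knows the words were drawn from a wordlist of a given size. The 7,776-word list size and the 8-character comparison password are assumptions, as is the toy wordlist.

```python
import math
import secrets

# Constructed toy wordlist for the demo only. A real deployment needs a
# list of several thousand common, memorable words; the entropy functions
# take the list size as a parameter so the figures are not tied to it.
SAMPLE_WORDS = ["horse", "gardening", "lightbulb", "river", "candle",
                "pillow", "window", "rocket", "meadow", "kettle"]

def generate_passphrase(wordlist, n_words=3):
    """Draw n_words uniformly at random with a CSPRNG and join them in
    the HorseGardeningLightbulb style (each word capitalised, no separators)."""
    return "".join(secrets.choice(wordlist).capitalize() for _ in range(n_words))

def bits_as_words(wordlist_size, n_words):
    """Entropy when the attacker knows the wordlist and the word count:
    the search space is wordlist_size ** n_words."""
    return n_words * math.log2(wordlist_size)

def bits_as_characters(length, alphabet_size):
    """Entropy when the attacker knows only the length and character set
    and must brute-force every combination."""
    return length * math.log2(alphabet_size)

def expected_years(bits, guesses_per_second):
    """Expected time to hit the secret after searching half the space,
    for a guess rate the caller supplies (an assumption, not a fixed figure)."""
    return (2.0 ** bits / 2) / guesses_per_second / (365 * 24 * 3600)

def compare(passphrase_words, wordlist_size, password_length=8, alphabet_size=52):
    """Return the figures a reviewer would want side by side for a passphrase
    built from passphrase_words, versus a random password of password_length."""
    phrase = "".join(w.capitalize() for w in passphrase_words)
    return {
        "phrase": phrase,
        "phrase_bits_vs_charset_bruteforce": bits_as_characters(len(phrase), alphabet_size),
        "phrase_bits_vs_wordlist_attack": bits_as_words(wordlist_size, len(passphrase_words)),
        "random_password_bits": bits_as_characters(password_length, alphabet_size),
    }

if __name__ == "__main__":
    # The article's own example, with an assumed 7,776-word list.
    for key, value in compare(["horse", "gardening", "lightbulb"], 7776).items():
        print(f"{key}: {value}")
    print("fresh passphrase:", generate_passphrase(SAMPLE_WORDS))
```

The gap between the two figures for the same passphrase is the practical point: the protection a passphrase offers against an attacker who guesses words rather than characters grows with the number of words and the size of the list they come from, so pick words from a large pool rather than a handful of favourites.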

If users or the organization remain apprehensive about creating and remembering complex passwords, a password manager – which can generate, remember and auto-populate password entry fields – could be considered. One caveat is that password managers themselves may be considered a high-profile target for hackers, so select your provider carefully.

Biometrics have been available for some time, and alongside the obvious benefit of requiring the user to be physically engaged in the authentication process, they offer added complexity without the challenge of memorability. Some mainstream offerings are gaining traction, but adoption remains relatively low, with users often hesitant and with rare but well-publicized news reports of the technology's fallibility doing little to ease its acceptance.

Passwords remain the default authentication method, and in most use-cases are considered adequately secure where care is taken in their selection and management. Where an assessment of risk and practicality deems appropriate, multi-factor authentication is encouraged, with password management systems and biometrics being options to consider.


James Richards,
Account & Training Manager


James Richards has been with Intertek NTA for five years and has delivered numerous staff security awareness training sessions across multiple sectors. A core topic of these sessions focuses on secure password guidance designed to improve risk management at all levels of business.