password based security myths

Busting the Myths Surrounding Password-Based Security

People have been relying on password-based security for millennia. The Roman military reportedly used what they called “watchwords” to identify soldiers on patrol. Exclusive groups and guilds used secret passwords to prove membership. The phrase “open sesame” protected hidden treasure in the story of Ali Baba and the Forty Thieves. In more recent times, the world’s first computer passwords were installed in MIT’s Compatible Time-Sharing System to distinguish between users of their colossal, shared computing system in the mid-1960s. Passwords are a simple and easy way to recognize and affirm the appropriate participant of a system. But what happens when modern-day cybercriminals get involved?

In our latest series, we’re exploring all the ways password-based approaches are being utilized in cybersecurity today. Our last installment covered the current threat landscape and recent real-world trends of password use. In this post, we’re going to cover the prevailing myths surrounding password usage in our digital world and set the record straight on the best practices businesses should be adopting for proper password protocols as part of an overall cybersecurity strategy.

The Top 5 Password Myths and Why They Are Misleading

1. A strong password is a complicated password: False!

We’ve all been there. After entering a memorable new password, the system tells you it’s not strong enough. You should have capital letters, lowercase letters, numbers, and a special character. Before long, you’ve added the requirements for a “strong” password, but minutes later, you’ve forgotten whether you chose @ or $…or was it an &? The problem with these complicated passwords is how easy it is for users to forget them. To help remember them, employees tend to mix cases and characters within common dictionary words, which only leads to easily guessable, extremely common passwords like trustno1 and P@ssw0rd! If the mixed case, special characters, and numbers aren’t random, it defeats the purpose of using them in the first place. NIST guidelines encourage dropping these arbitrary password requirements and opting for longer passwords that are easier to remember – as long as they aren’t previously compromised.

2. Hash-based encryption will completely protect passwords in the event of a breach: False!

When a user creates a new password, most systems will store it by applying a one-way encryption algorithm. The algorithm converts the clear text of the password into a string of characters called a hash. There is no algorithm to unencrypt the hash. But hashing may give businesses a false sense of security in the event of a data breach. In reality, the typical population of user-generated passwords is small. As a result, rogue actors only need to use the same hashing algorithm to calculate hashes for all likely passwords. The resulting cracking dictionary allows the bad actor to look up any hash. Additional measures like salting and adaptive work hashing algorithms can help combat these cracking dictionary techniques, but only to a limited degree. It’s more important to make sure user-generated passwords are not among those previously compromised since hackers use those as the basis for their cracking dictionaries.  

3. Forcing users to change passwords regularly will improve security: False!

Frequent password changes are no longer considered good password security. NIST recommends only forcing users to change their passwords when there is evidence of compromise. Periodically switching out old passwords for new ones undermines security because it makes it difficult to remember passwords. To keep from forgetting their constantly changing passwords, most employees will alter a known password. This predictable behavior makes it easier for cybercriminals to guess the new password if they know old passwords. It’s also more likely that your employees will write down or otherwise store their passwords somewhere easy to find. And, just like “open sesame” in Ali Baba and the Forty Thieves, once someone else gets your password, your whole system is compromised.

4. Multi-Factor Authentication (MFA) and Two-Factor Authentication (2FA) are foolproof: False!

We’ve talked about the need for strong passwords as part of a robust, proactive MFA game plan before. But the myth that MFA and 2FA are foolproof, set-it-and-forget-it security strategies persists. We can’t say it enough, MFA may help protect your systems in the event of an attack, but only as part of a comprehensive and ever-evolving cybersecurity strategy. Businesses must take the initiative to keep compromised credentials out of their systems and implement things like zero-trust frameworks to mitigate the risks of a successful criminal campaign.

5. Passwords will be a thing of the past: False!

There has been talk of new technologies, like biometrics, eventually replacing password-based security measures. Indeed, we have evolved past the methods used by ancient Roman soldiers and the world’s first computers – or so the thinking goes. But this kind of reasoning discounts the very real and essential role passwords currently play in our digital daily lives. We are all familiar with passwords and understand their function. They are straightforward for anyone to use. Passwords are vital to an active, layered cybersecurity strategy, and they will continue to be for a long time. The essential requirement is to evolve our practices in light of modern password security practices (LINK TO ARTICLE ON MODERN PASSWORD). 

From brute-force, password spraying campaigns to multi-layered attacks on MFA, password-based security measures are constantly being tried and tested. Therefore, organizations must remain on alert and continuously update their standards and best practices as new technologies and guidelines emerge to stay ahead of bad actors. 

Our next installment will discuss the methods hackers use to get around strong password security, and we will go over the tools and tactics businesses can deploy to combat these threats.