“The average user types in an average of eight passwords every day. They have six or more passwords, each of which is shared across four or more sites or apps that require passwords.”
“Weak and default passwords continue to be a notable risk. If this first line of defense fails, it leaves an organization vulnerable to a complete compromise.”
“40% of users write passwords down or store them in a simple text file. Despite this, nearly 80% of users had to reset a forgotten password at least once in the past 6 months, and 25% of users forget 3 passwords every month.”
“The sad truth is that passwords are a problem that nobody really wants to solve. Users want to do whatever is easiest… System owners lack the will to enforce an unpopular mechanism on users.”
Sound familiar? At CYRSS we help you formulate security that makes sense.
Introduction: System and Information Security
As enterprises large and small shift their information to the cloud, an explosion of SaaS tools are making it easier than ever for employees to collaborate and innovate. Much of this sharing is being done across time zones and physical locations, by workers who are telecommuting, working in shared or public spaces, and from open networks. Information is stored on central, third-party servers that are accessible across the company and the world by anyone with an internet connection.
As a result, online security is increasingly being pushed to the forefront as a major corporate expense. Yet, 89% of the global information workforce lack clarity on how security applies to the cloud. A recent article in Britain’s Guardian newspaper lays out the basic problem in this way: “Data is suddenly everywhere, and so are the number of people, access points and administrators who can control – or worse, copy – the data.”
A few other trends are also compounding the problem:
- The democratization of information technology, with the growing usage of enterprise SaaS applications like Salesforce or Box that are pushed out at the central level;
- The need for companies – especially newcomers eager to carve out an industry niche – to be fast, nimble and permeable in today’s market;
- Highly distributed workforces comprised of full-time employees, long-term contractors and outsourced support services scattered across the world;
- BYOD – bring your own device – work environments, which allow employees to share enterprise-level access controls across less secure personal environments;
- The rise of cloud-based environments, over which companies lack complete control; and
- Confusion about how to best manage insider threats, mobile access and compliance issues.
All this makes information security more important and difficult than ever.
Passwords, the keys to most online information, are at the forefront of electronic security. Designed as a generic way to establish and authenticate identity, passwords have today become the most vulnerable piece of electronic security. Corporations tend to use passwords because they have no other choice. Most current systems – from billing to reservations to sales databases – employ passwords as the default method of restricting access. Despite numerous studies and policies that indicate that using a single password across multiple apps is a security risk, a 2013 survey by Ping Identity showed that 83% of the tech security officers they surveyed did exactly that. Expand this practice to include every corporate employee that accesses enterprise information on their mobile phones, tablets or home computers and the scale of the problem becomes evident.
Passwords are everywhere in a typical modern enterprise environment. In addition to basic network logins, there is a plenitude of applications running on a multitude of systems that staff may need to access on a daily basis: groupware, CRM, accounting and finance, HR and benefits management, dashboards, analytics, project management, content management and more. These applications may be internally developed and hosted, licensed and hosted onsite, or, increasingly, service-based apps accessed over the Internet. There are also the physical servers and hardware, typically maintained by IT staff, used for network routing, telephony and printing.
Password Pain in the Modern Company
In an ideal world, users could access all of these apps and systems by signing on when they start their workday with a single set of credentials (and confirming later in the day, when relevant, for security). But in most modern businesses – especially small- to mid-sized ones – users typically have to remember multiple usernames and passwords to access various systems throughout their day. SaaS applications, increasingly leveraged by almost all companies today, are built as strict silos; they don’t talk to each other, nor are they aware of the surrounding corporate software environment. So even if your company is running the most advanced operating system, your daily platform – and the passwords used to access it – tends not to be integrated at all.
According to a report published by Microsoft Research, the average computer user types in an average of eight passwords every day. Their research also found that the average user has six or more passwords, each of which is shared across four or more sites or apps that require passwords. A similar study by Norton found that one-third of users have more than ten passwords to keep track of. It is no wonder, then, that workers tend to (a) pick weak, common passwords; (b) reuse them; (c) guard them insecurely and/or forget them; and (d) share them with colleagues.
A. Users Select Weak Passwords
In their 2013 Global Security Report, information security consulting company Trustwave sampled nearly 3.1 million passwords, mostly from compromised enterprise Active Directory servers. They found barely one-third of the passwords to be unique. Fifty percent of users are using bare minimum passwords, consisting of upper/lower/number combinations; over 88% of passwords did not contain a special character. “Password1” is still the most common password used by global businesses. Basic combinations of “password”, “welcome”, “hello”, and common names combined with simple numbers round out the list of the most common passwords. These commonly used, easily guessed passwords provide minimal defense against even the laziest of would-be hackers.
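The statistics above (share of unique passwords, share with a special character, share meeting only the bare upper/lower/digit minimum, and the most common values) are exactly what a defender computes when auditing a dump of their own organization's passwords before a policy change. The script below is an added example written for this page, not code from Trustwave or from CYRSS; the password list is a small constructed sample chosen to exercise the checks, and the set of dictionary bases is limited to the ones the paragraph names plus two first names.

```python
import string
from collections import Counter

# Constructed sample standing in for a password dump; these are illustrative
# values chosen to exercise the checks, not data from the Trustwave report.
SAMPLE_PASSWORDS = [
    "Password1", "Password1", "Password1", "welcome1", "hello123",
    "Summer2013", "admin", "admin", "Tr0ub4dor&3", "correct horse battery",
    "P@ssw0rd!", "michael1", "michael1", "jennifer", "Welcome1",
]

# Dictionary bases the page names as most common, plus two first names.
COMMON_BASES = {"password", "welcome", "hello", "admin", "michael", "jennifer"}


def char_classes(pw):
    """Set of character classes present: lower, upper, digit, special."""
    classes = set()
    for ch in pw:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def is_common_pattern(pw):
    """True for a known dictionary base optionally followed by digits and/or '!'."""
    return pw.lower().rstrip(string.digits + "!") in COMMON_BASES


def is_bare_minimum(pw):
    """Exactly the upper/lower/digit mix a minimal complexity rule asks for, nothing more."""
    return char_classes(pw) == {"lower", "upper", "digit"}


def audit(passwords):
    """Summarise a password list the way a dump analysis would: counts and percentages
    of unique values, special-character use, bare-minimum passwords, dictionary
    patterns, and the three most frequent values."""
    counts = Counter(passwords)
    total = len(passwords)
    summary = {
        "total": total,
        "unique": len(counts),
        "with_special": sum("special" in char_classes(p) for p in passwords),
        "bare_minimum": sum(is_bare_minimum(p) for p in passwords),
        "common_pattern": sum(is_common_pattern(p) for p in passwords),
        "top": counts.most_common(3),
    }
    for key in ("unique", "with_special", "bare_minimum", "common_pattern"):
        summary[key + "_pct"] = round(100 * summary[key] / total, 1)
    return summary


if __name__ == "__main__":
    for k, v in audit(SAMPLE_PASSWORDS).items():
        print(f"{k}: {v}")
```

Run against a real export the list would come from a cracked or recovered set rather than plaintext, and the "common pattern" check would use a full wordlist; the structure of the report stays the same.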
“Analysis reiterates the weakness of passwords in general, and the general failure of user education in good password creation and management,” wrote Rick Wanner, Technical Analyst for SaskTel, in his analysis of the passwords revealed in the leak of 860,000 hashes from Stratfor. “The weakest link in security is the user,” added Wanner.
Somewhat surprisingly, the “lions at the gate” – the corporate IT administrators – are not immune to this plague of poor password selection and management. Weak administrative credentials were at fault in eighty percent of the enterprise security incidents studied by Trustwave in their 2012 report. “The use of weak and/or default credentials continues to be one of the primary weaknesses exploited by attackers for internal propagation,” the report observes. “This is true for both large and small organizations, and largely due to poor administration.” Additionally, default passwords were used across a range of servers, network equipment, and client devices. Other common password combinations were “pitifully simple,” such as administrator:password, guest:guest, and admin:admin.
Trustwave’s findings led them to the clear conclusion: “Weak and default passwords continue to be a notable risk. If this first line of defense fails, it leaves an organization vulnerable to a complete compromise.”
Unfortunately, the rise of pervasive mobile computing and BYOD means users are now even more likely to choose simple, short passwords, given the less efficient input methods on mobile devices. Typing “strong,” complex passwords to log in to an application from a smartphone or tablet typically requires a user to switch between multiple on-screen keyboards in order to enter the required upper and lower case letters, numbers and symbols. This can be a tedious and error-prone process. To ease the frustration, users generally choose short, simple passwords, or leave their device and its applications unlocked. Even worse, in their 2011 poll, authentication technology provider Confident Technologies found that more than half of users do not use a password or PIN to lock their smartphone or tablet. Two-thirds said they leave applications permanently logged in unless they are required by the application to log in every time.
B. Password Reuse
Remembering which password—even a weak one—goes with which account can be challenging. So most users reuse the same password across multiple sites or apps. CIO Magazine reported that “the typical Internet surfer reuses the same password at an average of 49 websites.” Similarly, a 2012 Harris Interactive Poll found that 62 percent of online adults reuse the same password for more than one of their online accounts, and more than half don’t change passwords regularly.
Password reuse becomes a major security issue when sites or applications are hacked, and their user databases are stolen. Hackers then have access to potentially millions of username/e-mail and password combinations, which can be tried on other sites, or even against corporate networks. Recent high-profile breaches include LivingSocial, RockYou, LinkedIn, Dropbox, eHarmony, and Gawker Media, each losing in excess of 1.5 million user passwords or hashes. Twitter, Yahoo, Google and AOL have also had user data breaches in recent months. Since 2012, “more than 280 million ‘hashes’ (i.e., encrypted but readily crackable passwords) have been dumped online for everyone to see,” reports Wired Magazine. And in what may be the largest ever leak of user credentials, in September of 2013, Adobe lost 130 million email and password hash combinations (along with plain-text password hints, and other personally identifying information).
In the recent case where LinkedIn’s 6.4 million password database was leaked, a man sitting at home, running a high-end gaming machine he put together that could make 15.5 billion guesses per second, was able to crack 20 percent of the LinkedIn database’s user passwords in 30 seconds and 55 percent within two hours. After five days he had decoded more than 80 percent of the passwords in the LinkedIn database.
This password-cracking expert has recently unveiled a computer cluster that can cycle through as many as 350 billion guesses per second. It’s an almost unprecedented speed that can try every possible Windows passcode in the typical enterprise in less than six hours.
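The two guess rates quoted above (15.5 billion and 350 billion guesses per second) make it possible to put numbers on how long a given password class survives, and on the one server-side control that changes those numbers: a salted, deliberately slow password hash, which divides the attacker's effective rate by the hash's iteration count and forces each user's hash to be attacked separately. The following is an added example, not code from the page or from CYRSS; the PBKDF2 iteration count is an assumption to be tuned to your own hardware, and the "one iteration costs about one fast hash" conversion is a rough approximation.

```python
import hashlib
import hmac
import os

# Guess rates quoted on the page (guesses per second): the single gaming machine
# used on the LinkedIn dump, and the later cracking cluster.
GAMING_RIG_RATE = 15.5e9
CLUSTER_RATE = 350e9

# Assumption: PBKDF2-HMAC-SHA256 with this many iterations; tune it so that one
# verification costs a noticeable fraction of a second on your own servers.
PBKDF2_ITERATIONS = 600_000


def keyspace(length, alphabet_size):
    """Number of candidate passwords of exactly `length` symbols."""
    return alphabet_size ** length


def seconds_to_exhaust(space, guesses_per_second):
    """Worst-case time to try every candidate at a given guess rate."""
    return space / guesses_per_second


def slowed_rate(fast_rate, iterations):
    """Rough effective guess rate against a KDF costing `iterations` hash
    computations per guess (assumes one iteration ~ one fast hash)."""
    return fast_rate / iterations


def hash_password(password, salt=None):
    """Salted, iterated hash. The random per-user salt defeats precomputed tables
    and means a dump cannot be attacked for all users at once."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    lower8 = keyspace(8, 26)     # eight lowercase letters
    mixed12 = keyspace(12, 95)   # twelve printable ASCII characters
    print(f"8 lowercase, fast hash, 15.5e9/s: "
          f"{seconds_to_exhaust(lower8, GAMING_RIG_RATE):.0f} s")
    print(f"12 printable ASCII, fast hash, 350e9/s: "
          f"{seconds_to_exhaust(mixed12, CLUSTER_RATE) / 3.15e7:.0f} years")
    slow = slowed_rate(CLUSTER_RATE, PBKDF2_ITERATIONS)
    print(f"8 lowercase, slow hash, cluster: "
          f"{seconds_to_exhaust(lower8, slow) / 86400:.1f} days")
    stored = hash_password("Password1")
    print(verify_password("Password1", stored), verify_password("Password2", stored))
```

The arithmetic shows both halves of the lesson: a slow hash turns an eight-lowercase-letter search from seconds into days against the 350-billion-per-second cluster, which is worthwhile but still not safe, while length and character variety are what move the estimate into thousands of years. Slow hashing is a mitigation for the hash-dump scenario only; it does nothing against reuse of a password already cracked elsewhere.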
Once hackers have deciphered a user’s password, using readily available “script-kiddie” utilities, they can easily try logging into various sites or apps using those credentials. And if a user has registered for a hacked service using their work email address – which likely maps back to their network user name – and the same password they use at work (which happens all too frequently), the corporate pain can be immense.
The scope and increasing frequency of major breaches should be a wake-up call to anyone still using identical logins for different services. “Users have two options,” noted Mikko Hypponen, Chief Research Officer at security advisers F-Secure. “Either remember a variety of passwords or use a password management tool – software that manages your passwords for you so you only need to remember one master password for the tool, and it then recalls and enters the credentials for you – I recommend the latter.”
C. Password Lifecycle: Select, Scribble, Forget and Request Reset
Corporate password policies commonly require users to choose a new password every 90 days. While this policy typically does not lead to users selecting better passwords, it does make it harder for users to remember them, and contributes to password fatigue. Studies by McAfee and Norton show that more than 40% of users write their passwords down, or store them in a simple text file. And despite this practice (which can lead to passwords being stolen via lifted sticky notes), nearly 80% of users had to reset a forgotten password at least once in the past 6 months, and 25% of users forget three or more passwords every month.
Forgotten passwords are costly for companies, as users and IT staff lose productivity during the reset process. According to the Gartner Group, between 20% and 50% of all help desk calls are for password resets. Forrester Research states that the average help desk labor cost for a single password reset is about $70. IT research group Info-Tech estimates that enterprises spend roughly $118 per user per year on password-related help desk support and lost employee productivity.
While password reset costs vary by organization, the result of more complex password policies is consistent: an increased number of password reset calls. For the user, a forgotten password represents frustration and lost productivity while they wait for support; for the IT organization, it is mundane and time-consuming work, which is also the leading cause of high turnover in technical support positions.
Shared Passwords, Shared Pain
In today’s SaaS-dependent work environment, it is common for workers to need to share access to documents or apps with co-workers, temporary staff or vendors. Teams may also need to share a single account in certain apps or services, like Twitter or Facebook. These shared accounts can be a serious challenge for the company’s audit and IT regulatory compliance requirements.
And what happens when a team member leaves the organization, and their access to this shared, single account needs to be revoked? Most organizations lack a clear, consistent process for creating a new password when a member is “offboarded.” Managing frequent password changes in a large, distributed team environment can be a nightmare. But that is nothing compared to the backlash of a jilted ex-employee or contractor posting inappropriate rantings through the company’s official account, or accessing sensitive corporate data through a SaaS that wasn’t locked down after they left.
Summarizing the sad state of passwords in practice, Jay Heiser, VP of IT Risk Management and Security Policy at Gartner Group, in his article “Passwords are Dead; Long Live the Password” wrote:
“The sad truth is that passwords are a problem that nobody really wants to solve. Users want to do whatever is easiest, and don’t want to be burdened by the inconvenience of strong authentication. System owners don’t want to spend any money on stronger authentication, and lack the will to enforce an unpopular mechanism on users.”
Enter Single Sign-On Solutions
One potential solution for the password pain points is a single sign-on (SSO) system. The Open Group concisely defines SSO as “[a] mechanism whereby a single action of user authentication and authorization can permit a user to access all computers and systems where he has access permission, without the need to enter multiple passwords.”
From a technical perspective, a single sign-on solution eliminates the redundant entry of ID and password information by providing seamless and rapid entry into multiple applications and resources, regardless of network or domain. The SSO will provide or connect to a centralized authentication repository, and will store and service requests for authentication and authorization for the varied applications and systems that a user needs to access.
The Open Group goes on to highlight some of the benefits of a modern SSO solution to enterprises: “A service that provides [coordination and integration between user sign-on functions and user account management across domains] can provide real cost benefits to an enterprise through:
- reduction in the time taken by users in sign-on operations to individual domains, including reducing the possibility of such sign-on operations failing.
- improved security through the reduced need for a user to handle and remember multiple sets of authentication information.
- reduction in the time taken, and improved response, by system administrators in adding and removing users to the system or modifying their access rights.
- improved security through the enhanced ability of system administrators to maintain the integrity of user account configuration including the ability to inhibit or remove an individual user’s access to all system resources in a coordinated and consistent manner.”
From the end-user’s perspective, an SSO solution is password fatigue relief: they need only one username and password combination, which they might enter as infrequently as once per day, to gain access to all the protected apps and services they need to perform their jobs. They no longer need to remember and juggle multiple username and password combinations. Among the other benefits of a modern SSO solution, users can more easily collaborate with co-workers and suppliers, because access can be delegated and shared without sharing actual passwords. Modern SSO solutions can also offer valuable cross-application usage reports that can aid in regulatory compliance tracking.
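The mechanism described in this section (one authentication against a centralized repository, a token the individual applications trust, and the Open Group's point that an administrator can inhibit a user's access to every resource in one coordinated step) is easier to reason about in code. The model below is an added example written for this page, not code from CYRSS, The Open Group or any SSO product: a shared-secret HMAC token stands in for the SAML assertion or OIDC token a real deployment would issue, the applications consult the directory directly where a real deployment would rely on short token lifetimes plus provisioning and deprovisioning, and all users, app names and keys are constructed.

```python
import hashlib
import hmac
import os
import time

# Assumption: a shared-secret HMAC token stands in for the SAML assertion or
# OIDC token a real SSO deployment would issue; users, apps and keys are constructed.
KDF_ITERATIONS = 100_000


class Directory:
    """The centralized authentication repository: one credential per user,
    the apps each user is entitled to, and an active flag."""

    def __init__(self):
        self.users = {}

    def add_user(self, username, password, apps):
        salt = os.urandom(16)
        self.users[username] = {
            "salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS),
            "apps": set(apps),
            "active": True,
        }

    def check_password(self, username, password):
        rec = self.users.get(username)
        if rec is None or not rec["active"]:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], KDF_ITERATIONS)
        return hmac.compare_digest(candidate, rec["hash"])

    def is_entitled(self, username, app):
        rec = self.users.get(username)
        return bool(rec and rec["active"] and app in rec["apps"])

    def grant(self, username, app):
        """Delegate access to one more app without handing out a password."""
        self.users[username]["apps"].add(app)

    def offboard(self, username):
        """One action that locks the user out of every app at once."""
        if username in self.users:
            self.users[username]["active"] = False


class IdentityProvider:
    """Performs the single authentication and issues a signed, expiring token."""

    def __init__(self, directory, signing_key, ttl_seconds=8 * 3600):
        self.directory = directory
        self.key = signing_key
        self.ttl = ttl_seconds

    def login(self, username, password, now=None):
        if not self.directory.check_password(username, password):
            return None
        expires = int(now if now is not None else time.time()) + self.ttl
        body = f"{username}|{expires}"
        sig = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}|{sig}"


class ServiceApp:
    """An application that trusts the IdP's token instead of keeping its own password store."""

    def __init__(self, name, directory, signing_key):
        self.name = name
        self.directory = directory
        self.key = signing_key

    def authorize(self, token, now=None):
        try:
            username, expires, sig = token.split("|")
            expires = int(expires)
        except ValueError:
            return False                      # malformed token
        expected = hmac.new(self.key, f"{username}|{expires}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return False                      # forged or tampered token
        if expires <= (now if now is not None else time.time()):
            return False                      # expired token
        return self.directory.is_entitled(username, self.name)   # revoked or not entitled


if __name__ == "__main__":
    directory = Directory()
    directory.add_user("alice", "correct horse battery", ["crm", "hr"])
    key = os.urandom(32)
    idp = IdentityProvider(directory, key)
    crm = ServiceApp("crm", directory, key)
    token = idp.login("alice", "correct horse battery")
    print("crm before offboarding:", crm.authorize(token))
    directory.offboard("alice")
    print("crm after offboarding:", crm.authorize(token))
```

The point worth noticing is that the applications never see a password at all: the only credential is the one the directory holds, so delegation is a change to an entitlement set and offboarding is a single flag flip that every application honours on its next request.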
An alternative solution to many of the password pain points raised above is multi-factor authentication (MFA). In MFA, two or more items are required to authenticate a user:
- something the user knows (e.g., password, PIN, pattern);
- something the user has (e.g., keycard, mobile phone, token/fob); and
- something the user is (e.g., a biometric characteristic, such as a fingerprint, iris print or voice signal).
Multi-factor authentication offers superior security versus systems secured with only a password. However, the initial setup and ongoing maintenance of MFA systems are typically an issue for small and medium-sized businesses. For those businesses with sufficient resources available, the good news is that many single sign-on solutions also support multifactor authentication schemes, providing what is likely the best of both worlds.
Though passwords are not an ideal solution for an enterprise-level endeavor, companies large and small will be stuck with them for some time to come. In the meantime, single sign-on and strong password policies are most companies’ best solution.
As Rick Wanner concluded in his Internet Storm Center post, “It is clear that we need to continue to work on educating users. The minimum we need to instill in our users is:
- reiterate good password creation and management processes
- discourage password reuse
- promote the use of [password vault & SSO] tools.”