We need to rethink our password strategy. There are so many rules of thumb regarding passwords that
simply don't work today. We spend a lot of time building perimeter firewalls and encrypting data, yet
one item will still breach those defenses: passwords.
Password Physical Security
Before discussing strengths and weaknesses of passwords, let's consider the physical security
of passwords. Unless you implement good physical security for passwords ...
- Most security breaches occur from the inside.
- Do your users use yellow Post-It Notes to remember their passwords?
- Take a look at a user's keyboard. Are there a half-dozen keys that are completely worn off?
If so, then the keyspace for that password is probably within those characters.
- Do you use wireless keyboards? Your passwords (and all keystrokes) are being transmitted
over the air without any form of encryption. Wireless keyboard sniffers are easy to purchase.
Some of these sniffers will fit in a pocket, recording everything around them.
- Educate users about shoulder surfing. I have seen so many passwords just by standing to the
right of someone while they log in. Combine shoulder surfing with worn keys and credentials are
much easier to obtain.
- Create a password policy. This must include rules for password creation, deployment, management, rotation, monitoring and auditing.
- Learn about password entropy. Understand what factors are important for password security.
- Do not use password policies that promote passwords which are difficult to remember yet easy for computers to guess.
- Do not store passwords for users or customers on your website. Either subcontract your identity services to a third party or implement your own secure service that does not run on the same systems as your websites.
- Do not send user or customer passwords via email. Create a new temporary password and force the user to change the password on the next login. Ensure that the temporary password link times out.
- Deploy Multi-Factor Authentication. Passwords are almost always the weakest link in a security framework.
- Deploy password filters. Detect common word strings within passwords.
- Implement password honeypots. Detect when someone is using common usernames / passwords to break into your systems and quarantine that user / host. Give this honeypot a public DNS name that looks appealing. Bad actors often use public DNS information to attempt exploits. This honeypot should initiate a firewall action to block that IP address.
- Do not assume that encrypting passwords is secure. An example would be a website where the
username and password are stored in a database. If this database can be breached, it will not
take long to figure out which encrypted passwords are the same, because without a per-password
salt, identical passwords encrypt to identical values. This means that common passwords
such as "password123" were selected by the users. In this example, a password database attack will
be easier to accomplish.
- Carefully review how you manage password hints. A lot of times these questions are just too
easy to break. An example is asking for your mother's maiden name. This is easily retrieved from
- Do not store passwords as unsalted hash values. This method has similar weaknesses to
encrypting passwords without a salt value.
- If you must store passwords, encrypt each password with a unique salt value. Store the salt with the password.
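As an added illustration of the last three points (example code written for this page, not from the original author): a constructed three-user table shows that an unsalted hash exposes which users share a password, while a per-password random salt with PBKDF2-HMAC-SHA256 does not, and the stored salt is what lets a later login be verified. The iteration count is an assumed work factor.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample user table: two users picked the same weak password.
USERS = {
    "alice": "password123",
    "bob": "password123",
    "carol": "correct horse battery staple",
}

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune for your hardware


def unsalted_hash(password: str) -> str:
    """Deterministic (unsalted) hash: equal passwords give equal digests."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256. Returns (salt, derived_key); store both."""
    if salt is None:
        salt = os.urandom(16)  # unique random salt for this one password
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, key


def verify_password(password: str, salt: bytes, stored_key: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, key = hash_password(password, salt)
    return hmac.compare_digest(key, stored_key)


def duplicate_groups(stored: Dict[str, str]) -> List[List[str]]:
    """Users whose stored values collide: what a dump of the table reveals."""
    by_value: Dict[str, List[str]] = {}
    for user, value in stored.items():
        by_value.setdefault(value, []).append(user)
    return [users for users in by_value.values() if len(users) > 1]


def build_unsalted_table(users: Dict[str, str]) -> Dict[str, str]:
    return {u: unsalted_hash(p) for u, p in users.items()}


def build_salted_table(users: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    return {u: hash_password(p) for u, p in users.items()}
```

Running `duplicate_groups` over the unsalted table groups alice and bob together; over the salted table it finds nothing, even though their passwords are identical.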