Usability vs Security

Traditional password security is typically based on length, complexity and history. Organisations decide the minimum length for a password, the minimum number of distinct character types, and how many of the most recently used passwords may not be reused. To complement this, organisations also set a duration that each new password will be valid for before it needs to be changed.

The best practice for password security is frequently debated, but the fundamental issue with the traditional approach is that the average user can’t be expected to think of a long, unique, complex password that they can remember, every 60-90 days.

With users struggling to choose such a password, Organisations are forced to make difficult decisions regarding these rules – they’ll choose a length that is “reasonable”, 8 characters, for example. Short passwords are easier to brute force, as there are fewer possible combinations of characters.

Types of attack

Breach replay

As well as having fewer possible character combinations, there are also fewer unique words or phrases that an average human will choose when considering their password. Think sports teams, days of the week, months of the year, greetings, with symbols or numbers substituted for letters, and a few numbers stuck at the end. With an exclamation mark of course!

The issue here isn’t necessarily with the complexity of this specific password, but the likelihood that the user would re-use this exact password on another site (or many other sites). If they do, and any of those sites are breached and credential pairs stolen, then any number of attackers have access to your user’s exact password.

In my previous post, I covered how easy it is for an attacker to use readily available reconnaissance tools to obtain and collate information about users within an organisation. Linking this database of collected person-data with a recent breach will allow an attacker to link names or email addresses with credentials, and attempt a login. In this scenario, it really doesn’t matter how complex the password was; the attacker has it in full.

With a username/password combination being the only thing preventing an unauthorised user from gaining access to your system, it’s vital that the passwords your users consistently choose are not blindingly obvious to someone who has done their research.

Phishing

That said, it’s not all about complexity and avoiding re-use. In many cases, attackers can simply ask the target user what their password is. This technique is man-in-the-middle / credential interception, better known as phishing. This can take the form of a generic email sent to a wide range of people in a non-targeted manner (phishing), but can also be more targeted at individuals, using knowledge obtained during recon exercises and research. These types of attack (spear phishing) have a much higher chance of success, but are more time-consuming to perform.

Mitigation

The password your users eventually choose mostly doesn’t matter, except in extreme cases where it’s shockingly simple, or re-used.

Protect against simple passwords

Azure Active Directory Password Protection provides ample protection against the former – a global list of banned passwords is used to ensure users can’t choose something shockingly simple.
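The predictable patterns described under “Breach replay” (a common base word, substituted characters, a few digits and an exclamation mark on the end) can be caught at password-change time with a banned-word check. The following is an added example, not part of the original post and not Microsoft’s algorithm; the word list, substitution map and `max_extra` threshold are constructed assumptions.

```python
import re

# Constructed sample list (assumption). A real deployment would combine a large
# common-password list with organisation-specific terms.
BANNED_BASE_WORDS = {"arsenal", "monday", "january", "welcome",
                     "hello", "password", "summer"}

# Common substitutions users make, mapped back to the letter they replace.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

def _letters(text: str) -> str:
    """Undo substitutions, then keep only the letters a-z."""
    return re.sub(r"[^a-z]", "", text.translate(LEET_MAP))

def candidates(password: str) -> set:
    """Base forms a human probably started from before decorating."""
    p = password.lower()
    # Variant 1: trailing digits/symbols are decoration ("...2024!").
    stripped = re.sub(r"[\d\W_]+$", "", p)
    # Variant 2: trailing characters are substitutions ("arsena1").
    return {_letters(stripped), _letters(p)}

def is_predictable(password: str, banned=BANNED_BASE_WORDS, max_extra=3) -> bool:
    """True when a banned word makes up almost all of the password.

    max_extra is the number of leftover letters tolerated around the banned
    word, so a long passphrase that merely contains one is not rejected.
    """
    for base in candidates(password):
        for word in banned:
            if word in base and len(base) - len(word) <= max_extra:
                return True
    return False

if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ["Ars3nal2024!", "M0nday1!", "P@$$w0rd123",
               "correct horse battery staple", "xK9#vT2qLm"]:
        print(f"{pw!r}: {'reject' if is_predictable(pw) else 'accept'}")
```

A check like this only addresses obviously simple choices; it cannot tell whether an otherwise strong password has been re-used elsewhere.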

Deter re-use

But what about re-use? The key here is to force the user to choose a password that is either so long, or so complex, that they’d never decide to use it elsewhere. Require a 12-character, complex password, and few users will have a password to re-use. This sits on the “more secure” side of the security/usability line, so the issue now is to ensure users are able to get on and do productive work, without being hampered by your choice of password requirement.

Conclusion

In part two I cover the concepts behind Azure Active Directory Password Protection, as well as methods that can be used to allow a user to be ‘happy’ with a long, complex, unique password.
