October has arrived. And while that means colorful foliage and Halloween for many of us, it is also a special time in the information security industry: cyber security awareness month – or NCSAM. Security Ledger will be supporting NCSAM this month with banner ads and other content that highlight NCSAM events.
Cyber Security Awareness Month – in its 11th year- is a public-private effort to raise public awareness about online security and safety. It’s best known for the “Stop. Think. Connect.” meme, but also is an occasion for elected officials and private sector firms to highlight cyber security issues.
In a Presidential Proclamation released on Tuesday, President Obama called cyber threats “one of the gravest national security dangers the United States faces.”
“They jeopardize our country’s critical infrastructure, endanger our individual liberties, and threaten every American’s way of life. When our Nation’s intellectual property is stolen, it harms our economy, and when a victim experiences online theft, fraud, or abuse, it puts all of us at risk. ”
|Read more Security Ledger coverage of passwords here.|
The President urged Americans take part in raising awareness of cyber security. Most important, the President said: “utilize secure passwords online and change them regularly.”
That’s sound advice – the connection between weak passwords and problems like account takeovers via brute force attacks is well-established. That, in turn, can lead to more serious crimes, such as identity theft.
Doubling down on the “use strong passwords” meme, the password management firm LastPass issued a security challenge: asking folks to use its Security Check feature to audit their passwords. (Funny coincindence: you have to download and install LastPass’s (free) password management software to do this.)
Migrating to secure passwords is low hanging fruit, to be sure. But the focus on strong passwords understates the complexity of the password question. As a recent news stories have made clear, common passwords are largely worthless, given the hundreds of millions of simple and predictable passwords that have already been leaked to the public domain.
And, as the above presentation by Rick Redman at the AppSecUSA conference makes clear: password complexity rules aren’t particularly helpful, either. Brute forcing tools coupled with cloud computing can make short work of passwords encrypted with all but the most powerful ciphers. And hard-ass password management often has the opposite effect as they’re trying to achieve: either forcing users to adopt lowest common denominator passwords that meet the password requirements. Or they’ll adopt insecure practices (like writing down long, complicated passwords) or reusing strong passwords between private (social media) and work accounts.
Even if you try your best to be original, humans have a hard time doing entropy. Redman notes that many of the LinkedIn accounts used some variant of the word “link” or “LinkedIn.” Shocker. How about substituting numbers for letters (“3” for “E”, “4” for “A” and do on). Knowledge of those patterns makes cracking a lot easier. Why brute force an entire range of values if you can be pretty confident of the kinds of patterns human beings use?
Redman is pretty convincing about the ways that even ‘best practices’ for making secure passwords are worthless. So it is unclear whether the proper advice for consumers is to change their passwords regularly, or to stop counting on them to protect their sensitive information altogether.
Of course, having the President come out and say “you should use two-factor authentication” would likely have the pundits screaming and lots of folks scratching their heads. But, still, pushing password refreshes as a security panacea may not have that big of an impact on the security of the public.
There are alternatives. Lance James suggested a “Pavlovian” password management scheme that links password durability with entropy. Users who adopt stronger passwords would be able to go longer without changing them.