Security and Password Policies: Best Practices

Passwords are ubiquitous and have been used to authenticate trusted users into systems since before the internet. Password policies that enforce high-entropy passwords and best-practice rules give the best chance of preventing unauthorised access to a system.

The most common threats to authentication security are: 

  • Bad password storage methods

    • Passwords that aren't stored properly can cause serious security risks

  • Poor password creation and practices

    • Without a password policy, users are more likely to choose passwords that are easy to guess 

  • Devices without encryption utilise bad password sharing practices 

  • Database breaches can leak passwords from other third-party systems
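The first threat in the list, bad password storage, is easiest to see side by side. The following is an added example, not code from this article or from Amazee Labs: it contrasts an unsalted fast hash (where every user who chose the same password gets the same stored value, so one leaked table cracks them all) with a salted, deliberately slow PBKDF2-HMAC-SHA256 record and a constant-time verifier. The 600,000 iteration count is the commonly cited OWASP figure and the record format `pbkdf2_sha256$<iterations>$<salt>$<digest>` is an assumption of this example.

```python
import hashlib
import hmac
import secrets

# Added example; constructed for illustration, not the article's or Amazee Labs' code.
# Iteration count is the commonly cited OWASP figure for PBKDF2-HMAC-SHA256.
ITERATIONS = 600_000


def weak_hash(password: str) -> str:
    """The 'bad storage' case: unsalted, fast MD5. Identical passwords give
    identical hashes, so a single lookup table cracks every user who chose it."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, deliberately slow hash. Returns a self-describing record
    'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' (format assumed here)."""
    salt = secrets.token_bytes(16)  # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in
    constant time so the response time does not leak how many bytes matched."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record: never accept
    if algorithm != "pbkdf2_sha256":
        return False
    expected = bytes.fromhex(digest_hex)
    actual = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(expected, actual)


if __name__ == "__main__":
    # Constructed sample credential for demonstration only.
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password(record, "correct horse battery staple"))  # True
    print(verify_password(record, "Pa$$w0rd1"))                      # False
    # Two users with the same password, same weak hash: the table-lookup problem.
    print(weak_hash("password") == weak_hash("password"))            # True
```

Because the record carries its own salt and iteration count, the cost factor can be raised later for new or re-hashed passwords without breaking verification of existing ones.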

The problem with passwords

Authentication processes, in general, need to be easy to remember and understand but also need to be usable and not take too long to complete.

Having a single authentication scheme (a password manager, for example) to gain access to all sites offers the convenience of only having to remember a single process, PIN and password. However, this also introduces a single point of failure. For example, if someone were to gain unauthorised access to this system, then the same individual would also be able to gain access to all of the other listed services as well.

Authentication systems, in general, can be too complex and time consuming for the average user, especially those working in a time-sensitive environment (such as healthcare, security and defence). When considering an authentication system there should be a compromise between the extra security it offers and the extra hindrance it places on the productivity and workload of end-users.

Authentication and Productivity

A complex authentication process can affect user productivity. By some estimates, the time spent on these authentication tasks can be up to 30 minutes a day which translates to 3 weeks a year. They also require a lot of work from the users, such as having to remember a lot of different, frequently-changed passwords that cannot be stored physically.

When faced with complex processes, the result can be that employees revert to insecure practices or coping strategies that reduce security and promote a general sense of low security motivation. The goal of the user then becomes reducing the amount of cognitive effort: entering something much simpler and faster, or not having to remember anything at all.

Difficulties on mobile devices

There is an increased difficulty in entering a password on mobile user interfaces. Considering that mobile devices are the most commonly used devices for accessing systems today, this has a significant negative effect on the productivity of the majority of staff. Password entry on mobile has been shown to be more challenging, both cognitively and physically. It can be 3-5 times harder to type the same complex password on a touch screen device than on a computer. 

Password Managers

Password managers such as Dashlane, 1Password, and LastPass are good tools to help users generate high entropy passwords for the accounts they visit, storing them inside an encrypted vault and providing automatic completion of these authentication details during login. 

Advantages of these tools include: 

  • Peace of mind that passwords are safe all in one place.

  • The ability to align password policy standards to the password manager’s configuration settings.

  • We can share passwords from encrypted vaults securely.

However, due to their popularity, these programs become a desirable target for online attacks, with the master password being a single point of failure. 

Disadvantages of password managers are: 

  • Online PM services could be breached and credentials leaked. (They have had some security issues, but unauthorised access to password vaults has not happened yet; it might in the future.)

  • Vulnerabilities could arise in browser software and affect the service (e.g. browser plugins)

  • Some login forms disable autocomplete.

  • Services that require one-time passwords are problematic.

  • Problems also arise with services that use multi-factor authentication.

Bug bounty research has even shown that some password managers can expose the master password in the computer's memory. However, taking advantage of this would require either physical or remote access to the computer, and if users have two-factor authentication enabled a compromise is even less likely.

While there are always risks, PMs are still the best tools for offering authentication services online.

2FA / Multi-factor Authentication

Implementing secure two-factor authentication processes is not always considered the best approach, for reasons similar to those described above: they create additional inconvenience for users. According to Paul Dourish et al.: “A major obstacle to the development of more effective security strategies is that these systems often match poorly to the ways in which people need to make use of them.”

So how do we proceed? While password policies and standards aren’t providing a perfect solution to the above, they are still worth implementing. 

Password Policies

Password policies allow employees to understand why certain passwords are weak or easy to guess, and how attackers carry out certain authentication attacks. As a result, they are more likely to create more secure passwords themselves, and it is less likely that a rule requiring a number, an uppercase character and a symbol will be satisfied with ‘Pa$$w0rd1’.

What makes a “good” password?

  • Complexity - the rules associated with setting passwords to try and guarantee that the passwords used are both difficult-to-crack as well as difficult-to-guess.

  • A minimum number of alphanumeric characters, mixed case, and completely random is best practice.

The term “good entropy” refers to the level of randomness present in a system; in this case, the string of characters that makes up a password. Choosing a random string of numbers, symbols and case-specific letters seems to be good practice, but it can be limiting when strict requirements reduce the key space and cause users to set passwords in predictable ways, causing more harm than good. Ultimately, a password needs to be one that is not vulnerable to either dictionary attacks or brute force.

xkcd suggests four random and not very common words. 
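To make the entropy argument concrete, the following is an added example (not the article's own code) that computes the bits of entropy for a uniformly random password as log2(N^L) = L × log2(N), for a passphrase of random words, and for a "complexity rule satisfied predictably" pattern where the parts are chosen from small sets so their bits simply add. The 2048-word list matches the roughly 11 bits per word that the xkcd comic assumes; the 7776-entry Diceware size, the 50,000-word dictionary and the "10 popular symbols" figure in the predictable pattern are constructed assumptions for illustration.

```python
import math
import secrets
import string

# Added example; not the article's code. Alphabet sizes are exact; the word-list
# sizes and the predictable-pattern component counts are constructed assumptions.
ALPHABETS = {
    "digits": string.digits,                                       # 10 choices
    "lowercase": string.ascii_lowercase,                           # 26 choices
    "mixed case + digits": string.ascii_letters + string.digits,   # 62 choices
    "mixed case + digits + symbols":
        string.ascii_letters + string.digits + string.punctuation,  # 94 choices
}
XKCD_WORDLIST = 2048      # ~11 bits per word, as the xkcd comic assumes
DICEWARE_WORDLIST = 7776  # 6^5 entries, the classic Diceware list size (assumption)


def entropy_bits(choices: int, length: int) -> float:
    """Entropy of a string drawn uniformly: log2(choices ** length) = length * log2(choices)."""
    return length * math.log2(choices)


def pattern_entropy(component_choices) -> float:
    """Entropy of a password built from independent parts (word + digits + symbol):
    the bits of each part add up, which is why 'Word12!' style passwords are weak."""
    return sum(math.log2(n) for n in component_choices)


def expected_guesses(bits: float) -> float:
    """An attacker enumerating the whole space expects to succeed after half of it."""
    return 2 ** (bits - 1)


def random_password(alphabet: str, length: int) -> str:
    """Generate with the CSPRNG (secrets), never the random module, for real credentials."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare_schemes() -> dict:
    """Bits of entropy for several schemes of comparable typing effort."""
    full = ALPHABETS["mixed case + digits + symbols"]
    alnum = ALPHABETS["mixed case + digits"]
    return {
        "8 random chars, mixed case + digits + symbols": entropy_bits(len(full), 8),
        "12 random chars, mixed case + digits": entropy_bits(len(alnum), 12),
        # Constructed pattern: capitalised word from ~50,000 common words,
        # two digits, one of ~10 popular symbols. Satisfies the rule, predictably.
        "Word + 2 digits + symbol (predictable)": pattern_entropy([50_000, 100, 10]),
        "4 random words, 2048-word list (xkcd)": entropy_bits(XKCD_WORDLIST, 4),
        "5 random words, Diceware list": entropy_bits(DICEWARE_WORDLIST, 5),
    }


if __name__ == "__main__":
    for scheme, bits in compare_schemes().items():
        print(f"{scheme:48s} {bits:6.1f} bits  ~{expected_guesses(bits):.2e} guesses")
    print(random_password(ALPHABETS["mixed case + digits + symbols"], 12))
```

Running it shows the point of the paragraph: the predictable word-plus-digits pattern lands around 26 bits even though it passes a typical complexity rule, while four random words from a 2048-word list give 44 bits and a 12-character random alphanumeric string gives about 71. The guess count is the attacker's expected work; how long that takes depends entirely on the guessing rate, which is set by how the password is stored (see the storage example above).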

[Image: xkcd password strength comic. Image © xkcd, Creative Commons Attribution-NonCommercial 2.5 License.]

How we handle password management at ALGM

Now that we’ve covered the background, here are the password policies we use at Amazee Labs: 

Password creation

  • Passwords must be unique and not reused across any of the user's other work-related accounts. Ideally, a Password Manager's randomly generated password should be used.

  • Passwords should not resemble any passwords used for their own, personal accounts.

  • Users with system-level privileges should use passwords that are distinct from those of all of their other highly privileged accounts.

  • Restrict the use of common words
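The creation rules above (uniqueness across work accounts, restricting common words) and the earlier ‘Pa$$w0rd1’ observation can be enforced at the point where a password is set. The following is an added example, not Amazee Labs' own tooling: it normalises case and the usual leetspeak substitutions before checking, so that ‘Pa$$w0rd1’ is recognised as ‘password’ rather than slipping past a complexity rule. The deny list, the 12-character minimum and the substitution table are constructed assumptions; a real deployment would load a breached-password or common-word list of many thousands of entries.

```python
import unicodedata
from typing import Iterable, List, Optional

# Added example; constructed for illustration, not Amazee Labs' policy code.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin", "amazee"}
MIN_LENGTH = 12  # assumed minimum

# Substitutions users typically apply to satisfy "number and symbol" rules.
LEET = str.maketrans({
    "$": "s", "@": "a", "0": "o", "1": "i", "!": "i",
    "3": "e", "4": "a", "5": "s", "7": "t",
})


def normalise(password: str) -> str:
    """Fold Unicode, case and common substitutions so 'Pa$$w0rd1' becomes 'passwordi'."""
    folded = unicodedata.normalize("NFKC", password).lower()
    return folded.translate(LEET)


def contains_common_word(password: str) -> Optional[str]:
    """Return the longest denied word found inside the normalised password, if any."""
    norm = normalise(password)
    for word in sorted(COMMON_WORDS, key=len, reverse=True):
        if word in norm:
            return word
    return None


def check_policy(password: str, username: str,
                 other_passwords: Iterable[str] = ()) -> List[str]:
    """Apply the creation rules; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    word = contains_common_word(password)
    if word:
        problems.append(f"contains the common word '{word}'")
    norm = normalise(password)
    if username and username.lower() in norm:
        problems.append("contains the username")
    # Uniqueness across the user's other work accounts, compared in normalised
    # form so that 'Summer2023!' and 'summer2023' count as the same password.
    if any(norm == normalise(other) for other in other_passwords):
        problems.append("reused from another account")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    print(check_policy("Pa$$w0rd1", "alice"))
    print(check_policy("correct horse battery staple", "alice"))
    print(check_policy("Summer2023!xyz", "bob", ["summer2023!xyz"]))
```

Comparing against `other_passwords` assumes the check runs inside a tool that already holds the user's other credentials, such as a password manager's audit feature; a server-side check for a single service can only apply the length, common-word and username rules.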

Password change

  • A password only needs to be changed if there is a reason to believe that a password has been leaked or compromised. Mandatory periodic password resets are not advised. 

Sharing of passwords

  • Passwords should not be shared with anyone, including co-workers. There are occasions where user accounts need to be shared amongst a team (for a system that has no individual user accounts); in this situation passwords should be shared using a company-authorised and trusted Password Manager.

Best practice standards

  • Do not reuse passwords across different services.

  • Do not share passwords in plain text across any platform, including email, communication services like Slack or SMS.

  • Usernames should also be unique - no using default system usernames such as ‘admin’ or ‘root’.

  • Do not use any in-browser ‘remember password’ feature, always store passwords inside a Password Manager.

  • Ensure 2FA is enabled if possible, especially for Password Manager services.

  • Work off a ‘least privilege’ model.

  • If any services you’ve been using for authentication are suspected to have been compromised, then change the associated password for that account immediately.

The future of better authentication

Ultimately, there needs to be a shift in thinking to move away from passwords. In the future, these systems can use the information we already have on users such as their location, biometrics, devices, and patterns of use to provide low-effort authentication alternatives. 

Research on “zero perceived effort” authentication is promising. This includes Roy Maxion’s work on keystroke recognition, which shows how biometric technology can be used to recognise users from their typing habits.

Other biometric authentication, such as fingerprint or camera-based systems are also interesting alternatives. Take the example of a smart car, where fingerprint authentication is used not only to start a vehicle but to remember each user’s seat position, steering wheel position, ambient temperature, and other collaboration settings. 

This would be an example of both a productive and secure approach to authentication - the user gets a lot of valuable feedback from a speedy process. As with all emerging technologies, there are some issues with its use and therefore there still needs to be some form of backup to support these. This would likely take the form of other multi-factor authentication methods. 

Furthermore, as technology evolves so do ways to compromise it. Eventually, biometrics will also be subject to attacks. In high-security environments, companies will need to ensure with fingerprint detection checks that there is a pulse behind the fingers. Otherwise, security can be compromised even in these systems. There have already been cases where would-be hackers have printed impressions of stolen fingerprints using special cartridges, and, in extreme cases, used real severed digits. 

Implicit authentication is a form of authentication through constant monitoring and measuring of user input and behaviour. Unsurprisingly, there are numerous privacy concerns emerging from this practice. Users do not want their behaviour to be constantly tracked. The question becomes: who is handling this data, and how is it being used?

As technology changes, security risks change too. Keeping up to date on the best practices for password security, and balancing them with the needs and convenience of your users, will ensure you have a secure and productive environment for everyone working on your projects. 

Want to know more about how secure your projects are? We offer security audits of websites, get in touch with us today to find out more.