Security and Password Policies: Best Practices

Tim Clifford / Aug 31, 2021

Passwords are still a mainstay of securing web application authentication systems. They can also be the source of many usability issues and productivity issues. In this blog, we’ll outline password policies and best practice processes to address this balance.

Passwords are ubiquitous and have been used to authenticate trusted users into systems even before the internet. Password policies that enforce high entropy passwords and best practice rules on passwords have the best chance to prevent unauthorised access into a system.

The most common password-related threats to authentication security are:

  • Poor password creation - the fear of forgetting typically results in weak passwords. 
  • Poor practices - reusing passwords because it is easier to recall (according to a survey from LastPass - around 60% of users continue to use the same passwords). 
  • Without a password policy, users are more likely to choose passwords that are easy to guess.
  • Devices without encryption utilise bad password sharing practices.
  • Database breaches can leak passwords from other third-party systems.
  • Bad password storage methods - can cause serious security risks.

The problem with passwords

Authentication processes need to be easy to remember and understand, but also need to be usable and not take too long to complete.

Having a single authentication scheme (a password manager for example) to gain access to all sites, aids the convenience of only having to remember a single process, pin, and password. However, this also introduces a single point of failure. For example, if someone were to gain unauthorised access to this system, then the same individual would also be able to gain access to all other listed services as well.

Authentication systems, in general, can be too complex and time consuming for the average user, especially those working in a time-sensitive environment (such as healthcare, security and defence). When considering an authentication system there should be a compromise between the extra security it offers, and the potential additional hindrance to productivity it could cause for its end-users.

Authentication and Productivity

A complex authentication process can affect user productivity. By some estimates, the time spent on these authentication tasks can be up to 30 minutes a day, which adds up to 3 weeks a year. They also require a lot of work from the users, such as having to remember a lot of different, frequently-changed passwords that cannot be stored physically.

When faced with complex processes, the result can be that employees revert back to insecure practices or coping strategies that reduce security and promotes a general sense of low-security motivation. The goal then is to reduce the amount of cognitive effort by entering something much simpler, faster or not having to remember anything at all.

Difficulties on mobile devices

There is an increased difficulty in entering a password on mobile user interfaces, and this is something quite often overlooked. Considering that mobile devices are the most commonly used for accessing systems today, this proves to be quite a significant negative effect on the majority of staff productivity. Password entry on mobile is proven to be more challenging, both cognitively and physically, to enter. It can be up to 3-5 times harder to type the same complex password on a touch screen device when compared to a computer. 

Password Managers

Password managers such as Dashlane, 1Password, and LastPass are good tools to help users generate high entropy passwords for the accounts they visit, storing them inside an encrypted vault and providing automatic completion of these authentication details during login. 

Advantages of these tools include: 

  • Peace of mind that passwords are safe all in one place.
  • The ability to align password policy standards to the password manager’s configuration settings.
  • We can share passwords from encrypted vaults securely.
  • No need to write down passwords.
  • Prevents the need to re-use passwords.
  • Ensures you have set strong passwords.
  • You don’t have to worry about forgetting your password - so entropy isn’t compromised.
  • It's scalable.

However, due to their popularity, these programs become a desired target for online attacks with the master password being a single point of failure.

Disadvantages of password managers are: 

  • Online PM services could become breached and credentials leaked. (They’ve had some security issues but access to password vaults hasn’t happened yet but might in the future)
  • Offers an attractive single target for hackers.
  • Vulnerabilities could arise in browser software and affect the service (e.g. browser plugins).
  • Some login forms disable autocomplete.
  • Services that require one-time passwords are problematic.

Bug bounty research has even shown the possibility of a breach in password managers that expose the master password in computer memory. However, taking advantage of this vulnerability would require either physical or remote access to the computer. If users have two-factor authentication enabled it is even more unlikely to be compromised.

Many people are also put off using password managers because they assume their passwords are being stored externally within a cloud environment, however, this is not the case. Passwords and the master password itself never actually touches the third-party servers, but rather is encrypted and decrypted at the device level. So, your encryption keys remain local to your device and then encrypted blobs instead are stored in the password vaults at a server level and kept secret.

Nonetheless, while there are always risks, Password Managers are still the best tools for offering authentication services online.

2FA / Multi-factor Authentication

Implementing secure two-factor authentication processes is not always considered the best approach for reasons similar to those described above: they create additional inconvenience for users. According to Paul Dourish et. al: “A major obstacle to the development of more effective security strategies is that these systems often match poorly to the ways in which people need to make use of them.”

So how do we proceed? While password policies and standards aren’t providing a perfect solution to the above, they are still worth implementing. 

Password Policies

Password policies allow employees to understand why certain passwords are weak, or easy to guess and how attackers would carry out certain authentication attacks. As a result, they are more likely to create more secure passwords themselves and it is less likely that rules requiring a number, uppercase character and symbol are going to result in ‘Pa$$w0rd1’.

What makes a “good” password?

  • Complexity - the rules associated with setting passwords to try and guarantee that the passwords used are both difficult-to-crack as well as difficult-to-guess
  • A minimum amount of alphanumeric characters, multi-cased, and completely random is best practice
  • Password length is very important
  • The password should be exclusive to one authentication process - i.e. not re-used on any other systems
  • Not having a password that is the same as your username or email address that is associated with the account. This is similar to not using the website/service name as part of the password

The term “good entropy” means the level of chaos or randomness present in a system. In this case, a string of characters that make up a password. Choosing a random string of numbers, symbols, and case-specific letters seem to be a good practice but can be limiting when strict requirements reduce key space and cause users to set passwords in predictable ways – causing more harm than good.

Ultimately, a password needs to be one that is not vulnerable to either dictionary attacks or brute force.

xkcd suggests four random and not very common words - which lends itself to use the term passphrase not password. 

xkcd passwords ©xkcd

Image © xkcd. Creative Commons Attribution-NonCommercial 2.5 License.

You can have a go with this concept with this useful password generator tool - correcthorsebatterystaple.net. However, coming up with your own passphrase will probably mean it will be easier to remember.

As mentioned above, it is good practice to not reuse passwords across systems and rely on tools such as Password managers to help store and recall passwords when needed. If you have used the same password across many different systems, it would be a good idea to update them as soon as possible. A very good resource to see if your go-to password has been breached is to use haveibeenpwned. Here you can safely check if your password has been leaked across a database of >500 million breached passwords. It will return a list of services which have used that password for authentication - updating these are a definite must do! 

How we handle password management at Amazee Labs

Now that we’ve covered the background, here is an example of a password policy we use at Amazee Labs: 

Password creation

  • Passwords must be unique to any other password used within their work-related accounts. The use of a Password Manager’s randomly generated password should ideally be used.
  • Passwords should not resemble any passwords used for their own, personal accounts.
  • Users with system-level privileges should use unique passwords from all other high privileged accounts.
  • Restrict the use of common words.

Sharing of passwords

  • Passwords should not be shared with anyone, including co-workers. There are occasions where user accounts need to be shared amongst a team (for a system in which there are no individual user accounts for), in this situation passwords should be shared using a company authorised and trusted Password Manager.

Best practice standards

  • Do not reuse passwords across different services.
  • Do not share passwords in plain text across any platform, including email, communication services like Slack or SMS.
  • Usernames should also be unique - no using default system usernames such as ‘admin’ or ‘root’.
  • Do not use any in-browser ‘remember password’ feature, always store passwords inside a Password Manager.
  • Ensure 2FA is enabled if possible, especially for Password Manager services.
  • Work off a ‘least privilege’ model.
  • If any services you’ve been using for authentication are suspected to have been compromised, then change the associated password for that account immediately.

The future of better authentication

Ultimately, there needs to be a shift in thinking to move away from passwords. In the future, these systems can use the information we already have on users such as their location, biometrics, devices, and patterns of use to provide low-effort authentication alternatives. 

Research on “zero perceived effort” authentication is promising. This includes Roy Maxion’s work on keystroke recognition, which shows how biometric technology can be used to recognise users from their typing habits.

Other biometric authentication, such as fingerprint or camera-based systems are also interesting alternatives. Take the example of a smart car, where fingerprint authentication is used not only to start a vehicle but to remember each user’s seat position, steering wheel position, ambient temperature, and other collaboration settings. 

This would be an example of both a productive and secure approach to authentication - the user gets a lot of valuable feedback from a speedy process. As with all emerging technologies, there are some issues with its use and therefore there still needs to be some form of back up to support these. This would likely take the form of other multi-factor authentication methods. 

Furthermore, as technology evolves so do ways to compromise it. Eventually, biometrics will also be subject to attacks. In high-security environments, companies will need to ensure with fingerprint detection checks that there is a pulse behind the fingers. Otherwise, security can be compromised even in these systems. There have already been cases where would-be hackers have printed impressions of stolen fingerprints using special cartridges, and, in extreme cases, used real severed digits. 

Implicit authentication is a form of authentication through constant monitoring and measuring of user input and behaviour. Unsurprisingly, there are numerous privacy concerns emerging from this practice. Users didn’t want their behaviour to be constantly tracked. The question becomes, who is handling this data and how it was being used?

As technology changes, security risks change too. Keeping up to date on the best practices for password security, and balancing them with the needs and convenience of your users, will ensure you have a secure and productive environment for everyone working on your projects. Passwordless schemes like the above are gradually being introduced into the mainstay, but for now it is safe to say that passwords still remain the primary use of authentication and utilising best practice password policies is one of the best ways to mitigate password risks.

Want to know more about how secure your projects are? We offer security audits of websites, get in touch with us today to find out more.