Solving the P@55w0rD C0mpl3xity Pr0bl3m
I was reading an article from the Guardian entitled "Online passwords: keep it complicated" and it got me thinking... Does password complexity really need to be, well... complex? In short, no, but what techniques can one use to effectively simplify password complexity? Over the last couple of years, password complexity and the management of multiple complex passwords has been a hot topic. These days we need passwords to secure just about everything, and where we don’t have a password we have a PIN to remember. Actually, this reminds me of a joke I read online recently; it went something along the lines of: “All credit card PIN numbers in the world leaked.” The subtext was just 0000, 0001, 0002, 0003, 0004… 9999.
While all 10,000 credit card PIN numbers are out there in plain sight, you stand a much better chance of keeping your passwords safe. More than enough time has been spent on analyzing password strengths, dissecting advanced cryptographic techniques for generating impossible-to-remember passwords (and all but impossible to type without making several mistakes), and pontificating on the benefits of unique per-site passwords. I think it is safe to assume that we all know to use passwords which are: long (9+ characters); complex combinations of uppercase, lowercase, numerals and special characters; and unique per site or service. So, it is not my aim to analyze what constitutes a good password, but rather to offer some advice on how you can simplify the management of a multitude of complex passwords, thereby, and most importantly, keeping your passwords secure and known only to you.
If there is one thing I have learnt during my time as Chief Information Security Officer (CISO) at Mimecast, it is that effective, simple security processes work better than complicated ones. But we all know that simple passwords are not better than complex ones, so we have something of a dichotomy. The challenge is highlighted in this Businessweek article showing how long it would take to crack passwords of a certain length. In summary, a 6-character totally random password with lower case, upper case, numbers and symbols would take 18 days (10 minutes if you only use lower case!), whereas a 9-character password with the same complexity would take 44,530 years (4 months if you only use lower case). The message is clear: make sure your passwords are long and complex.
Now that wouldn’t be too much of a challenge if you only had one password, but to further complicate matters, best practice and first-hand experience show that a different password should be used for each site or service. Not only do you need to have a long, complex password, you have to have multiple long, complex passwords. By multiple I mean upwards of 20, or if you are like me, vastly more. Based on the earlier observation that simple processes are better than complex ones, and that remembering multiple passwords is harder than remembering a single one, we need to find a simple way to achieve the requirement for complexity and uniqueness in passwords.
I present to you the Password Manager (PM). There are several flavors, from locally installed to Cloud-based offerings. The idea behind them all is the same: you keep all your long, complex, difficult-to-remember passwords in the PM of your choice. This is all secured by a single easy-to-remember (but difficult-to-guess) password. One password to manage them all! Simplicity and elegance! Here are some recommendations for using and securing your PM:
- Protect your PM with a single secure, complex password, one that is easy to remember but hard to guess. My suggestion is 12+ characters, not based on a dictionary word, and a mix of upper, lower, numerals and special characters.
- If your PM supports it, use 2-factor authentication. Google Authenticator is a free, time-based one-time password generator and some PMs integrate with it.
- Use your PM's built-in password generator to generate long and complex passwords, which will be stored securely in your PM.
- Go to each site or service you use and change the password to something unique using your PM's built-in password generator.
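As an added example (not from the original post or from Mimecast), here is a Python sketch of the two pieces of advice above: a CSPRNG-backed generator of the kind a PM's built-in generator provides, a check of the "12+ characters, all four character classes, not a dictionary word" master-password rule, and the keyspace arithmetic behind the Businessweek cracking-time comparison. The tiny dictionary and the guesses-per-second rate are constructed assumptions; the article's own rate is not given in the post.

```python
import math
import secrets
import string

# Character classes from the post's master-password advice:
# upper, lower, numerals and special characters.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "special": string.punctuation,
}
ALPHABET = "".join(CLASSES.values())  # 26 + 26 + 10 + 32 = 94 symbols

# Constructed stand-in for a wordlist; a real dictionary check uses far more words.
DICTIONARY_WORDS = {"password", "mimecast", "welcome", "letmein", "qwerty"}


def generate_password(length=16):
    """Draw from the CSPRNG (secrets, never random) until every class is present."""
    if length < len(CLASSES):
        raise ValueError("need room for one character of each class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in CLASSES.values()):
            return candidate


def meets_master_policy(pw, min_length=12):
    """The post's master-password rule: 12+ chars, all four classes,
    and not built around a dictionary word."""
    if len(pw) < min_length:
        return False
    if not all(any(c in cls for c in pw) for cls in CLASSES.values()):
        return False
    lowered = pw.lower()
    return not any(word in lowered for word in DICTIONARY_WORDS)


def keyspace_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy in bits of a uniformly random password of this length."""
    return length * math.log2(alphabet_size)


def crack_time_years(length, alphabet_size, guesses_per_second):
    """Expected time to find the password (half the keyspace) at an
    assumed guess rate; the rate is the attacker's, not the post's."""
    keyspace = alphabet_size ** length
    return keyspace / 2 / guesses_per_second / (365 * 24 * 3600)
```

The ratio crack_time_years(6, 94, r) / crack_time_years(6, 26, r) is (94/26)^6, roughly 2,200, which is the same order as the article's 18 days versus 10 minutes; the 9-character figures are larger by a factor of 94^3 again.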
I have used several PMs, local and Cloud-based. My current and personal favorite is LastPass. There are many benefits to using the Cloud, such as ubiquitous access from all your Internet-connected devices; the ability to store an offline copy for when you may not have Internet access is a major drawcard for me. I have embraced the Cloud and believe it is the way of the future. This is a strong endorsement of the trust I place in Cloud security.
As Mimecast's CISO I am in the trenches, implementing, managing and monitoring Mimecast's Cloud security daily, so I know first-hand the scale of resources that are being dedicated to securing the Cloud and the data that lives in it. But my endorsement of the Cloud comes with a strong warning: not all Cloud providers are made equal when it comes to security. Do your own due diligence. Make sure that the Cloud service takes security more seriously than you do, as we do at Mimecast. Check what efforts the Cloud service has gone to in publishing and independently auditing its security processes and controls. Request the provider’s security certificates and documentation and take your time to review the material. Ask questions and discuss your concerns.
There are a number of accepted standards that Cloud services can be audited against. Mimecast chose ISO 27001:2005 to become certified against, as it is a well-respected and internationally recognized certification. In addition, Mimecast has published its security controls in the CSA STAR registry. If you have any questions about this post or would like to ask more general questions about information security, we would be happy to hear from you.