Despite a torrent of bad press, passwords have become the technology that should go away but somehow never quite does. This is mostly simple inertia, but the unfamiliarity, expense and complexity of some of the alternatives have also played their part. Security teams know that passwords are vulnerable in all sorts of ways, but abandoning them completely is like chucking away a comfort blanket.
Far from disappearing, passwords will likely cling on for many years to come, which is why pragmatic security teams plan carefully which processes should be used to minimise their risks. These often look simple enough - mandate password complexity rules, change passwords at pre-set intervals, tighten additional authentication - but dig bear pits for the unwary. One of the biggest, and easiest to underestimate, is the old chestnut of how to manage password resets.
The problem with passwords has always been one part technical and two parts psychological. The point of a password as a security factor is that it's something only the specified user should know. This requires the user to remember the password, which is where the grief begins. Humans struggle to remember random sequences, which is why they take short cuts, starting with the recurring nightmare of 'password = 12345'. Multiply the number of account passwords or passphrases someone must remember by ten and you end up with the calamity of password re-use.
Password re-use is the dystopia nobody saw coming. The Register readers will have read about its effects countless times as criminals spray passwords nicked from one breach at every and any online service they can think of. From the user's point of view, however, re-using a password, including relatively long and complex ones, is a brain-saving godsend. It's the one problem no amount of clever password management can discount, which is why the old tactic of asking users to change their passwords at pre-set intervals hasn't gone away, despite US standard-setters NIST surprising everyone in 2016 (SP 800-63) by recommending that passwords shouldn't automatically expire without good reason (Microsoft joining them in 2019).
Abandoning the dogma of automatic password changes was overdue, but it doesn’t address a seeming paradox. Organisations change passwords to reduce the risk of reuse and credential theft while knowing that changing them too often might prompt some users to compensate with even more difficult-to-detect password re-use. Is there a sweet spot or is this yet another intractable password woe in the making?
With organisations looking for a path out of the maze, it’s a problem Swedish company Specops Software knows well. But according to product specialist Darren James, the first problem isn’t whether organisations should change passwords - everyone agrees that password changes are still a good idea - but how customers running Windows environments should go about doing this without causing unintended disruption.
"Passwords, sadly, aren't going anywhere anytime soon," says James. "With that in mind it really is Specops' crusade to try to rid the world, at least as much as we can, of all the weak passwords that are currently out in the open, and give IT admins and CISOs the tools to do so."
Passwords, of course, are changed for all sorts of reasons other than routine, including the problem of breached passwords, at which point that change becomes an emergency. But the moment a password change occurs can be a major stress point for Windows Active Directory (AD) networks, starting with how the user is informed that expiration has been scheduled.
For internal LAN users, it’s easy – they receive a software prompt telling them to change their password, they follow that prompt and their new password is synchronised and cached on their PC.
Unfortunately, on Windows networks it's not as straightforward for home or mobile workers connecting through an on-demand corporate VPN, which in the time of Covid-19 turns out to be most of the workforce. "Because the user only gets notified of their AD password expiring if they are physically connected to the network, they get no notice of an expiring password and will find that once the password does expire they will no longer be able to connect to any AD-controlled resource," says James. Worse, even when connected to the LAN, "if your primary device isn't a domain-joined Windows-based machine, such as Mac, iOS, Android, Chromebook, Linux, BYOD Windows, you won't get any notifications at all."
Suddenly, for no apparent reason, Office 365 is hobbled and they have no email, Teams or SharePoint - a hiatus that results in a call to the helpdesk. This sets off a cascade of problems. First, because the locally cached password has expired, resetting it might require a resync with AD that involves physically connecting that PC to the LAN. Doing this remotely still requires that helpdesks have a reliable way of authenticating who they're talking to, aware that credential resets are a technique used by hackers to get behind defences. More likely, the process will create a time-consuming series of password reset hurdles that some users find difficult to vault.
A typical approach is to streamline the process using dedicated tools, with Specops offering Password Notification to automate this kind of process. This compares the pwdLastSet attribute with the maximum allowed password age in the domain policy, making it possible to send expiration reminders to users including those connected via a discontinuous VPN in different time zones. The principle at work here is to nip the problem in the bud before it turns into a helpdesk situation.
“Basically, an email alert is sent to the user x days before their password expires. This provides the user with some warning about what’s going to happen wherever they may be and on whatever device they use. We’re currently giving this solution away, for free, until the end of this year.”
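As an added illustration of the pwdLastSet comparison described above (my own Python, not Specops' code), the following decodes the two AD attributes from their 100 ns FILETIME encodings, honours the never-expires flag and the must-change-at-next-logon sentinel, and lists who is due a reminder x days ahead. The sample accounts and the 42-day policy are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000        # pwdLastSet and maxPwdAge count 100 ns ticks
DONT_EXPIRE_PASSWORD = 0x10000       # userAccountControl flag
NO_MAX_AGE = -(2 ** 63)              # maxPwdAge sentinel: domain never expires passwords

@dataclass
class AdUser:
    name: str
    pwd_last_set: int             # FILETIME ticks since 1601-01-01 UTC; 0 = must change at next logon
    user_account_control: int

def filetime_to_datetime(ticks: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def datetime_to_filetime(dt: datetime) -> int:
    return int((dt - FILETIME_EPOCH).total_seconds()) * TICKS_PER_SECOND

def expiry_status(user: AdUser, max_pwd_age: int, now: datetime):
    """Return (status, expiry) where status is never / must-change / expired / active."""
    if user.user_account_control & DONT_EXPIRE_PASSWORD or max_pwd_age in (0, NO_MAX_AGE):
        return "never", None
    if user.pwd_last_set == 0:
        return "must-change", None
    # maxPwdAge is stored as a negative tick count, hence the sign flip
    max_age = timedelta(seconds=-max_pwd_age / TICKS_PER_SECOND)
    expires = filetime_to_datetime(user.pwd_last_set) + max_age
    return ("expired" if expires <= now else "active"), expires

def users_to_notify(users, max_pwd_age: int, now: datetime, warn_days: int):
    """Names of users whose password is still valid but expires within warn_days."""
    return [u.name for u in users
            if (s := expiry_status(u, max_pwd_age, now))[0] == "active"
            and s[1] - now <= timedelta(days=warn_days)]

# Constructed sample data: a 42-day domain policy and five accounts.
NOW = datetime(2020, 10, 1, tzinfo=timezone.utc)
MAX_PWD_AGE_42_DAYS = -42 * 24 * 3600 * TICKS_PER_SECOND
SAMPLE_USERS = [
    AdUser("alice", datetime_to_filetime(NOW - timedelta(days=35)), 0x200),    # 7 days left
    AdUser("bob", datetime_to_filetime(NOW - timedelta(days=10)), 0x200),      # 32 days left
    AdUser("carol", datetime_to_filetime(NOW - timedelta(days=400)), 0x10200), # never expires
    AdUser("dave", 0, 0x200),                                                  # must change at logon
    AdUser("erin", datetime_to_filetime(NOW - timedelta(days=50)), 0x200),     # expired 8 days ago
]

if __name__ == "__main__":
    print(users_to_notify(SAMPLE_USERS, MAX_PWD_AGE_42_DAYS, NOW, warn_days=14))  # ['alice']
```

Accounts already expired or flagged must-change are reported separately by expiry_status, since an email reminder is no longer useful to them.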
A second tool is uReset, which helps with the process of resetting a password should that become necessary at a later stage. Specops customers have found this useful for the way it integrates the reset process with the problem of user verification, via either a third-party identity service or specific forms of multi-factor authentication (MFA) such as fingerprint data, text message or authentication code. uReset will update the cached credential automatically, even when outside the corporate network.
The intriguing question is what sets off the reset in the first place. Increasingly, the answer is as a reaction to passwords known to have been compromised. Usually, this happens because of a breach, after which attackers try to find ways to recover at least some passwords from stolen hashes. This circles back to the issue of password re-use: just because a password meets an organisation’s criteria doesn’t mean the same excellent password hasn’t been re-used on lots of other services which might or might not store it using a secure hashing algorithm.
Specops' answer to this has been to integrate a database of 738 million of the most frequently hit password hashes into its password sanity tool, Specops Password Auditor, which admins can use to check against their own database. This also gives an overview of password expiration (including for admin accounts) and compares password policies against yardsticks such as NIST or PCI.
Another trick, James says, is to offer users some carrot when changing their passwords. Nobody wants to change their passwords at all, so it follows that changing them less often might motivate people to buy into the whole process.
"There's a big difference between 14 and 15 characters in Windows," he says, referring to the way Windows generates two hashes for all passwords of 14 characters or less. The first uses the secure NT (or NTLM) hashing function, which for backwards compatibility is matched by a second generated using the ancient and weak LAN Manager (LM) function. Security teams have two options to cope with this. First, disable LM hashing, at the risk of breaking some older services still being used. Alternatively, ask users to move to passwords longer than 14 characters and hope nobody complains.
"If someone steals your AD database, they can crack all of those 14-character passwords in a very short period of time." He suggests adopting variable length password aging, which allows admins to reward users for agreeing to use the longer 15-character or above option. So, for example, users setting passwords of between 8 and 14 characters could be asked to change their passwords every 45 days, while the group setting one of 15 or more might be left alone for a year, say. "It's not just about beating them with a stick and making them type in a 20-character password. It's about encouraging them to make the right choice."
If fear of cyberattack doesn’t scare organisations into securely managing their password system, compliance might do the trick for them. In the UK, the Government’s increasingly important Cyber Essentials accreditation scheme specifies that passwords be expired, which guarantees they get attention.
“Most organisations are still uncomfortable about setting user passwords to never expire.” For admins, 30-60 days is still standard, confirms James.
Of course, passwords aren’t going away and must be tamed without the process becoming the IT-consuming chore security teams once blindly accepted as just the way things had to be. If anything’s changed, it’s the tolerance of managing passwords the hard way. Right now, there are simply too many other things to worry about.
Sponsored by Specops