Specops Password Policy is a powerful tool for overcoming the limitations of the default password policies present in Microsoft Active Directory environments. To be fair, Microsoft did revise and upgrade the default password policy and introduced additional, granular fine-tuning options over the years, but for some enterprise environments that’s still not enough, so Specops Password Policy to the rescue!
For the purpose of this review, the installation was done on a server containing all necessary services: Specops Sentinel – a password filter that is installed on all domain controllers, and Specops Password Policy admin tools. Keep in mind that this can be split onto different servers if needed. If you purchased Breached Password Protection, you’ll need to install Specops Arbiter as well.
The setup process is smooth, and you can expect to be up and running within the hour. As you can see from the image below, the standard requirements are modest and should not be a problem for any enterprise environment that requires such a solution.
Figure 1. Specops Password Policy minimum requirements
Password policy templates
When you start with Specops Password Policy Domain Administration, you’ll notice four predefined password policy templates you can choose from:
Figure 2. Specops Password Policy Domain Administration including default templates
These templates are convenient for a fast setup but, naturally, you can take them to another level by customizing them. If you’re working in an environment that needs to meet specific regulatory standards, the provided templates can be a lifesaver. Even if you can’t or don’t want to use these policies, you can use them as a base to strengthen your policy or create a policy compatible with your environment.
Let’s create a new, blank policy to see what the process looks like. Creating one will take you to the Group Policy editor:
Figure 3. Specops Password Policy inside the Group Policy editor
If you find it familiar, it’s because it is the same environment where you would change your default password policy inside Active Directory. The one key difference here is that Specops Password Policy applies password settings to the user part of group policy rather than computer. This makes more sense as it’s the users that generally set bad passwords rather than machines.
After testing the options and thinking how this would fit into my network, I have to commend Specops for not unnecessarily complicating things and choosing to go with a workflow most system administrators are familiar with.
When I opened Specops Password Policy inside the Group Policy editor, I was pleasantly surprised to see that it supports the use of passphrases. More importantly, it also offers assistance for handling them (something that Active Directory does not). You can use regular expressions to define what a passphrase means to your organization, e.g. 3 words with at least 6 characters in each word, no repeated words, and no patterns such as 111111 or 222222.
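To make the passphrase rule concrete, here is an added example (not Specops code, and not the regular expression the product uses) that checks the rule just described: at least 3 words, each at least 6 characters long, no repeated words, and no repeated-character patterns such as 111111. The word boundaries, the repetition regex and the sample inputs are assumptions made for this illustration.

```python
import re
from typing import List

# Policy parameters from the review: three words, at least 6 characters each,
# no repeated words, no repeated patterns like 111111 or 222222.
MIN_WORDS = 3
MIN_WORD_LEN = 6

# A "word" is a run of letters; digits and punctuation act as separators (assumption).
WORD_RE = re.compile(r"[A-Za-z]+")
# A 1-3 character group repeated three or more times in a row: 111111, 222222, ababab.
REPEAT_RE = re.compile(r"(.{1,3})\1{2,}")


def check_passphrase(passphrase: str) -> List[str]:
    """Return the list of policy violations; an empty list means the passphrase is accepted."""
    problems: List[str] = []
    words = WORD_RE.findall(passphrase)

    if len(words) < MIN_WORDS:
        problems.append(f"needs at least {MIN_WORDS} words, found {len(words)}")

    short = [w for w in words if len(w) < MIN_WORD_LEN]
    if short:
        problems.append(f"words shorter than {MIN_WORD_LEN} characters: {', '.join(short)}")

    lowered = [w.lower() for w in words]
    if len(set(lowered)) != len(lowered):
        problems.append("repeated word")

    match = REPEAT_RE.search(passphrase)
    if match:
        problems.append(f"repeated pattern: {match.group(0)}")

    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ("Purple-Monkey-Dishwasher", "purple purple dishwasher", "purple monkey 111111"):
        verdict = check_passphrase(candidate) or ["accepted"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

The checks are deliberately reported together rather than stopping at the first failure, which is what a user-facing "client message" needs in order to explain why a candidate was rejected.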
Figure 4, 5. Passphrase support and password options
The General Settings menu offers familiar settings for anyone that’s used to working with the Group Policy Editor in an Active Directory environment. A neat addition here is the “client message” option, which allows you to create a custom message to be shown on the Active Directory logon screen in case the password policy requirements are not met.
Figure 6. General Settings with options and client message notification
The Password Expiration tab offers a wealth of options, including the maximum password age, password expiration notifications, and so on. A key feature here is the length-based password aging rule. This means that the longer the password, the longer the user gets to keep it. It can be a real incentive to encourage users to move to passphrases.
Figure 7. Options for password expiration rules and password expiration notifications
The Password Rules menu brings additional password rules granularity which should allow for virtually any password policy scenario. Worth noting is that the use of dictionaries with forbidden words is possible either by creating a custom dictionary or downloading dictionaries provided by Specops.
Figure 8. Regulating password rules requirements in one place
Figure 9. Additional protection from users trying to subvert the password policy
Breached Password Protection
A great set of options are found under Breached Password Protection. In a nutshell, it allows the system to compare an Active Directory password to a list of known breached passwords. As might be expected, passwords are hashed in the process.
If a password is discovered in the breached password list, the action triggers the delivery of notifications/alerts.
Figure 10. Breached Password Protection Complete API
Figure 11. Breached Password Protection Express List
With the API, Specops Password Policy supports both email and SMS notifications. When using the Express List (a downloadable passwords list) you can use only email notifications.
I realize there’s a narrow application for it, but I would like to see support for custom SMS gateways in future versions, as large enterprises might find this useful. Specops Software tells me that since there’s no extra cost involved for using the SMS notification feature they’ve never been asked to provide a custom SMS platform.
The latest version of Specops Password Policy comes with several powerful new features: PowerShell cmdlets and a security scanner.
Leaked password scanning
While PowerShell support is nothing new to Specops Password Policy, the latest version brings us powerful new cmdlets:
- Get-SppPasswordExpiration and Get-PasswordPolicyAffectingUser are user-related cmdlets enabling checks which until now could not be requested nor scripted through PowerShell. I found them rather useful during troubleshooting while trying to discern why a certain policy was not working as intended. Using cmdlets with pretty self-explanatory names is much faster than going through the menus of a newly installed application.
- Get-SppPasswordExpiration checks for the password expiration date, returning the date and reliability of the password.
- Get-PasswordPolicyAffectingUser – if you have ever handled a multi-policy environment, you know that something as simple as knowing the exact policies applied to a user can be the difference between solving an issue and entering a virtually endless troubleshooting loop. You just need to provide the username in sAMAccountName or userPrincipalName format, for which the cmdlet returns GpoID, GpoName, and the password policy name.
- Start-PasswordPolicyLeakedPasswordScanning – as evident from the name, it starts scanning for leaked passwords in your Active Directory environment. Even though this feature is present in the Domain Admin tool, this cmdlet is useful as it can be scripted and delayed, which is ideal for administrators working in large environments. After running the cmdlet, all users that are non-compliant with the policy will be notified on the next logon to change their password. Leaked password scanning requires the Specops Breached Password Protection license.
Figure 12. All available Specops Password Policy cmdlets
Looking after your passwords
Specops Software maintains a comprehensive list of leaked passwords based on numerous sources. It contains billions of passwords and is often updated.
Breached Password Protection can be configured with two settings: Breached Password Protection Complete and Breached Password Protection Express.
The Complete setting comes with a master list of leaked passwords that is stored in the cloud. If a user changes their password to one that can be found on the list, a notification is sent via email or SMS, and they are forced to change their password the next time they log in. For this, you’ll need .NET 4.7.1 and Windows Server 2012 R2 or later, with an installation of Specops Arbiter and an API key.
Breached Password Protection Express downloads a subset of the list of leaked passwords, updated usually every 6 months. This also means administrators will need to manually check for updates and initiate a download of the updated list. Users are also immediately prevented from changing their password to a password found in the leaked list.
Length based password expiration
Specops has found a way to reward security-conscious users by extending the timeframe for mandated password change.
Figure 13. The longer the password, the later it expires
Users can be notified of their upcoming mandated password change. As the timeframe for the mandated password change is dictated by password length, notifying users is of great importance, as it can help users prepare in advance. The notification can be shown to users using regular Active Directory resources, on the logon screen or via email. For both methods you can define the number of days before a mandated password change at which the notification is shown or sent.
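The following added example (not Specops code) works through length-based password aging together with the notification window: each password gets a maximum age from a length tier, and a user is warned once the expiry date falls within a configurable number of days. The tier boundaries, the 14-day notice window and the sample users are assumptions constructed for this illustration, not the product's defaults.

```python
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Constructed tiers: (minimum password length, maximum password age in days).
# Longer passwords are kept longer; the numbers are assumptions, not Specops defaults.
AGE_TIERS = [(8, 90), (12, 180), (16, 365), (20, 730)]
# Days before expiry at which the logon-screen or email notification is shown (assumption).
NOTIFY_DAYS_BEFORE = 14


def max_age_days(length: int) -> Optional[int]:
    """Allowed age for a password of this length, or None if it is below the shortest tier."""
    age = None
    for min_len, days in AGE_TIERS:  # tiers are ascending, so the last match wins
        if length >= min_len:
            age = days
    return age


def expiration_date(last_set: date, length: int) -> Optional[date]:
    """Date on which a password of the given length, set on last_set, expires."""
    age = max_age_days(length)
    return None if age is None else last_set + timedelta(days=age)


def should_notify(today: date, expires: date, days_before: int = NOTIFY_DAYS_BEFORE) -> bool:
    """True inside the notice window: expiry is today or later, but no more than days_before away."""
    return timedelta(0) <= (expires - today) <= timedelta(days=days_before)


def users_to_notify(today: date, users: List[Tuple[str, date, int]]) -> List[str]:
    """Names of users whose expiry falls within the notice window, given (name, last_set, length)."""
    due = []
    for name, last_set, length in users:
        expires = expiration_date(last_set, length)
        if expires is not None and should_notify(today, expires):
            due.append(name)
    return due


if __name__ == "__main__":
    # Constructed sample: password length stands in for the real password, which
    # a directory would never expose to a script like this.
    sample = [("alice", date(2020, 10, 1), 8), ("bob", date(2020, 7, 1), 12), ("carol", date(2020, 1, 1), 20)]
    for name, last_set, length in sample:
        print(f"{name}: {length} chars, set {last_set}, expires {expiration_date(last_set, length)}")
    print("notify today:", users_to_notify(date(2020, 12, 20), sample))
```

Note that a real implementation only ever sees the password length at change time (inside the password filter), so the length must be recorded then; it cannot be recovered from the stored hash later.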
The security scanner for Active Directory is such a simple yet invaluable tool. It is included in Specops Password Policy and is available as standalone freeware. It groups all possible password security issues found inside your Active Directory. This at-a-glance overview essentially points out all the things you need to worry about, and it’s the place to quickly discover a problem you might not be aware of, like a password being on a leaked list.
Specops has chosen a smart way of aggregating the important areas around password security and policies, showing the most relevant issues and offering quick insight into potential problems.
Figure 14. A closer look at expiring passwords
Once you’re aware of all the issues, you can quickly focus on what’s critical. I find this to be an easy way to audit your Active Directory environment for a variety of issues at the same time.
After testing Specops Password Policy for a week in a variety of scenarios, I can definitely say we’re talking about a formidable solution. Not only does it make the process of strengthening the password policies better while being simple to use, but it can detect and resolve issues you might not be aware of in the first place.
I can highly recommend Specops Password Policy for any Active Directory environment, and I would go as far as to say it’s a necessity for complex environments dealing with compliance regulations, as well as specific password policy requirements. This solution can raise the security level of any Active Directory environment, and you can’t argue about the benefits of better security, can you?
Google has released Chrome 86 for desktop and mobile, which comes with several new and improved security features for mobile users, including:
- New password protections
- Enhanced Safe Browsing
- Easier password filling
- Mixed form warnings and mixed downloads warnings/blocks
New password security features in Chrome 86
The Password Checkup feature came first in the form of a Chrome extension, then was built into Google Account’s password manager and Chrome, and now it has been enhanced with support for the “.well-known/change-password” standard – a W3C specification that defines a well-known URL that sites can use to make their change-password forms discoverable by tools (e.g. Chrome, or the latest version of Safari).
This change means that, after users have been alerted that their password has been compromised, Chrome will take them directly to the right “change password” form. Hopefully, this will spur more users to act upon the alert.
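What a site has to do to take part in this is small: serve the well-known path and redirect it to the real form. The added example below (not Google's or any site's code) shows the client-side URL construction and a minimal server-side handler as a WSGI app; the form location `/account/security/password` and the hostnames are assumptions made up for this illustration.

```python
from typing import Dict, Tuple
from urllib.parse import urlsplit, urlunsplit

# Path fixed by the "A Well-Known URL for Changing Passwords" specification.
WELL_KNOWN_PATH = "/.well-known/change-password"
# Where this hypothetical site's real change-password form lives (assumption).
CHANGE_PASSWORD_FORM = "/account/security/password"


def well_known_url(origin: str) -> str:
    """URL a browser requests for a site once it knows a saved login for it was breached."""
    parts = urlsplit(origin)
    return urlunsplit((parts.scheme, parts.netloc, WELL_KNOWN_PATH, "", ""))


def app(environ, start_response):
    """Minimal WSGI app: the well-known path is never a form itself, only a redirect to it."""
    path = environ.get("PATH_INFO", "")
    if path == WELL_KNOWN_PATH:
        start_response("302 Found", [("Location", CHANGE_PASSWORD_FORM), ("Content-Length", "0")])
        return [b""]
    if path == CHANGE_PASSWORD_FORM:
        body = b"<form method=post><input type=password name=new autocomplete=new-password></form>"
        start_response("200 OK", [("Content-Type", "text/html"), ("Content-Length", str(len(body)))])
        return [body]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found"]


def resolve(path: str) -> Tuple[str, Dict[str, str]]:
    """Drive the app in-process (no network) and return (status, headers) for a path."""
    captured: Dict[str, object] = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = dict(headers)

    list(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["status"], captured["headers"]  # type: ignore[return-value]


if __name__ == "__main__":
    print(well_known_url("https://shop.example/login"))
    print(resolve(WELL_KNOWN_PATH))
    # Serve it for real on localhost with: python -m wsgiref.simple_server is not needed;
    # the stdlib server below is enough for a local test.
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8000, app).handle_request()
```

Serving the redirect only over HTTPS and keeping the target form behind the normal session check matters: the well-known URL is meant to be discoverable, not to bypass authentication.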
Enhanced Safe Browsing is added to Chrome for Android
Enhanced Safe Browsing mode, which was first introduced in Chrome 83 (for desktop versions), allows users to get a more personalized protection against malicious sites.
“When you turn on Enhanced Safe Browsing, Chrome can proactively protect you against phishing, malware, and other dangerous sites by sharing real-time data with Google’s Safe Browsing service. Among our users who have enabled checking websites and downloads in real time, our predictive phishing protections see a roughly 20% drop in users typing their passwords into phishing sites,” noted AbdelKarim Mardini, Senior Product Manager, Chrome.
In addition to this, Safety Check – an option that allows users to scan their Chrome installation to check whether the browser is up to date, whether the Safe Browsing service is enabled, and whether any of the passwords the user uses have been compromised in a known breach – is now available to Chrome for Android and iOS.
Biometric authentication for autofilling of passwords on iOS
iOS users can finally take advantage of the convenient password autofill option that was made available a few months ago to Android users.
The option allows iOS users to authenticate using Face ID, Touch ID, or their phone passcode before their saved passwords are automatically filled into sites and iOS apps (the Chrome autofill option must be turned on in Settings).
Mixed form/download warnings
Mixed content, i.e., insecure content served from otherwise secure (HTTPS) pages, is a danger to users.
Chrome 86 will warn users when they are about to submit information through a non-secure form embedded in an HTTPS page and when they are about to initiate insecure downloads over non-secure links.
For the moment, Chrome will block the download of executables and archive files over non-secure links but show a warning if the user tries to download document files, PDFs, and multimedia files. The next few Chrome versions will block those as well.
Last but not least, Google has fixed 35 security issues in Chrome 86, including a critical use-after-free vulnerability in payments (CVE-2020-15967).
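To make the two mixed-content cases precise, here is an added example (not Chrome's code) that classifies a form submission and a download link relative to the page they sit on, following the behaviour the article describes: a form on an HTTPS page posting to http:// is mixed, an executable or archive over http:// is blocked, and a document, PDF or media file over http:// gets a warning. The extension lists are a small constructed sample, and file types the article does not classify are treated as allowed here, which is an assumption.

```python
import posixpath
from urllib.parse import urljoin, urlsplit

# Constructed samples of the categories named in the article, not Chrome's full lists.
BLOCK_EXTENSIONS = {".exe", ".msi", ".zip", ".rar", ".7z"}       # executables and archives
WARN_EXTENSIONS = {".doc", ".docx", ".pdf", ".mp3", ".mp4"}      # documents, PDFs, multimedia


def is_https(url: str) -> bool:
    return urlsplit(url).scheme == "https"


def is_mixed_form(page_url: str, form_action: str) -> bool:
    """True when an HTTPS page submits a form over plain http://.

    Relative actions are resolved against the page, so they inherit its scheme
    and are not mixed.
    """
    target = urljoin(page_url, form_action)
    return is_https(page_url) and urlsplit(target).scheme == "http"


def download_decision(page_url: str, link_url: str) -> str:
    """Return "block", "warn" or "allow" for a download link on the given page."""
    target = urljoin(page_url, link_url)
    if not is_https(page_url) or urlsplit(target).scheme != "http":
        return "allow"  # no HTTPS-to-HTTP downgrade involved, so not mixed
    ext = posixpath.splitext(urlsplit(target).path)[1].lower()
    if ext in BLOCK_EXTENSIONS:
        return "block"
    if ext in WARN_EXTENSIONS:
        return "warn"
    return "allow"  # assumption: types the article does not classify pass through


if __name__ == "__main__":
    page = "https://shop.example/checkout"
    print("mixed form:", is_mixed_form(page, "http://shop.example/pay"))
    for link in ("http://cdn.example/setup.exe", "http://cdn.example/invoice.pdf", "https://cdn.example/setup.exe"):
        print(link, "->", download_decision(page, link))
```

The same two functions are what a defender would run over a crawl of their own site to find mixed forms and http:// download links before the browser starts warning users about them.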
The cybersecurity market is growing even in the midst of the pandemic-driven economic downturn, with spending predicted to reach $123 billion by the end of the year. While disruptive technologies are undoubtedly behind much of this market growth, companies cannot afford to overlook security basics.
Biometrics may be a media darling, but the truth is that passwords will remain the primary authentication mechanism for the foreseeable future. But while passwords may not be a cutting-edge security innovation, that’s not to suggest that CIOs don’t need to modernize their approach to password management.
Mandatory password resets
Employees’ poor password management practices are well-documented, with Google finding that 65% of people use the same password for multiple, if not all, online accounts. To circumvent the security risks associated with this behavior, companies have historically focused on periodic password resets. Seventy-seven percent of IT departments surveyed by Forrester in 2016 were expiring passwords for all staff on a quarterly basis.
This approach made sense in the early days of the digital age, when employees typically only had a handful of passwords to remember. I’d argue that times had already changed by 2016, but we are certainly in an entirely different landscape today. As digital transformation accelerates and employees are faced with managing multiple passwords for all of their accounts, it’s simply no longer realistic or wise to force frequent password resets.
It’s time to retire password expiration
Both NIST and Microsoft have recently come out against forced periodic password resets for a variety of reasons, including:
- Password expiration eats up significant resources and budget. According to Forrester, a single password reset costs $70 of help desk labor. When you multiply this by the average number of employees in a typical organization, it’s easy to see how password expiration can become an unwieldy expense and add significant pressure on overburdened IT teams.
- It encourages poor cybersecurity practices. When users are frequently asked to change passwords they typically create weaker ones—for example, slight variants of the original password or the same root word or phrase with different special characters for each account.
- The practice impedes efficiency and introduces friction. Forced resets have a negative impact on productivity as employees often struggle to remember their passwords. One recent study found that 78% of people had to reset a password they forgot in the past 90 days, eating up valuable time that could have better been deployed elsewhere. In addition, the frustration associated with frequent changes can cause employees to seek a workaround or engage in poor security practices like sharing passwords among colleagues or reusing personal passwords for corporate accounts.
Exposure, not expiration
The fundamental purpose of passwords is to ensure that no one but the authorized user has access to the account or system in question. As such, it follows that password security has evolved from a focus on expiration to a focus on exposure. If credentials are secure, there is no reason for companies to incur the cost and other issues associated with forcing a reset. It’s critical that CIOs adopt this mindset and evaluate how they can continuously screen passwords to ensure their integrity.
Putting NIST’s recommendations into practice
According to NIST, companies should compare passwords “ …against a list that contains values known to be commonly-used, expected or compromised… The list MAY include, but is not limited to:
- Passwords obtained from previous breach corpuses
- Dictionary words
- Repetitive or sequential characters
- Context-specific words, such as the name of the service, the username, and derivatives thereof.”
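The four list categories above map directly onto four checks. The following added example (not NIST's, Specops' or any vendor's code) screens a proposed password against a constructed breach corpus held as SHA-1 digests (the "passwords are hashed in the process" point from the Specops review earlier on this page), a small dictionary, repetitive and sequential characters, and context-specific words derived from the service name and the username. The corpus, dictionary, service name `acmecorp`, substitution table and sample inputs are all assumptions made for this illustration; a production screener would use a full breach corpus.

```python
import hashlib
import re
from typing import List, Set

# Constructed breach corpus, stored only as SHA-1 digests so the screener never
# holds breached passwords in plaintext.
def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


BREACHED_HASHES: Set[str] = {sha1_hex(p) for p in ("password", "123456", "qwerty", "letmein")}
DICTIONARY: Set[str] = {"password", "welcome", "dragon", "monkey", "summer", "winter"}
SERVICE_NAME = "acmecorp"  # assumed name of the service being protected

SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "0123456789", "qwertyuiop", "asdfghjkl", "zxcvbnm")
# Undo common substitutions so P@ssw0rd is compared as "password" (assumed table).
LEET = str.maketrans("@$013!", "asolei")


def normalize(password: str) -> str:
    return password.lower().translate(LEET)


def has_repetition(password: str, run: int = 3) -> bool:
    """Same character repeated `run` or more times in a row (aaa, 1111)."""
    return re.search(r"(.)\1{%d,}" % (run - 1), password) is not None


def has_sequence(password: str, run: int = 4) -> bool:
    """Any `run`-character slice of a keyboard or alphabet sequence, forwards or backwards."""
    lowered = password.lower()
    for seq in SEQUENCES:
        for s in (seq, seq[::-1]):
            for i in range(len(s) - run + 1):
                if s[i:i + run] in lowered:
                    return True
    return False


def context_words(username: str) -> Set[str]:
    """Service name, username and its parts (jane.doe -> jane, doe); very short parts ignored."""
    words = {SERVICE_NAME, username.lower()}
    words.update(re.split(r"[.@_\-]", username.lower()))
    return {w for w in words if len(w) >= 3}


def screen(password: str, username: str) -> List[str]:
    """Return the NIST-style findings for a proposed password; empty means it passed these checks."""
    findings: List[str] = []
    if sha1_hex(password) in BREACHED_HASHES:
        findings.append("found in breach corpus")
    norm = normalize(password)
    dict_hits = [w for w in sorted(DICTIONARY) if w in norm]
    if dict_hits:
        findings.append("dictionary word: " + ", ".join(dict_hits))
    if has_repetition(password):
        findings.append("repetitive characters")
    if has_sequence(password):
        findings.append("sequential characters")
    ctx_hits = [w for w in sorted(context_words(username)) if w in norm]
    if ctx_hits:
        findings.append("context-specific word: " + ", ".join(ctx_hits))
    return findings


if __name__ == "__main__":
    # Constructed sample candidates for user jane.doe.
    for candidate in ("P@ssw0rd", "123456", "JaneAcmeCorp2020", "Correct-Horse-Battery-Staple"):
        print(f"{candidate!r}: {screen(candidate, 'jane.doe') or ['passed']}")
```

Only the first check needs the breach data, which is why it is the one worth centralising and refreshing continuously; the other three are cheap, local rules that can run inside a password filter at change time.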
Given that multiple data breaches occur in virtually every sector on a daily basis, companies need a dynamic, automated solution that can cross-reference proposed passwords against known breach data. In this environment, it’s highly likely that a password could be secure at its creation but become compromised down the road. As such, CIOs also need to monitor password security on a daily basis and take steps to protect sensitive information if a compromise is detected.
Depending on the nature of the account and the employee’s privilege this could take a variety of forms, including:
- Stepping up MFA or additional authentication mechanisms
- Forcing a password reset
- Temporarily suspending access to the account
Because these actions occur only if a compromise has been detected, this modern approach to credential screening eliminates the unnecessary cost and friction associated with password expiration.
Protecting the password layer in the new normal
Replacing password expiration with password exposure will be particularly critical as CIOs manage an increasingly hybrid workforce. With Gartner finding that 74% of organizations plan to shift some employees to permanent remote work positions, it’s likely that users will be creating new digital accounts and accessing different services online.
A modern password management approach that continuously screens for any credential compromise is the best way that organizations can secure this complex environment while simultaneously encouraging productivity and reducing help desk costs.
While passwords may not be going away completely, 92 percent of respondents believe passwordless authentication is the future of their organization, according to a LastPass survey.
Passwordless authentication reduces password related risks by enabling users to login to devices and applications without the need to type in a password.
Technologies such as biometric authentication, single-sign-on (SSO) and federated identity streamline the user experience for employees within an organization, while still maintaining a high level of security and complete control for IT and security teams.
Organizations still have a password problem
Problems with passwords are still an ongoing struggle for organizations. The amount of time that IT teams spend managing users’ password and login information has increased year over year.
In fact, those surveyed suggest that weekly time spent managing users’ passwords has increased 25 percent since 2019. Given this, 85 percent of IT and security professionals agree that their organization should look to reduce the number of passwords that individuals use on a daily basis.
Additionally, 95 percent respondents surveyed say there are risks to using passwords which could contribute to threats in their organization, notably human behaviors like password reuse or password weakness.
Security priorities are at odds with user experience
When it comes to managing an organization, security is a core challenge for IT teams. However, it is the lack of convenience and ease of use that employees care about. Security is the main source of frustration for the IT department, particularly when issues are often derived from user behavior when managing passwords.
The top three frustrations for IT teams include users using the same password across applications (54 percent), users forgetting passwords (49 percent) and time spent on password management (45 percent).
For employees, the issues lie in convenience. Their top three frustrations are changing passwords regularly (56 percent), remembering multiple passwords (54 percent) and typing long, complex passwords (49 percent).
Primary benefits of passwordless authentication
Better security (69 percent) and eliminating password related risk (58 percent) are believed by respondents to be the top benefits of deploying a passwordless authentication model for their organization’s IT infrastructure. Time (54 percent) and cost (48 percent) savings are also noted benefits of going passwordless.
Meanwhile, for employees a passwordless authentication model would help to address efficiency concerns. 53 percent of respondents report that passwordless authentication offers the potential to provide convenient access from anywhere, which is key given the shift towards remote work that is likely here to stay.
Top challenges of passwordless deployment
While going passwordless can provide a more secure authentication method, there are challenges in the deployment of a passwordless model.
Respondents report the initial financial investment required to migrate to such solutions (43 percent), the regulations around the storage of the data required (41 percent) and the initial time required to migrate to new types of methods (40 percent) as the biggest challenges for their organization to overcome.
There are also some concerns around resistance to change. Three quarters of IT and security professionals (72 percent) think that end users in their organization would prefer to continue using passwords, as it is what they are used to.
Passwords are not going away completely
When it comes to identity and access management, 85 percent do not think passwords are going away completely. Yet, 92 percent of respondents believe that delivering a passwordless experience for end-users is the future for their organization.
There is a clear need to find a solution that combines passwordless authentication and password management in today’s organizations.
“As many organizations transition to a long-term remote work culture, giving your employees the tools and resources to be secure online in their personal lives as well as in the home office is more important now than ever,” said Gerald Beuchelt, CISO at LogMeIn.
“This report shows the continued challenge that organizations face with password security and the need for a passwordless authentication solution to enable both IT teams and employees to operate more efficiently and securely in this changing environment.”
91 percent of people know that using the same password on multiple accounts is a security risk, yet 66 percent continue to use the same password anyway. IT security practitioners are aware of good habits when it comes to strong authentication and password management, yet often fail to implement them due to poor usability or inconvenience.
To select a suitable password management solution for your business, you need to think about a variety of factors. We’ve talked to several cybersecurity professionals to get their insight on the topic.
Simran Anand, Head of B2B Growth, Dashlane
An organization’s security chain is only as strong as its weakest link – so selecting a password manager should be a top priority among IT leaders. While most look to the obvious: security (high grade encryption, 2FA, etc.), support, and price, it’s critical to also consider the end-user experience. Why? Because user adoption remains by far IT’s biggest challenge. Only 17 percent of IT leaders incorporate the end-UX when evaluating password management tools.
It’s not surprising, then, that those who have deployed a password manager in their company report only 23 percent adoption by employees. The end-UX has to be a priority for IT leaders who aim to guarantee secure processes for their companies.
Password management is too important a link in the security chain to be compromised by a lack of adoption (and simply telling employees to follow good password practices isn’t enough to ensure it actually happens). For organizations to leverage the benefits of next-generation password security, they need to ensure their password management solution is easy to use – and subsequently adopted by all employees.
Gerald Beuchelt, CISO, LogMeIn
As the world continues to navigate a long-term future of remote work, cybercriminals will continue to target users with poor security behaviors, given the increased time spent online due to COVID-19. Although organizations and people understand that passwords play a huge role in one’s overall security, many continue to neglect best password practices. For this reason, businesses should implement a password management solution.
It is essential to look for a password management solution that:
- Monitors poor password hygiene and provides visibility to the improvements that could be made to encourage better password management.
- Standardizes and enforces policies across the organization to support proper password protection.
- Provides a secure password management portal for employees to access all account passwords conveniently.
- Reports IT insights to provide a detailed security report of potential threats.
- Equips IT to audit the access controls users have with the ability to change permissions and encourage the use of new passwords.
- Integrates with previous and existing infrastructure to automate and accelerate workflows.
- Oversees when users share accounts to maintain a sense of security and accountability.
Using a password management solution that is effective is crucial to protecting business information. Finding the right solution will not only help to improve employee password behaviors but also increase your organization’s overall online security.
Michael Crandell, CEO, Bitwarden
Employees, like many others, face the daily challenge of remembering passwords to securely work online. A password manager simplifies generating, storing, and sharing unique and complex passwords – a must-have for security.
There are a number of reputable password managers out there. Businesses should prioritize those that work cross-platform and offer affordable plans. They should consider if the solution can be deployed in the cloud or on-premises. A self-hosting option is often preferred by some organizations for security and internal compliance reasons.
Password managers need to be easy-to-use for every level of user – from beginner to advanced. Any employee should be able to get up and running in minutes on the devices they use.
As of late, many businesses have shifted to a remote work model, which has highlighted the importance of online collaboration and the need to share work resources online. With this in mind, businesses should prioritize options that provide a secure way to share passwords across teams. Doing so keeps everyone’s access secure even when they’re spread out across many locations.
Finally, look for password managers built around an open source approach. Being open source means the source code can be vetted by experienced developers and security researchers who can identify potential security issues, and even contribute to resolving them.
Matt Davey, COO, 1Password
65% of people reuse passwords for some or all of their accounts. Often, this is because they don’t have the right tools to easily create and use strong passwords, which is why you need a password manager.
Opt for a password manager that gives you oversight over the things that matter most to your business: from who’s signed in from where, who last accessed certain items, or which email addresses on your domain have been included in a breach.
To keep the admin burden low, look for a password manager that allows you to manage access by groups, delegate admin powers, and manage users at scale. Depending on the structure of your business, it can be useful to grant access to information by project, location, or team.
You’ll also want to think about how a password manager will fit with your existing IAM/security stack. Some password managers integrate with identity providers, streamlining provisioning and administration.
Above all, if you want your employees to adopt your password manager of choice, make sure it’s easy to use: a password manager will only keep you secure if your employees actually use it.
A critical vulnerability (CVE-2020-11552) in ManageEngine ADSelfService Plus, an Active Directory password-reset solution, could allow attackers to remotely execute commands with system level privileges on the target Windows host.
About ManageEngine ADSelfService Plus
ManageEngine ADSelfService Plus is developed by ManageEngine, a division of Zoho Corporation, a software development company that focuses on web-based business tools and information technology.
“ADSelfService Plus supports self-service password reset for WFH and remote users by enabling users to reset Windows password from their own machines and updating the cached credentials through a VPN client,” the company touts.
It also supports sending password expiration notifications to remote users through email, SMS, and push notifications; provides admins with a way to force 2-factor authentication for Windows logons; and provides users with secure access to all SAML-supported enterprise applications (e.g., Office 365, G Suite, Salesforce) through AD-based single sign-on.
About the vulnerability (CVE-2020-11552)
Unearthed and flagged by Bhadresh Patel, CVE-2020-11552 stems from the solution not properly enforcing user privileges associated with Windows Certificate Dialog.
The ManageEngine ADSelfService Plus thick client software enables users to perform a password reset or an account unlock action by using the self-service option on the Windows login screen. When one of these options is selected, the client software is launched and connects to a remote ADSelfService Plus server to facilitate the self-service operations.
“A security alert can/will be triggered when ‘an unauthenticated attacker having physical access to the host issues a self-signed SSL certificate to the client’. Or, ‘a (default) self-signed SSL certificate is configured on ADSelfService Plus server’,” he noted.
“‘ViewCertificate’ option from the security alert will allow an attacker with physical access or a remote attacker with RDP access, to export a displayed certificate to a file. This will further cascade to the standard dialog/wizard which will open file explorer as SYSTEM. By navigating file explorer through ‘C:\windows\system32’, a cmd.exe can be launched as SYSTEM.”
Patel also published a PoC exploit video (the exploitation part starts at 5:30):
ManageEngine patched CVE-2020-11552 twice, because the first patch only fixed the issue partially. Admins are advised to upgrade to ADSelfService Plus build 6003, which contains the complete security fix.
Mozilla has released Firefox 76, which comes with critical security fixes and new features related to Firefox Lockwise, the browser’s password manager/generator that’s also available as a standalone app for iOS and Android.
New Firefox password security features
Just in time for this year’s World Password Day, Mozilla has released new Firefox Lockwise features.
Starting with Firefox 76, users will be able to check whether any of the passwords they use are vulnerable (e.g., identical to a password that has been breached) and they will be alerted when their login and password is involved in a breach:
Unfortunately, the Website Breach warning will not be shown when you visit the login page of the breached site, but only if you go to the menu button located on the far right of the browser’s toolbar and select “Logins and Passwords”, i.e., if you “enter” Firefox Lockwise.
Another new feature is one that makes it possible to share a device with others (e.g., family or roommates) without them being able to see your passwords or you theirs.
“When you try to view or copy a password from your ‘Logins and Passwords’ page, you will be prompted for your device’s account password before proceeding. Once the password is added, your credentials will be available to view and copy for up to five minutes,” Mozilla explained. This is one more reason for having a separate device account for each user.
Firefox 76 contains fixes for two critical flaws:
- CVE-2020-12388, a sandbox escape flaw that only affects Firefox on Windows operating systems.
Also deemed critical are a bunch of memory safety bugs that have been fixed both in Firefox 76 and Firefox ESR 68.7.
Two high-risk security holes have also been plugged: a sandbox escape that, again, only affects Firefox on Windows operating systems, and a buffer overflow that could lead to memory corruption and a potentially exploitable crash.
For more details about the vulnerabilities go here.
People aren’t protecting themselves from cybersecurity risks even though they know they should, a study on password psychology by LogMeIn reveals.
Year after year there is heightened global awareness of hacking and data breaches, yet consumer password behaviors remain largely unchanged. Data from the survey shows that 91 percent of people know that using the same password on multiple accounts is a security risk, yet 66 percent continue to use the same password anyway.
With people spending more time online, the evolution of cybersecurity threats and the unchanged behavior in creating and managing passwords creates a new level of concern around online security.
The global survey polled 3,250 individuals across the United States, Australia, Singapore, Germany, Brazil, and the United Kingdom and provides evidence that increased knowledge of security best practices doesn’t necessarily translate into better password management.
Global cyber threats continue to skyrocket but password behaviors unchanged
Password behaviors remain largely unchanged from the same study conducted two years ago — translating to some risky behaviors. 53 percent report not changing passwords in the past 12 months despite a breach in the news.
And while 91 percent know that using the same password for multiple accounts is a security risk, 66 percent mostly or always use the same password. This is up 8 percent from our findings in 2018.
Security-conscious thinking doesn’t translate to action
The data showed several contradictions, with respondents saying one thing and in turn, doing another. 77 percent say they feel informed on password best practices, yet 54 percent still try to memorize passwords and 27 percent write them down somewhere.
Similarly, 80 percent are concerned with having their passwords compromised, and yet 48 percent never change their password if not required.
Fear of forgetfulness, number one reason for password reuse
Most respondents (66 percent) use the same password for multiple accounts, which surprisingly has gone up 8 percent from our 2018 findings. Why? The fear of forgetting login information continues to be the number one reason for password reuse (60 percent), followed by wanting to know and be in control of all of their passwords (52 percent).
Awareness and usage of MFA increasing
The good news is there is broad awareness and usage of multifactor authentication (MFA). Fortunately, 54 percent say they use MFA for their personal accounts and 37 percent are using it at work. Only 19 percent of survey respondents said they did not know what MFA was.
Respondents are also very comfortable with biometric authentication – using your fingerprint or face to login to devices or accounts. 65% said they trust fingerprint or facial recognition more than traditional text passwords.
“During a time where much of the world is working from home due to the disruption caused by the COVID-19 pandemic, and people are spending more time online, the cyber threats facing consumers are at an all-time high. Individuals seem to be numb to the threats that weak passwords pose and continue to exhibit behaviors that put their information at risk,” said John Bennett, SVP & GM of Identity and Access Management at LogMeIn.
“Taking just a few simple steps to improve how you manage passwords can lead to increased safety for your online accounts, whether personal or professional. Make World Password Day 2020 the tipping point for a change in your password behavior.”
Security experts recommend using a complex, random and unique password for every online account, but remembering them all would be a challenging task. That’s where password managers come in handy.
Encrypted vaults are accessed by a single master password or PIN, and they store and autofill credentials for the user. However, researchers at the University of York have shown that some commercial password managers (depending on the version) may not be a watertight way to ensure cybersecurity.
After creating a malicious app to impersonate a legitimate Google app, they were able to fool two out of five of the password managers they tested into giving away a password.
What is the weakness?
The research team found that some of the password managers used weak criteria for identifying an app and which username and password to suggest for autofill. This weakness allowed the researchers to impersonate a legitimate app simply by creating a rogue app with an identical name.
Senior author of the study, Dr Siamak Shahandashti from the Department of Computer Science at the University of York, said: “Vulnerabilities in password managers provide opportunities for hackers to extract credentials, compromising commercial information or violating employee information. Because they are gatekeepers to a lot of sensitive information, rigorous security analysis of password managers is crucial.
“Our study shows that a phishing attack from a malicious app is highly feasible – if a victim is tricked into installing a malicious app it will be able to present itself as a legitimate option on the autofill prompt and have a high chance of success.”
“In light of the vulnerabilities in some commercial password managers our study has exposed, we suggest they need to apply stricter matching criteria that are not merely based on an app’s purported package name.”
“I am not aware of the different ways a password manager could properly identify an app so not to fall victim to this kind of attack. But it does remind me of concerns we’ve had a long time about alternative keyboard apps getting access to anything you type on your phone or tablet,” Per Thorsheim, founder of PasswordsCon, told Help Net Security.
“The risk presented with autofill on compromised websites pertains only to the site’s credentials, not the user’s entire vault. It is always in the user’s best interest to enable MFA for all online accounts, including LastPass, since it can protect them further,” a LastPass spokesperson told us via email.
“While continued efforts from the web and Android communities will also be required, we have already implemented changes to our LastPass Android app to mitigate and minimize the risk of the potential attack detailed in this report. Our app requires explicit user approval before filling any unknown apps, and we’ve increased the integrity of our app associations database in order to minimize the risk of any “fake apps” being filled/accepted.”
The researchers also discovered that some password managers did not limit the number of times a master PIN or password could be entered. This means that if attackers had access to an individual’s device they could launch a “brute force” attack, guessing a four-digit PIN in around 2.5 hours.
The researchers also drew up a list of vulnerabilities identified in a previous study and tested whether they had been resolved. They found that while the most serious of these issues had been fixed, many had not been addressed.
Some issues have been fixed long ago
The researchers disclosed these vulnerabilities to the companies developing those password managers.
Lead author of the study, Michael Carr, said: “New vulnerabilities were found through extensive testing and responsibly disclosed to the vendors. Some were fixed immediately while others were deemed low priority. More research is needed to develop rigorous security models for password managers, but we would still advise individuals and companies to use them as they remain a more secure and useable option. While it’s not impossible, hackers would have to launch a fairly sophisticated attack to access the information they store.”
Commenting on this research for Help Net Security, Jeffrey Goldberg, Chief Defender Against the Dark Arts at 1Password, said: “Academic research of this nature can be misread by the public. The versions of 1Password that were examined in that study were from June and July 2017. As is the convention for such research, the researchers talked to us before making their findings public and gave us the opportunity to fix things that needed to be fixed. The research, and publication of it now, does have real value both to developers of password managers and for future examination of password managers, but given its historical nature, it is not a very useful guide to the general public in assessing the current state of password manager security.”
IT security practitioners are aware of good habits when it comes to strong authentication and password management, yet often fail to implement them due to poor usability or inconvenience, according to Yubico and Ponemon Institute.
The conclusion is that IT security practitioners and individuals are both engaging in risky password and authentication practices, yet expectation and reality are often misaligned when it comes to the implementation of usable and desirable security solutions.
The tools and processes that organizations put in place are not widely adopted by employees or customers, making it abundantly clear that new technologies are needed for enterprises and individuals to reach a safer future together.
“IT professional or not, people do not want to be burdened with security — it has to be usable, simple, and work instantly,” said Stina Ehrensvärd, CEO and Co-Founder, Yubico.
“For years, achieving a balance between high security and ease of use was near impossible, but new authentication technologies are finally bridging the gap. With the availability of passwordless login and security keys, it’s time for businesses to step up their security options. Organizations can do far better than passwords; in fact, users are demanding it.”
Individuals report better security practices in some instances compared to IT pros
Out of the 35% of individuals who report that they have been victim of an account takeover, 76% changed how they managed their passwords or protected their accounts. Of the 20% of IT security respondents who have been a victim of an account takeover, 65% changed how they managed their passwords or protected their accounts.
Both individuals and IT security respondents have reused passwords on an average of 10 of their personal accounts, but individual users (39%) are less likely to reuse passwords across workplace accounts than IT professionals (50%).
Poor password hygiene
Fifty-one percent of IT security respondents say their organizations have experienced a phishing attack, with another 12% of respondents stating that their organizations experienced credential theft, and 8% say it was a man-in-the-middle attack.
Yet only 53% of IT security respondents say their organizations have changed how passwords are managed or how corporate accounts are protected. Interestingly enough, individuals reuse passwords across an average of 16 workplace accounts and IT security respondents say they reuse passwords across an average of 12 workplace accounts.
Mobile use is on the rise
Fifty-five percent of IT security respondents report that the use of personal mobile devices is permitted at work and an average of 45% of employees in the organizations represented are using their mobile device for work.
Alarmingly, 62% of IT security respondents say their organizations don’t take necessary steps to protect information on mobile phones. Fifty-one percent of individuals use their personal mobile device to access work related items, and of these, 56% don’t use two-factor authentication (2FA).
Poor employee access protection
Given the complexities of securing a modern, mobile workforce, organizations struggle to find simple, yet effective ways of protecting employee access to corporate accounts. Roughly half of all respondents (49% of IT security and 51% of individuals) share passwords with colleagues to access business accounts.
Fifty-nine percent of IT security respondents report that their organization relies on human memory to manage passwords, while 42% say sticky notes are used. Only 31% of IT security respondents say that their organization uses a password manager, even though password managers are effective tools for securely creating, managing, and storing passwords.
Concerns about customer information and PII security
IT security respondents say they are most concerned about protecting customer information and personally identifiable information (PII). However, 59% of IT security respondents say customer accounts have been subject to an account takeover. Despite this, 25% of IT security respondents say their organizations have no plans to adopt 2FA for customers.
Of these 25% of IT security respondents, 60% say their organizations believe usernames and passwords provide sufficient security and 47% say their organizations are not going to provide 2FA because it will affect convenience by adding an extra step during login.
When businesses are choosing to protect customer accounts and data, the 2FA options that are used most often do not offer adequate protection for users.
Three main 2FA methods
IT security respondents report that SMS codes (41%), backup codes (40%), or mobile authentication apps (37%) are the three main 2FA methods that they support or plan to support for customers. SMS codes and mobile authenticator apps are typically tied to only one device.
Additionally, 23% of individuals find 2FA methods like SMS and mobile authentication apps to be very inconvenient. A majority of individuals rate security (56%), affordability (57%), and ease of use (35%) as very important.
Individuals only adopting new technologies that are easy to use
It is clear that new technologies are needed for enterprises and individuals to reach a safer future together. Across the board, passwords are cumbersome, mobile use introduces a new set of security challenges, and the security tools that organizations have put in place are not being widely adopted by employees or customers.
In fact, 49% of individuals say that they would like to improve the security of their accounts and have already added extra layers of protection beyond a username and password.
However, 56% of individuals will only adopt new technologies that are easy to use and significantly improve account security. Here’s what is preferred: biometrics, security keys, and password-free login.
Passwordless methods are preferred
A majority of IT security respondents and individuals (55%) would prefer a method of protecting accounts that doesn’t involve passwords. Both IT security (65%) and individual users (53%) believe the use of biometrics would increase the security of their organization or accounts.
And lastly, 56% of individuals and 52% of IT security professionals believe a hardware token would offer better security.
63% of enterprise professionals have created at least one account without their IT department being aware of it, and two-thirds of those have created two or more, the results of a recent 1Password survey have revealed.
Even more worryingly, only 2.6% of these 63% use a unique password when they create a new shadow IT account at work and just 13% use a password generator – the rest re-use a memorable password or use a pattern of similar passwords.
The danger of shadow IT and weak passwords
As we wait for a more secure authentication solution to find its way into mainstream usage and achieve widespread acceptance, we have to find a way to minimize the risks that come with password use.
For enterprises, one of the risks is tied to shadow IT: the IT systems/solutions used by its employees without their use being authorized and supported by the IT department.
“Say Carlos [in marketing] populates Airtable with customer data for his email campaigns, and Anita [in legal] checks sensitive legal documents in Grammarly. Without thinking about it, they’re sharing a lot of important data with external companies that IT doesn’t even know about,” 1Password CEO Jeff Shiner explained.
“If one of these services suffers a breach, the company won’t know it affects them, which leaves them powerless to secure their data after the event. It also means they’ll be unable to disclose it to their customers. This could leave any company facing costly fines and a huge loss of trust in its operations.”
Individual accounts could also be compromised by attackers if they are secured by weak and/or reused passwords, or if the employee shared the password with a colleague in an insecure manner, as most of those who have shared passwords did.
Finally, former employees might retain access to their shadow IT accounts and their contents after they leave the organization.
“At worst, this company data could be shared with a competitor; at best, it’s left dormant and hidden, but it still puts the company at risk if the service is breached,” Shiner noted.
The pragmatic solution to the shadow IT problem is not banning it, but finding a way to bring it all back under the IT department’s control, he believes.
Promoting and encouraging the use of a password manager for creating strong, unique passwords for all accounts, storing them and sharing them securely can help with the unseen password problem.
Passwords are the dominant way online services manage access to our personal and work-related lives. But oftentimes they’re more of a headache than a security tool.
HYPR released the findings of a two and a half year Password Usage Study, which compiled data from over 500 full-time workers across the United States and Canada to better understand how individuals use, treat and manage their passwords.
According to the findings, 72% of individuals reuse passwords in their personal life while 49% of employees simply change or add a digit or character to their password when updating their company password every 90 days.
Forgot a password? Usage practices revealed
A majority of users have recently required a password reset because they forgot their password.
- 78% of respondents required a password reset in their personal life within the last 90 days
- 57% of respondents required a password reset in their work life within the last 90 days
A sizeable number of users manage an overwhelming number of passwords.
- 37% of respondents have over 20 passwords in their personal life
- 19% of respondents have over 10 passwords in their work life
A majority of users depend on physical and digital lists to manage their passwords.
- 65% of respondents use an app or keep a digital or physical list of passwords in their personal life
- 58% of respondents use an app or keep a digital or physical list of passwords in their work life
“As a society, we’re so accustomed to using passwords and shared secrets that we tend to overlook just how important user experience is,” said George Avetisov, CEO of HYPR.
“As the world evolves beyond passwords, we believe that true passwordless security delivered through the enterprise will rapidly eliminate the need for users to reuse, manage, reset or even think about passwords.”
- People do not rely on technology that’s created to help them manage their passwords. This is due to a lack of knowledge of their existence, uncertainty of how to use them, and not trusting a third party to keep their passwords secure and not share them.
- The majority of individuals rely on their own memory, which time and time again proves to fail, with a password reset needed every time a user cannot recall the password for a service they are trying to access.
- People still rely on traditional means of keeping important information out of memory yet still accessible. This previously meant simple pieces of paper or notes, but these have since transitioned with the digital revolution to Word docs, emails, spreadsheets, and so on.