Since the beginning of remote use, IT passwords have been an integral part of the users' interface with IT systems. They have never been loved but have been accepted as a necessary evil. It is said that users don't like them because they are hard to remember and so cause trouble in the daily job. Security experts hate them because credential theft is a main cause of data breaches.

The general sentiment seems to be: 'passwords are dying', they are 'the walking dead'; other short-term predictions are made as well. But even the experts admit (at least in private) that it will be a very slow death. Forrester says: 'While there is consensus on the need to move away from passwords, a complete replacement of all passwords is still in the future for most firms.'

We find however that many analyses don't distinguish between general web applications for consumers / members and the corporate situation. This is confusing! The standard corporate environment based on the Active Directory and secure networks can't be compared to a website for club members or a B2C site from a small web shop!

In this blog I focus on security and user experience for the professional enterprise with up-to-date security protection. We take a closer look at the many myths surrounding passwords.

Myth 1: Passwords are easy to guess

You might have read analyses of the most frequently used passwords, such as 123456, Qwerty, password etc.

Is this the case in a professional corporation? No!! All companies we have met have a strong password policy. Typically, they require at least 8 characters with upper case, lower case, numerics, special characters etc. Few of the passwords on the lists of most-used passwords can be used in the standard corporation. If there is a concern, it is possible to add password filters to the Active Directory, where new passwords are matched against databases of unwanted passwords so they can be discarded before use!

Corporate passwords are not easy to guess!!
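The two checks described above, the complexity rule and a filter that matches new passwords against a list of unwanted ones, as an added Python sketch (not FastPassCorp's or Microsoft's code; a real Active Directory password filter is a separate component). The deny-list, the substitution table and all function names are constructed for illustration.

```python
import re
import unicodedata

# Constructed sample deny-list; a real filter would load a much larger corpus.
BANNED = {"password", "qwerty", "123456", "welcome", "summer"}

# Assumed substitution table for undoing common character swaps.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "3": "e",
                      "$": "s", "5": "s", "1": "i", "!": "i"})


def meets_complexity(pw: str) -> bool:
    """Policy from the text: 8+ characters with upper, lower, digit, special."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))


def candidates(pw: str) -> set:
    """Forms of the password that are compared against the deny-list."""
    low = unicodedata.normalize("NFKC", pw).casefold()
    # Drop leading/trailing digits and symbols ("Summer2018!" -> "summer").
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", low)
    return {low, core, core.translate(LEET)}


def is_banned(pw: str) -> bool:
    """True if any deny-listed word appears inside any candidate form."""
    return any(word in form for form in candidates(pw) for word in BANNED)


def check_password(pw: str) -> str:
    """Return 'too weak', 'banned' or 'ok' for a proposed new password."""
    if not meets_complexity(pw):
        return "too weak"
    if is_banned(pw):
        return "banned"
    return "ok"


if __name__ == "__main__":
    for sample in ["qwerty", "Password1!", "P@ssw0rd1!", "Tr4il-Mix-Kettle9"]:
        print(f"{sample!r}: {check_password(sample)}")
```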

Myth 2: Fast computers can decrypt passwords when the user repository is stolen

We have seen and read about a lot of situations where user repositories with passwords have been stolen, directly causing massive data breaches. But when have you read about a corporate Active Directory being stolen?

In theory (and then in the real world too) a bad guy with the right privileges can make a copy of the AD including the password field. The problem for the bad guy is that the password is represented by hashes made from encrypted data. The principle governing passwords in the AD is that it is not possible for anyone to decrypt a password. The AD only wants to say YES or NO when asked about a password! No-one can get a valid password from the AD.

So, when the bad guy has the copy he must figure out what the different hashes are in clear text. It's not impossible that a superfast computer, given enough time, can get a password right. The problem is that it doesn't give a model to use for all the other passwords. So even with super-fast computers it will take a very long time to guess the passwords.

The fundamental solution is of course to prevent the AD from being copied or stolen, or at least to make sure that an alert system reacts if something like this happens. This will allow all users to reset passwords before they can be guessed.

This myth is simply not realistic for corporate Active Directory user repositories.

Myth 3: We can guess the account's password by attempting multiple times with a fast computer

This is probably true for some password protection on the web. But this is not how it is in the Active Directory protecting passwords. When a user has tried to open an account 3 times, the AD locks the account. It might open it again after some time, but will then lock the account after 3 more attempts. Depending on the configuration, the account will pretty soon be locked in a way that only a user with privileged passwords can reopen it. This can't be done by a computer attack, and you will never get any volume to make it realistic per account.

You can't guess an AD password through indefinite trial and error!
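The lockout behaviour described above, modelled as an added Python example (not code from the original post or from Active Directory). The threshold of 3 comes from the text; the 30-minute counting window, the 30-minute automatic unlock and all names are assumptions.

```python
import math
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    threshold: int = 3      # failed attempts before lockout (figure from the text)
    window_s: int = 1800    # assumed: failures older than this stop counting
    duration_s: int = 1800  # assumed: auto-unlock delay; 0 = privileged unlock only


@dataclass
class Account:
    failures: list = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0


def attempt(acct: Account, pol: LockoutPolicy, now: float, correct: bool) -> str:
    """Process one logon attempt; return 'locked', 'ok' or 'failed'."""
    if now < acct.locked_until:
        return "locked"  # the password is not even evaluated
    acct.failures = [t for t in acct.failures if now - t < pol.window_s]
    if correct:
        acct.failures.clear()
        return "ok"
    acct.failures.append(now)
    if len(acct.failures) >= pol.threshold:
        acct.locked_until = now + pol.duration_s if pol.duration_s else math.inf
        acct.failures.clear()
    return "failed"


def guesses_evaluated(pol: LockoutPolicy, interval_s: int, horizon_s: int) -> int:
    """Wrong guesses actually checked when one arrives every interval_s seconds."""
    acct = Account()
    return sum(attempt(acct, pol, t, correct=False) == "failed"
               for t in range(0, horizon_s, interval_s))


if __name__ == "__main__":
    day = 24 * 3600
    print("auto-unlock after 30 min:", guesses_evaluated(LockoutPolicy(), 1, day))
    print("privileged unlock only:  ", guesses_evaluated(LockoutPolicy(duration_s=0), 1, day))
```

Under these assumed settings, one guess per second for a whole day results in 144 evaluated guesses against the account, and only 3 when unlocking requires a privileged user.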

Myth 4: Man-in-the-middle can copy the password for his own use

When the user changes the password, the bad guy can steal it during transport to the Active Directory. The problem for the bad guy is that for users on the AD domain, the password always travels encrypted. The Windows PC encrypts the password before it is transmitted to the domain controller. The domain controller forwards the password encrypted to the AD.

Furthermore, all decent domains are heavily protected from any outsider's attempt to intercept domain traffic. External traffic to the domain will be protected in similar ways.

Even if the bad guy should be successful in obtaining an encrypted password in transport, he can't get any help to decrypt it, as he will only have very few attempts to test before the account is locked.

The middleman can't decrypt the password.

Myth 5: It is easy to trick users to replace passwords at a website

This is the model used by Russia against the Democratic Party in the USA. Users were asked to replace their passwords at a new website, and then this website updated the user's account, so the user actually did get the new password, but the Russian website now had the same password as the user.

This website is on the external net. No decent corporate security environment will allow any external service to reset a password if it is not approved.

So, this model might work against a standard web user repository, but not against a well-protected corporate security design.

Phishing attempts will not work against a well-organised Active Directory.

Myth 6: Users write their passwords on sticky notes available for colleagues to find

This risk is real and is a long-standing tradition for some users. The remedy for this might be to give users a data vault or self-service for password reset. As most organisations change the password every 3 months or so, there is a real risk that users might not update the data vault. A self-service solution with multiple authentication methods solves the issue. Only when the user actually forgets the password will he use the self-service, and with multiple authentication methods he can comply with the requirements every time (multiple methods like SMS, Microsoft authenticator, smart-card, challenge questions and others).

If it's easy for users to solve the forgotten password issue, then the need for sticky notes disappears.

Myth 7: Passwords are expensive because of service desk costs and lost user productivity

Not only is security a concern regarding password issues. Productivity and costs can be a pain too.

According to many surveys it is estimated that 25% of all contacts with an internal IT service desk are password related. This is a cost for the service desk and might be a considerable cost for the end-user department too. If the problem is outside normal business hours, it might even take a long time before the user gets his new password!

According to Gartner research, the average cost of an end-user transaction for the service desk was $16.30 in 2017. This can be taken directly as a cost of passwords (Gartner document: G00341784). Our experience is that an average user with only the AD passwords for corporate use forgets one password per year. (It's an average between some users never forgetting a password and some users forgetting many passwords each year!!)

It is however possible to replace the service desk with a self-service solution, where costs can be reduced dramatically. As an example, the cost per password reset/unlock at the FastPassCloud (a complete corporate password self-service solution) for a company with 5,000 users is less than $5. Internal costs are minimal for running the necessary local connectors.

Some might argue that a manual password reset process is shorter and cheaper than the average of $16.30. This is correct for many service desks. The real question is however: 'Why is the password reset transaction light today?' It is only a light transaction if the service desk doesn't carry out a thorough authentication of users calling for a password. The critical item is authentication of the user, and this can't be done quickly or easily! With a robust and secure authentication process password resets are not lighter than the average service desk transactions, and the Gartner numbers can be used as reference.

With an annual cost of approximately $5/user, passwords can compete with the costs of most alternative authentication methods when all cost elements are included.

Summary of password myths

The myths concerning the risks of passwords are primarily related to web-based applications for 'unknown' users. For most corporate systems with acceptable security protection and modern Windows systems, the myths simply don't apply. Microsoft and other vendors obviously know the myths and the risks and have developed intelligent protection against attacks on individual users' passwords.

Adding additional protection with intelligent password filters, self-service of passwords, SIEM and perhaps data vaults will make password thefts from the Active Directory environments practically impossible in the real world!

Does this mean that there are no threats to passwords in the corporate environment? Unfortunately not; there is one reality which is under-exposed:

Reality: Privileged users, with privileged passwords to reset end-user passwords, can get access to end-users' accounts, or give that access away to the bad guys!

The most common situation is a service desk where all service desk analysts have privileged passwords. If it is a large enterprise, we might be talking about 100+ analysts. Many of these have a low seniority and perhaps a low loyalty to the company. This might indeed be the case if the service desk is off-shored and there is no relationship to the mother company. With such a group we have the risk that they might accidentally, unknowingly or willingly give away passwords to real users' accounts.

Research by the Service Desk Institute in 2018 found that 83% of all service desk managers agreed that it is possible for a 'bad guy' to get a real new password from their service desk!!

This is the primary risk with corporate passwords that CISOs and service desk managers should focus on. 'How can we make a secure IT workflow that performs a secure authentication of end-users?' At the same time the workflow must be the only entity holding the necessary privileged password on behalf of all personnel in the service desk. We need to remove the privileged password from all the analysts.

You will always have a few infrastructure specialists having the necessary privileged rights, but this should be a group of select and senior employees with an intelligent monitoring of their activities.

Positive sides of passwords for corporate use

  • End-users expect passwords to be part of the log-in process. The lack of a password might cause end-users grave concern that the system or application is not secure.
  • You can't force the password out of the user's head! If a token is stolen it can be used.
  • There is no cost to the actual use of passwords. Data vaults and tokens are relatively expensive per user!
  • If someone steals your password you can get a new one! If someone gets a copy of the digital picture of your fingerprint, how can you get a new finger?
  • If you forget your password it's easy to get a new one. If you forget your smartphone, what is your alternative log-in process until you get it back or get a new one?

Conclusion:

Passwords for corporate IT users can be well protected with low risk for credential theft. Practically all credential types can be broken by criminals. For sensitive and critical information, the assets must be protected by multi-factor authentication (MFA). In a model with MFA, something we remember (= password) is a meaningful and strong component.

Most of the myths against password security and costs are not real or relevant when we look at the end-user use-cases for a professional corporation.

It is however important to ensure that best practices for the use of passwords are followed. This includes password policies, a self-service portal for password resets, multi-factor authentication and a workflow for the facilitated password reset process.

For more information and inspiration for your corporate end-user password processes please contact www.fastpasscorp.com

Disclaimer

FastPassCorp A/S published this content on 14 June 2018 and is solely responsible for the information contained herein. Distributed by Public, unedited and unaltered, on 14 June 2018 11:27:06 UTC