Why two-factor authentication should be your organization’s New Year resolutionThursday, January 26, 2017
Enter your (easily cracked) username and password please...
The combination of a username and password has long been the standard method by which computers have granted access to their users. By now, nearly everyone who uses a computer is familiar with the challenges of that combination. Simple passwords that you can remember easily increase the risk of exposing your sensitive information to others. Hard ones lessen that risk, but are also hard to remember. Then there are issues with how often passwords need to be changed, or how closely they can resemble previously used passwords.
The list of problems with username/password authentication is substantial, but so far most organizations have believed that the benefits of using them have outweighed the risks...risks which can be reduced by:
- lengthening passwords,
- making passwords more complex by adding capital letters, numbers, and symbols, and
- compelling users to practice good password hygiene.
A combination of bad password hygiene and faster hacking software/hardware
Good password hygiene means that users are not to share passwords, write them down, use the same or similar password for different accounts (especially across work and personal business), or store them electronically without encryption. But now the risks underlying these beliefs have substantially changed, and unsafe password habits are becoming much more problematic as the growing number of accounts a user has to manage continues to grow.
Simultaneously, the speed and power of computing and the sophistication of password cracking software continue to increase/improve. Though more recent information exists, this 2012 Ars Technica article provides compelling data about the power of recent password-cracking technology. It discusses building a machine using off-the-shelf parts that can attempt every possible password in a typical Windows enterprise environment in an offline attack in roughly six hours. If one of your users was a victim of the recent large password breaches at Yahoo or LinkedIn, and maybe that user isn’t exactly following the rules of password hygiene, your whole enterprise network is now at added risk of compromise.
The username and password combination is fundamentally less secure than other methods because it relies only on information that a user knows, making it an increasingly large liability. In addition to something a user knows, more secure authentication relies on something a user has, something a user is, or all three. Two-factor authentication refers to the use of two of these three categories of user properties for authentication. So far, this type of authentication has been largely the domain of organizations dealing in national security.
An evolving threat landscape
In addition to threats posed by poor password hygiene and faster computers, your organization last year almost certainly received a phishing e-mail, and someone in your organization almost certainly followed it and entered their credentials into whatever credential-harvesting website was at the end. This has been our experience when we conduct phishing testing for clients and, as you’ve probably read in the news, this has been the experience of government agencies at every level in the United States over the past few years.
If those on the receiving end of the credential-harvesting websites are intent on causing you pain (as has often been the case with those phishing government agencies), they now have the ability to do so regardless of the length or complexity of your password. That’s why the National Institute of Standards and Technology (NIST) is revising its “Digital Identity Guidelines” (S.P. 800-63) to require two-factor authentication, and many experts are advocating for it, as well.
If you choose to keep your passwords for authentication, remember that it takes ten minutes to crack a six-character, lower case password, but three years for an eight-character password and 44,350 years for a nine-character password. However, these longer, more elaborate passwords only work if your employees are using them. PHA's password audits help clients get a handle on which employees are following good password practices.
As we move forward into 2017, we're noticing that methods of providing two-factor authentication continue to improve while costs continue to fall. We believe this combination of circumstances makes this the year that your organization should consider dumping passwords and implementing two-factor authentication. In the meantime, contact PHA for affordable phishing testing and password audits.
Writer: Joe Beckman, 765-496-1911, firstname.lastname@example.org
Tags: Health IT Security