Passwords & Passkeys
Steve Jump
vCISO, Strategist, Coach and Mentor at Custodiet Advisory Services; CSO at SLVA Cybersecurity and Cybercrime Prevention
It’s that time of year again! No, not the time you review your New Year’s Resolutions for practicality, or search for how long you can safely keep cooked turkey in a freezer.
No! This is the time of year that every IT service desk agent in the world hates with a passion.
This is the time when everyone tries to log back into their work systems on the same day, using a password that either expired sometime during the festivities or whose recollection completely dissolved sometime on New Year’s Eve.
If that sounds familiar, either as a service desk manager or simply as a locked-out service desk user, then you may want to ask your boss whether they know about the really huge and very scary business risk that such issues reveal: a very real, exploitable business vulnerability that makes the effort in a thousand successful password resets look like child’s play.
This very real problem is that mandatory password expiry after some arbitrary number of days between 30 and 180 is a solution to a cyber threat from 20 years ago, and that threat is no longer your biggest business risk. NIST’s SP 800-63B guidance has said as much since 2017: change a password when there is evidence of compromise, not on a calendar. The serious business risk now is that in 2024 you are wasting considerable support resources, which your business so desperately needs in order to operate safely, by still using a password that needs to be manually reset.
Technology has moved on a lot from the year 2000. But if you are still following security principles from policies first drafted in 1999, without understanding how the cyber risks to your business have evolved, then we need to talk. This article is all about understanding what really matters to your business.
We have all heard that we must never re-use a password, and that it must be strong, a zillion characters long, never based on a real word, and never, ever, contain the name of your first pet goldfish. Right? Oh yes, it must also include at least one special character. My favorite special character is Batman. But whoever your special character is, this is still just a text-based password: something that can be written down, copied, or shared on TikTok.
The reality of business threats today is that correctly identifying and authenticating your users and administrators, accurately and reliably, is no longer a nice-to-have; it is at the very core of protecting your business’s future. Successful management of user identity is your very first line of defense in keeping cyber criminals out of your business, your bank accounts, your warehouses, your ERP, and your factories.
Typing in a password may be necessary for legacy systems. But if you have had to drop your access protocols to a single text password to accommodate the lowest common technical denominator (NTLM, with its relay and offline-cracking weaknesses, is the usual culprit), did your risk assessment really consider a single text password adequate to protect the real value of the assets behind the login it enables? And if it did, who signed off on the numbers you used in your value-at-risk calculations?
Is having a text-based password manually reset by an IT service desk really adequate protection of assets in a world where SMS confirmation is so easily spoofed or SIM-swapped, where a free app can make you sound like Morgan Freeman (I would hate to be his bank manager!) and the paid version lets you sound like anybody you choose? Not to mention that, with the right plugin, you can also look like them while using their voice on a Zoom call.
My point here is that if you need to restrict access to any digital asset, application or service to only the person or persons who are entitled and authorized to access it, then a password on its own has not been a sensible, or even an insurable, choice for some time. Using a second factor with a password is well understood: modern security standards call for Multi-Factor Authentication (MFA), where the second factor is something bound to a device the user holds, such as a hardware token, an authenticator-app approval tied to a specific phone, or at a minimum a time-based one-time code.
Although well understood, MFA is not as well used or as well protected as it should be. Those of you who have been using an authenticator app on your phone for a while will have noticed early last year that a request to approve a sign-in now requires you to type a two- or three-digit number shown on the login screen into the app. Why? Because cyber criminals found that if they could crack or steal your text-based password (phishing attack, anyone?) and then send push prompt after push prompt, a disturbingly high percentage of users would eventually just click “Accept” on their MFA app to stop the alerts. Game over. Number matching defeats that, because the number appears only on the attacker’s login screen, never on the victim’s phone, so there is nothing to approve blindly.
Security must not only be effective, it must be simple enough to be understood. It must also be seen as a cybersecurity control, not just as something that the IT service desk can override or reset on request. A password lockout should be a security control point, but in many cases it is simply an annoying legacy service desk function, because too many secondary password-only apps keep retrying automatically after a password change, and it only takes one of them still holding the old password to lock out the legitimate user. In this context I could use ActiveSync as a synonym for an evil creature in the dark; like a vampire, it is still very hard to kill.
These are very important lessons for security system designers. If a cybercriminal can get you to turn off a security control for a VIP, simply by knowing a username and blasting fake login attempts, because the control was not correctly designed or implemented to manage that risk, then the control has been defeated. The real trick for system designers is to ensure that the users with the least patience for obstructive technology are not made into crash test dummies for new technology, but are still motivated, monitored and protected against criminals.
If your users or administrators have a phone that can run an authenticator app, then as a security system designer you could remove the need for them ever to create or enter a password manually again. The mechanism is called a passkey, where any correctly configured web or desktop application, run on a device that can connect to your phone or run on the phone itself, can automatically create a unique cryptographic key pair just for that account on that site: the private key never leaves the device, and the site stores only the matching public key.
Passkeys add several layers of cryptographic protection between an ordinary or high-profile targeted user and the cybercriminal who wants to break in and steal or destroy. Every login is a signature over a fresh server challenge that is bound to the genuine site’s origin, so a phishing page cannot reuse it, and there is no shared secret on the server for an attacker to steal and crack. Just remember that even though the protection layer is less susceptible to interference or attack, any repeated or failed logins are no longer IT service issues: they are primary security events that need to be monitored, understood, and responded to.
If you have ever come across a login policy change that set allowed password attempts to 50, with a lockout of 15 minutes, but at no time logged a security event, you have come across an open fraud opportunity. You probably recognize the dubious business risk governance that allowed such a policy to be approved, but hopefully you discovered it before the bank called about all the empty accounts. (In my humble opinion, repeated password-linked authentication failure events should always have been security incidents, but that is another story entirely.)
Reliable, flexible and robust automated passkey-based authentication is something you should be considering as part of every new business platform. It even makes sense as a customer login feature for online apps. Shared accounts that access financial, commercial or personal information are no longer legally acceptable in many jurisdictions. Beyond that, ensuring that only the people whose credentials you know, and who have permission to access a resource, are able to do so; that any attempt to compromise such credentials is detected; and that access location, behavior, and cadence are monitored and tracked, is a good place to be.
Meanwhile, if you still have old-school legacy passwords in use, there are a few things you can consider that might reduce their risk a bit. No logon process intended for a human user should accept unlimited full-network-speed attempts. Set a usable level, say five attempts in 10 seconds, then add a delay that grows with each repeat. Log the event. If it is repeated, flag an incident. At worst you are helping a confused user; at best you are preventing a brute-force attack.
Wherever possible, use portals or gateways that support MFA to protect your older systems from open internet access. And if a network or system administrator reports that they have been locked out, treat this as very serious, even if it turns out not to be an APT payload going live but just a case of seasonally induced password reset disorder. It is always polite to help arrange treatment. For example, requiring MFA (and a dedicated administrative workstation) for remote execution tools such as PsExec and PowerShell Remoting removes the easy lateral-movement path that ransomware operators rely on after a successful phishing attack.
And remember, even though it is true that modern hardware can crack the hash of any human-rememberable password in a matter of hours, that is only possible for an attacker who has already stolen your password database in the first place. Allowing access to a password database is considered very poor internal security. Even with the hashes in hand, cracking still requires considerable processing power, and it gets far more expensive if each hash is salted (which defeats precomputed rainbow tables) and computed with a deliberately slow algorithm such as bcrypt, scrypt or Argon2. Monitoring what matters is a legitimate cybersecurity control. Checking that none of your Active Directory servers can even be seen from the internet should not need to be mentioned, but…
Happy New Year! Especially if you are part of the back-to-work shift on the support desk!

Steve Jump, January 2024
Entrepreneurial Leader & Cybersecurity Strategist
10 months ago: The article encourages readers to reconsider their approach to password security and embrace more advanced and secure authentication measures.
CyberArk Technical Evangelist, Whitehat Hacker, Transhuman
10 months ago: Good read
Non-exec director | Multi-award-winning IT GRC Senior Manager | Influential Woman in Tech | Wired4Women Trailblazer Finalist | Cybersecurity enthusiast | EDTX | Chartered CIO | Speaker | Mentor | C|CISO | CISA | CDPSE
10 months ago: This made me laugh so hard. I love your writing (and speaking) style. A very cool way of educating people on passkeys.