CESG and CPNI put passwords back in the spotlight. Have they got it right?

On the 8th September CESG and CPNI published their advice for simplifying how passwords and password management is handled.

The full PDF can be found here, and the executive summary can be found here.

After a review of the seven tips I think that some of them make sense, some less so, here’s why.

1. Change all default passwords

This one is nice and simple, and there’s no arguing with it, there’s no reason or excuse to maintain out of the box default credentials.

2. Help users cope with password overload

This tip is nice because it raises the issue of multiple passwords and password re-use. It recommends using centralised password management, which is good, but it says that regularly changing passwords is a bad idea. We’re not 100% sure on that point, as it gives a measured window on how long compromised credentials can be used.

It also says to allow individuals to use password managers which I’ve been a fan of since the year dot. There are plenty of choices here from Dashlane, LastPass, KeePass etc. They can create and store rafts of complex passwords without the need to remember each one. It’s a good idea to keep personal and business passwords in separate vaults as this reinforces the segregation of the two and prevents re-use.

Although this tip mentions password re-use it doesn’t go into much detail about the implications. Remember the TESCO clubcard incident in February last year where over 2,000 accounts were compromised? That was enabled purely by customers re-using the same credentials elsewhere with services and sites that had been compromised. If they hadn’t re-used passwords that attack could not have happened.

The Uber attack in March this year where accounts were compromised and being sold for $1 a piece was possible because of an Amazon breach. BUT the attackers found that many people with Amazon accounts used the same credentials for Uber, giving them full access.

This tip also says that password resetting should be “easy” without giving any advice on securing password reset schemes.

Do not share or re-use passwords. That’s simply sound advice.

3. Understand the limitations of user-generated passwords

This is an interesting point. When users get to choose passwords for themselves they are usually weak and/or easily guessable. The advice here is to resist automated guessing attacks with account lockouts, and throttling failed attempts. Compared with enforcing complex passwords this can been seen as a move away from conventional wisdom, although they counter that by recommending the blacklisting of weak passwords and user awareness/training.

I have very mixed feelings about this. A complex password is a set thing, whereas training and what defines a weak password are hugely subjective and vary in quality.

4. Understand the limitations of machine generated passwords

This one seems like a redundant tip. If you’re sensible and use a password manager that can generate long, complex passwords for you to use then what is the issue?

Also, they’re only looking at password brute forcing in terms of guessing from the service, but there’s nothing about cracking the hashes (which is where CVC schemes and correcthorsebatterystaple are weak).

5. Prioritise administrator and remote user accounts

This is a no-brainer and completely on the money.

6. Use account lockout and protective monitoring

Again, this is a wise tip. Use throttling and account lockout, Allow 10 login attempts before locking out, monitor brute forcing, blacklist passwords.

I do need to introduce a word of caution about aggressive lock-out though. This can be abused to create a DoS attack by deliberate lockout, particularly for internet-facing systems.

The key here is rate-limiting. Simply slowing down a brute force attack enough will make it ineffective. Hence, a time out (3 strikes, lock out for say 5 minutes, then auto unlock) may be wiser.

However, think carefully about the system you’re protecting. What’s an appropriate policy? If it’s an e-commerce site, you’ll deter customers from buying if you have an aggressive lockout. However you should be much more cautious about high privilege remote access to your corporate domain!

7. Don’t store passwords as plain text

This starts out well, I mean who in their right mind would store plain text passwords? However this tip doesn’t go far enough. Yes, hashing and salting is good practice and they suggest crypto in the form of SHA256, but why not just go straight to scrypt or the arguably stronger bcrypt?

Two factor authentication gets a mention in tip 5 regarding remote users, but it could just as well be mentioned here too. Even if you have a (bad) situation where passwords are being stored in plain text, or users have chosen weak passwords etc. 2FA would dramatically reduce the chance of a password compromise, unless the attacker already has your mobile phone, but by then it’d be game over already, right?