The U.S. Government Suddenly Gets Serious About ‘Dangerous’ Passwords
Many years ago, I declared war on passwords or at least engaged in an ongoing information campaign against poor password hygiene. This comes as no surprise to anyone who regularly reads my articles, of course. However, what surprised me was discovering that I finally have an ally in the U.S. Government, which has suddenly taken dangerous password practices very seriously indeed.
It’s been a long time in coming. Still, the Cybersecurity and Infrastructure Security Agency (CISA), which is under Department of Homeland Security oversight, has warned businesses that relying upon passwords alone can be “exceptionally risky” and advised this should be “avoided by all organizations.”
Single-factor authentication goes on the government naughty step
On August 30, CISA added the use of single-factor authentication to the official bad practices list. Using such authentication alone, a username and password, in other words, is bad for all businesses, CISA says, but particularly so for those systems that support critical infrastructure operations. The agency warns that doing so “is dangerous and significantly elevates risk to national security, national economic security, and national public health and safety.”
What is even more surprising is that it’s taken until now for such a dangerous security practice to get added to that list is, and I hope you are sitting down; it only joins two other entries. Look, I appreciate that CISA admits the naughty step list “does not include every possible inadvisable cybersecurity practice,” but just three entries?
The other two, for your information, are not to use end-of-life or unsupported software and the avoidance of known, fixed or default passwords. All three entries are stated to be “especially egregious” if done so with tech that’s internet accessible.
Multi-factor authentication for all the things
What is good practice, no matter what kind of organization you are, and applies equally to individuals, is to multi-factor authenticate all the things.
Multi-factor authentication (MFA) is, as the name suggests, the use of a mixture of different authentication methodologies from different categories. It used to be the case that there were three generally accepted factor categories: knowledge (what you know), possession (what you have) and inherence (what you are). But two additional factors can now be added in the shape of location (where you are) and behavior (what you do).
Let’s take two-factor authentication (2FA) as an example, as most people probably best understand this. This is usually applied using the knowledge factor through a username and password, supplemented with a secondary possession factor such as a hardware key, smartcard or one-time code delivered by an app. The latter is interesting because this can also offer a third factor for valid multi-factor authentication in a ‘buy one get one free’ way. If the app that delivers the one-time code needed to authenticate the user login is on a smartphone, specifically a smartphone requiring facial or fingerprint recognition to access the app itself, then inherence is also present.
What difference can multi-factoring all the things make, you may well be wondering? CISA cites research from Google that suggests quite a lot, actually. That research showed that just by adding another authentication factor, in this case, a recovery phone number to a Google Account, a staggering number of attacks could be blocked. Google said up to 100% of automated bot attacks were prevented, 99% of bulk phishing attacks and even 66% of ‘targeted attacks’ against account holders.
Are password managers now passe?
I reached out to someone who knows a fair bit about the role of passwords and authentication management when it comes to good security practice, Adam Caudill. With 20 years of experience in security and research, focusing on application security and secure communications, Caudill is currently the director of security at 1Password. As you would expect, he agrees that using MFA everywhere it’s supported is one of the most accessible and impactful security investments you can make. “It’s low friction for you,” he says, “and makes the job of an attacker much harder.” Indeed, of all the end-user security improvements he has seen, Caudill told me, “MFA has the best return on a remarkably low investment, both in terms of time and money.”
So, does this mean that password managers such as 1Password are, well, passe? “On the contrary,” Caudill insists, multi-factor authentication “shows the value of full-featured password managers, as they make it simple to use MFA and sync between devices, so it’s easy to log in from any device.”
I agree, and there’s also a point to be made that, as authentication becomes arguably more complex, then password managers have an even more significant productivity impact. “It’s important to understand that a password manager has more than one role in a user’s life,” Caudill concludes, “it not only keeps them safer, but it helps them be more productive and avoid downtime.”