Passwords14: The Dust Has Settled – What Did We Learn?

By Shiri Licht

Passwords14 is in the rearview mirror, yet the debate over how we handle passwords rages on. Should we accept weak passwords for trivial use? What action do we take in light of 1.2 billion passwords being stolen by a crime syndicate? How do businesses handle sensitive, privileged account credentials? As our research has shown, privilege-based breaches are now a major influence on larger security strategies.

An interesting approach to the password problem was presented during Passwords14 – the “Pavlovian password management” system. The idea is to give users incentives to choose stronger passwords, creating a habit that will hopefully last over time.

The core issue tackled in the presentation is the tendency of people to use easy-to-remember passwords that they can rely on for an extended period of time. The belief that daily life, personal and professional, simply requires too many passwords to get by without a scheme puts both personal and business data at risk.

The basic tenet of the Pavlovian method is that the user gets rewarded for good behavior, which is the choice of an effective password. There are a couple of factors at play in what’s considered ‘effective’, including character choice, length, change schedule, etc. Further, these attributes are related. If a password is less complex, the change interval will be shorter. Conversely, as a password gets more complex, the user will need to replace it less frequently. While this is a good start for personal accounts, it is not enough for business use.

Users will be able to game the system. The user will want to get the highest score by creating the strongest password and will be rewarded with less frequent requests to replace complex passwords. Yes, this method will (hopefully) lead to the creation of more complex passwords; however, it will exacerbate the memory problem. Password template use will very likely increase as a means of remembering these new, longer versions. Or users will write them down. For the same reason, there is also the danger of password reuse across multiple accounts.
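To make the incentive scheme and the gaming concern above concrete, here is an added toy model (not code from the talk or from this post): a naive character-class strength estimate drives the change interval, and a simple pattern check shows how a templated password like a capitalised word plus a year scores almost as well as a random one. The entropy formula, the interval tiers and the template regex are all constructed for illustration.

```python
import math
import re
import string

def naive_entropy_bits(password: str) -> float:
    """Strength estimate: length * log2(size of the character classes used).
    This is the kind of scoring a reward scheme tends to use; it measures
    character variety, not predictability."""
    pool = 0
    if any(c in string.ascii_lowercase for c in password):
        pool += 26
    if any(c in string.ascii_uppercase for c in password):
        pool += 26
    if any(c in string.digits for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)  # 32 symbols
    return len(password) * math.log2(pool) if pool else 0.0

def rotation_interval_days(bits: float) -> int:
    """The 'reward': more estimated entropy -> longer change interval.
    Tier boundaries are constructed for this example."""
    if bits < 40:
        return 30
    if bits < 60:
        return 90
    if bits < 80:
        return 180
    return 365

# Constructed pattern for the template habit the post warns about:
# capitalised word, a run of digits (often a year), optional trailing symbol.
TEMPLATE = re.compile(r"^[A-Z][a-z]{3,}\d{2,4}[!@#$%]?$")

def looks_templated(password: str) -> bool:
    return TEMPLATE.match(password) is not None

def score(password: str) -> dict:
    """Combine the reward the scheme would grant with a template warning."""
    bits = naive_entropy_bits(password)
    return {
        "bits": round(bits, 1),
        "interval_days": rotation_interval_days(bits),
        "templated": looks_templated(password),
    }

if __name__ == "__main__":
    # Constructed samples: a weak password, a templated one, a random one.
    for pw in ["monkey12", "Summer2014!", "x7#Qp9!zL2mV4"]:
        print(pw, score(pw))
```

The templated password earns a 180-day interval from the scoring alone, which is why a reward scheme needs a predictability check and not just a class count.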

Organizations need a better solution to protect key passwords – such as those of privileged accounts that control access to their most sensitive assets. An automated password management tool is essential for making privileged account credentials as secure as possible. Once deployed, the complexity and randomness of managed passwords become much higher than if left to individual choice, while the memory problem is eliminated. This also makes it possible to protect the passwords from malware that collects them through key logging, screen capture and other means of interception.