Myth busted: Complex passwords aren't hard for hackers to break

Holes are starting to show in existing password frameworks, especially as cybercriminals are using new tools to crack user credentials.
By Jessica Davis
06:05 AM

There are dozens of frameworks and guidelines when it comes to password protection. Many organizations tell employees to vary characters and capitalization, while other IT teams require staff to update passwords on a set cycle.

In fact, some organizations still keep on file the password guidelines distributed by NIST in 2003.

But here’s the thing: The man who invented the password system, Bill Burr, now 72 years old, told the Wall Street Journal he actually regrets having designed it.

Fortunately, NIST overhauled its password guidelines in June 2017, reversing many of the recommendations Burr made in his initial system. The new framework removed the recommendations for periodic password changes and for complexity requirements, and added a requirement to check that new passwords aren’t compromised or commonly used.
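To make the difference concrete, here is an added example (not from NIST or the original article) that runs the same candidate passwords through a 2003-style complexity rule and a 2017-style check with no composition rules but a blocklist lookup. The blocklist entries are constructed samples, and the 8-character minimum comes from NIST SP 800-63B rather than from this article.

```python
import re
import unicodedata

# Constructed sample blocklist; a real deployment would load a large corpus
# of breached and commonly used passwords instead of four entries.
SAMPLE_BLOCKLIST = {"password", "P@ssw0rd1!", "Summer2017!", "qwerty123"}

MIN_LENGTH = 8  # assumption: minimum length from NIST SP 800-63B, not stated in the article


def normalize(password: str) -> str:
    """Apply Unicode NFKC so visually identical inputs compare equal."""
    return unicodedata.normalize("NFKC", password)


BLOCKED = {normalize(p) for p in SAMPLE_BLOCKLIST}


def legacy_policy(password: str) -> bool:
    """2003-style rule: length plus upper, lower, digit and symbol classes."""
    classes = [r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]"]
    return len(password) >= 8 and all(re.search(c, password) for c in classes)


def revised_policy(password: str) -> tuple[bool, str]:
    """2017-style rule: no composition rules, but reject known-bad passwords."""
    candidate = normalize(password)
    if len(candidate) < MIN_LENGTH:
        return False, "too short"
    if candidate in BLOCKED:
        return False, "compromised or commonly used"
    return True, "ok"


def compare(candidates):
    """Return (password, legacy verdict, revised verdict, reason) per candidate."""
    return [(p, legacy_policy(p), *revised_policy(p)) for p in candidates]


if __name__ == "__main__":
    samples = ["P@ssw0rd1!", "Summer2017!", "correct horse battery staple"]
    for row in compare(samples):
        print(row)
```

The first two samples satisfy every complexity rule yet sit on the blocklist, while the long passphrase fails the legacy rule and passes the revised one.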

Taking these updates a step further, it’s important to note that the password system was invented before technology became this advanced.

“Passwords are not a security measure and weren’t designed to be,” said CynergisTek CEO Mac McMillan. “Passwords were about access control measures, to verify a user is authorized to do what their profile is attempting on the network.”

In fact, McMillan said it’s time for passwords to go away, as even “16-character passwords can be cracked by hackers in less than an hour.”

Not only that, but hackers can easily compromise user identifications. McMillan said that if you look at past breaches over the last few years, hackers exploited the network by simply getting a hold of a user password or elevated privileges to do significant damage. Hackers were able to do that by just using passwords.

“I’ve seen incredibly sophisticated passwords broken by hackers using out-of-the-box software,” ICIT Senior Fellow James Scott said. “The password is not enough nowadays.”

Instead, organizations should be leveraging identity management solutions, which Scott said are akin to a more evolved form of usernames and passwords. The system ensures that the right people are accessing the right part of the system, based on credentials.

There are many versions of the automated system, which initiates, captures and manages user identities and related permissions. For example, some organizations provide employees with a physical smart card in combination with a token.

Identity management should also contain a centralized directory of these permissions, which should be updated immediately after a user is no longer employed with the company.

“If you really want to protect your assets, use multiple factor identification,” said McMillan. “And let’s get rid of elevated privileges and passwords altogether.”

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com