The evolving threat landscape
In the past, the perimeter network was considered the largest attack surface for organisations. Well-configured firewalls used to sufficiently secure a network, and threat actors would spend their time sending empty handshakes to every port in an intelligence gathering process known as enumeration. However, with the rapid evolution of cyber threats, humans have proven themselves to be weakest barrier to entry and Identity and Access Management (IAM) has now become the primary target.
The shift towards remote work and cloud services has further expanded this attack surface, making traditional perimeter defences less effective. In this changing landscape, Identity and Access Management has become the frontline in the battle against cyber threats, with a focus on securing user identities and access to critical systems.
Cybercriminals have quickly adapted, employing advanced techniques such as spear phishing, social engineering, and credential stuffing to breach defences and gain unauthorised access to sensitive information. Modern security frameworks developed to address these issues such as the Zero Trust model, relying on the principles of Just In Time (JIT) and Just Enough Access (JEA), can only do so much to reduce the risk of credential compromise and secure an organisation’s network.
Despite the implementation of sophisticated security measures, the human tendency to create “elephant paths”, take shortcuts and prioritise convenience over security makes people the prime target for cyber-attacks. This inherent flaw in human nature is exploited by attackers who understand that the easiest way to breach a system is often through its users. The reliance on passwords, which are frequently reused across multiple accounts and easily guessed, further exacerbates this issue. As a result, humans remain the weakest link in the security chain, and their own desire for convenience undermines even the most robust security frameworks.
Changing guidelines for authentication and lifecycle management
Previously, NIST Special Publication 800-63-2B Digital Identity Guidelines recommended rotating passwords at least once a year to minimise the risk of exposure from leaked credentials. However, advancements in technology, such as Microsoft Identity Protection, now monitor the deep, dark, and surface webs for leaked credentials, lessening the need for password rotations and facilitating recent changes in guidelines.
NIST’s latest amendments in Special Publication 800-63-3B Authentication and Lifecycle Management Guidelines now recommend against organisations imposing mandatory password rotations unless there is a credible risk of credential leakage. This shift reflects the evolving understanding of password security and the importance of balancing security with user convenience. Continuous monitoring and adaptive authentication methods are now preferred, as they provide real-time protection without the need for frequent password changes.
Passphrases and their protection against common attack methods
Passphrases provide additional protection against common attack methods such as brute-force and dictionary attacks. A dictionary attack involves using a precompiled list of words to guess passwords, often sourced from leaked password databases such as the infamous rockyou.txt containing the plaintext passwords of 32 million users exposed in a data breach from 2009. Due to it’s popularity amongst enthusiasts, professionals and cybercriminals alike, rockyou.txt has been continuously updated to include passwords leaked in all further data breaches, with rockyou2024.txt containing over 10 billion unique passwords. Your password is likely included in this wordlist, check for yourself using haveibeenpwned.com/Passwords to see if your password has ever been leaked in a data breach.
Other brute-force attacks involve wordlists generated on demand by programs such as John The Ripper, using basic information about the target like their name, birthday or company, to instantly generate thousands of variations of possible passwords based off the targets personal information. These types attacks exploit the tendency of users to choose simple, common words as passwords.
Passphrases mitigate this attack method by combining multiple words into a single, longer phrase. The increased length and complexity makes it significantly harder for attackers to guess the passphrase using dictionary attacks and programmatically generated wordlists. For example, a passphrase like “YellowLampBathroomMug” is much more secure than a single word like “P@55w0Rd”, passphrases should also include spaces and special characters, further enhancing their security through introducing more entropy.
The importance of entropy
A key component of password strength is the level of entropy, or randomness, added to the password. Entropy measures the unpredictability of a password and is crucial in password security because it determines how resistant a password is to various attack methods.
Higher entropy means more possible combinations, making it exponentially more difficult for attackers to guess or crack through brute-force methods. Research shows that password length is the primary factor in it’s security, as the concept of password complexity is only complex to humans, while password cracking algorithms experience no difficulty iterating through all possible variations of short passwords. For instance, a password with 20 bits of entropy might be cracked in minutes, while one with 60 bits of entropy could take centuries.
The challenge of managing secure passwords
A single complex password is not enough to secure your identity online. If a website you’ve signed up to manages user data improperly and experiences a data breach similar to the RockYou breach mentioned previously, threat actors will attempt to use your leaked credentials to access every service and website they can think of. A data breach from an insecure and seemingly insignificant website could quickly lead to your personal email account being compromised, from there attackers can systematically compromise all of your significant online accounts such as your banking or personal health information.
While online password managers appear to offer a convenient solution to manage your ever growing list of unique and complex passwords, they only serve to provide the illusion of security rather than truly secure password management. LastPass, the market leader in password management software, has experienced multiple significant data breaches in 2015, 2021 and 2022, highlighting the vulnerabilities of storing passwords online. The challenge lies in balancing security with usability, ensuring that passwords are both strong and memorable, allowing for them to never be stored or written down anywhere. This is where innovative approaches like Password Logic come into play.
What is Password Logic?
Password Logic allows you to create unique and secure passwords on demand without needing to write them down or store them anywhere. By applying your personal algorithm, you can generate a new password each time you log in to a service, ensuring high entropy and security.
Consider the points outlined below and develop a password algorithm for yourself
Use a combination of 3 – 4 words in your passphrase.
One word remains constant across all passwords.
At least two words should vary depending on the service or website. Service-dependent words could be the name of the service or the first letter, the type of service or the colour of the brand.
One of the words is jumbled, meaning its characters are replaced with numbers or symbols that visually resemble the original letters. Jumbled words should also include a random mixture of lowercase and uppercase letters, maybe every second or third alphabetical character could be uppercase in your algorithm.
Special characters should be included at least once in your passphrase. These can either be constant or service-dependent. Place special characters before or after any of the words in your passphrase, but consider that adding additional entropy is key to password strength.
Consider the added security of slightly changing your password algorithm for more significant services. Maybe the first service-dependent word is jumbled in your social media and entertainment passwords, while your passwords for banking and healthcare jumble the second service-dependent word, maybe the special characters and their location in the passphrase is changed for the more significant services.
Using these guidelines you might develop a personal password algorithm that looks similar to the below examples:
- Facebook: Sunshine?50c1@Lbluef!
(Constant word – Special character – Jumbled service type – Brand colour – First letter of brand – Special character) - Facebook: f@C3b00Ksocial!Pineapple?
(Jumbled brand name – Service type – Special character – Constant word – Special character) - Netflix: !entertainmentPikachur3Dn?
(Special character – Service type – Constant word – Jumbled brand colour – First letter of brand – Special character) - Netflix: red?n3TfL1x!Perfume
(Brand colour – Special character – Jumbled brand name – Special character – Constant word)
The goal of implementing a password algorithm is not to make your password completely immune to compromise, but instead aims to remove your password from the wordlists used in brute-force attacks, and to significantly increase the difficulty of compromising other accounts if one of your passwords is leaked in a data breach.
Use haveibeenpwned.com/Passwords before and after developing a password algorithm to determine if Password Logic has helped to keep you safe from the leaked password databases used by attackers.
Conclusions
As cyber threats continue to evolve, so must our approaches to security. Password Logic offers a practical and effective method for managing password complexity, leveraging personal algorithms to create strong, unique passwords that don’t need to be stored anywhere. By understanding and implementing these strategies, individuals and organisations can enhance their security posture, reducing the risk of credential compromise and protecting against the ever-growing array of cyber threats. Embracing innovative solutions like Password Logic is essential in the ongoing battle to secure our digital identities and maintain robust cybersecurity defences.
