Security Culture

The ideas, customs, and social behavior of a particular people or society
that allow them to be free from danger or threats.

Password re-use reflections from Passwordscon 2018

Daniel Andersson

Information Security Advisor and Consultant at CAPSAB
Daniel is a senior security manager in the banking and card industry; he has worked with PCI DSS since 2005 and has broad experience implementing PCI DSS.

Daniel also has an IT engineering background working with a broad selection of platforms and communication equipment.

Daniel is an ISACA Certified Information Security Manager (CISM), a PCI Professional (PCIP) and a certified Security Culture Practitioner.

After two days at Passwordscon 2018 at Internetdagarna here in Stockholm, one of the main takeaways was the big problem of password re-use: a user has the same password on multiple accounts.

As an organisation it is not possible to control whether an employee uses his “corporate” password elsewhere, so a control mechanism would not be feasible to put in place. From a technical viewpoint the work of Moritz Horsch, as presented at Passwordscon 2018, could be used. Mr Horsch has analysed 185 696 services and their password policies and concluded that many services have a technical constraint on the maximum number of characters in a password. Using this, a password policy could demand a length that exceeds that maximum, so users would be unable to re-use their corporate password on those services. That would probably not raise the security level, as users would have a hard time remembering such passwords, and security issues would follow from that. Another problem is that not all systems support extremely long passwords, as pointed out by representatives from Sykehuspartner in their talk on day two of Passwordscon 2018.

So, what can be done to address this problem? The obvious answer is to change the culture of the users, to make them understand the value of not re-using their passwords.

This could be a specific topic within your security culture program or be tied into a more generic password/authentication topic. Either way it would need to address a couple of areas, some of which are:

  • Why does a secure company account become insecure if my private account is leaked, and what harm can this cause the business?
  • How can my private password be stolen?
    • Explanation of password phishing attacks
    • Explanation of attacks on password databases
    • Explanation of password guessing: brute-force attacks against sites with limited or no control over the number of failed attempts
  • Why is it secure to have the same password for all corporate accounts (only if a shared authentication service with central password control is used)?
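The two technical points in the list above, a leaked private password being re-used for a corporate account and guessing attacks against systems that do not limit failed attempts, both have a control that can sit beside the awareness work. The following is an added example written for this page, not code from the author or from CAPSAB: a password check that rejects candidates below the company minimum length, above the longest length the weakest connected system accepts, or present in a set of passwords known from leaks, plus a failed-attempt limiter that locks an account after a number of consecutive failures. The policy numbers and the leaked-password sample are constructed for illustration.

```python
"""Password-policy check and failed-attempt limiter (illustrative example)."""
import hashlib
import time
from collections import defaultdict
from typing import List

# Constructed sample of passwords seen in leaked databases. A real deployment
# would compare against a large breach corpus, by hash rather than plaintext.
KNOWN_LEAKED = {"Summer2018!", "Password123", "qwerty12345"}
KNOWN_LEAKED_HASHES = {hashlib.sha1(p.encode("utf-8")).hexdigest() for p in KNOWN_LEAKED}

# Hypothetical company policy values (assumed, not from any real policy).
POLICY_MIN_LENGTH = 14   # minimum length the company policy demands
SYSTEM_MAX_LENGTH = 64   # longest password the weakest connected system can store


def check_password(candidate: str) -> List[str]:
    """Return the list of policy problems for a candidate password; empty means acceptable."""
    problems = []
    if len(candidate) < POLICY_MIN_LENGTH:
        problems.append(f"shorter than {POLICY_MIN_LENGTH} characters")
    if len(candidate) > SYSTEM_MAX_LENGTH:
        problems.append(
            f"longer than {SYSTEM_MAX_LENGTH} characters, which some connected systems cannot store"
        )
    digest = hashlib.sha1(candidate.encode("utf-8")).hexdigest()
    if digest in KNOWN_LEAKED_HASHES:
        problems.append("appears in a known leaked-password set")
    return problems


class FailedAttemptLimiter:
    """Lock an account for lockout_seconds after max_failures consecutive failed logins.

    The clock is injectable so the behaviour can be tested without waiting.
    """

    def __init__(self, max_failures: int = 5, lockout_seconds: int = 900, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures = defaultdict(int)   # account -> consecutive failures
        self._locked_until = {}             # account -> clock value when lockout ends

    def is_locked(self, account: str) -> bool:
        """True while the account is inside its lockout window; expired lockouts are cleared."""
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            del self._locked_until[account]
            self._failures[account] = 0
            return False
        return True

    def record_failure(self, account: str) -> bool:
        """Register a failed login; return True if the account is (now) locked."""
        if self.is_locked(account):
            return True
        self._failures[account] += 1
        if self._failures[account] >= self.max_failures:
            self._locked_until[account] = self.clock() + self.lockout_seconds
            return True
        return False

    def record_success(self, account: str) -> None:
        """A successful login resets the failure counter and any lockout."""
        self._failures[account] = 0
        self._locked_until.pop(account, None)


if __name__ == "__main__":
    for pw in ("Summer2018!", "correct horse battery staple"):
        print(repr(pw), "->", check_password(pw) or "acceptable")
    limiter = FailedAttemptLimiter(max_failures=3, lockout_seconds=60)
    for attempt in range(4):
        print("failed attempt", attempt + 1, "locked:", limiter.record_failure("alice"))
```

The check deliberately reports every problem rather than stopping at the first, so the user gets the whole picture in one message; the limiter counts consecutive failures per account and resets on success, which is the control the brute-force bullet above says many sites lack.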

It is also important that employees feel they have control over the password-changing process, so the program should also include practical examples of how a secure password can be constructed, with a focus on the company password policy and in the knowledge that people are not made for remembering passwords!