In anticipation of passwordless, what’s the next best thing?

Passwordless authentication is the future, no doubt about it. It increases security, retires the concept of phishing and provides an excellent customer experience. No more remembering complex passwords, no more typos, no more frustration when your account gets locked out after three failed attempts.

While we are waiting for passwordless to be implemented widely, what’s the best approach?

Sadly, I didn’t manage to come up with anything new, but I started to observe the world around me: the customers, their battles, various breaches documented publicly and, lastly, myself as an example of a user.

Start using a Password Vault

Keep your passwords safe by using a protected password vault. The vault stores usernames and passwords for multiple applications in a secure location and in an encrypted format.

All you need to do is create and remember one master password that unlocks the vault. I’d rather call this type of password a pass-phrase, as it really needs to be particularly strong. There are methods of making complex pass-phrases easy to remember, for as long as you need one (or a few), not many. Let’s look at one of them. It’s really easy to remember a sentence: ‘I was born on the 5th of November 1975 in London.’ Anyone can memorise this using their own data in seconds. The first letters (and then some) of that sentence give <Iwbot5thoN1975iL.> Load it into this tool and you will realise it will take, hmm… infinity to crack. Well, we can argue about a distributed brute force attack using arrays of compute, but the bottom line is that it’s not practical. Quantum computers will change that, but for now we’re safe. If you’re interested in learning how to create a strong password, or better still a pass-phrase, google it; there are plenty of tutorials available online.

Do I still need to create passwords myself?

Not anymore. You have created your master password, which is strong: long (but not necessarily complex) and pseudo-random (remember, there’s always some logic to it). You open your vault with it, so you don’t really need to care about what’s inside the vault anymore. The vault software (in most use cases) will paste your username and password into the browser, which kind of gives you this passwordless experience; after all, you don’t need to type it in anymore. In fact, you don’t even need to remember it. The vault will generate random passwords for your sites (a banking website or an online shop) with the complexity criteria you desire, and from now on your passwords look like some sort of ciphers.

Modern browser-based solutions automate this process for you: they detect username, password and secret fields and prompt you to generate a new password or add an existing one to the vault.

Increase your Password Strength

You have probably heard the terms password entropy and strength. The National Cyber Security Centre (NCSC) recommends long rather than complex passwords. An 8-character password containing lower and upper case letters, numbers and special characters is nowhere near as strong as a 16-character all-lowercase secret. That’s just maths, and the difference is quite radical. This approach, combined with Multi-Factor Authentication, is hard to crack. But if you use a password vault, this burden is taken off your shoulders. After all, you only need to remember one password (pass-phrase) for the vault. Your sites’ passwords are complex and beyond the perception capability of most of us.
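The "that's just maths" claim above, worked through as an added example (not code from the original post): entropy of the two passwords the paragraph compares, assuming uniformly random choice from a 26-letter alphabet versus the 95 printable ASCII characters, and an assumed offline guess rate of 10 billion per second. Abbreviated pass-phrases like the one earlier on the page are not uniformly random, so this model overstates their strength.

```python
import math

# Alphabet sizes assumed for the comparison (constructed for this example):
LOWERCASE = 26                        # a-z only
FULL_KEYBOARD = 26 + 26 + 10 + 33     # lower, upper, digits, printable symbols = 95
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(length: int, alphabet: int) -> float:
    """Bits of entropy for a uniformly random password of `length` symbols."""
    return length * math.log2(alphabet)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the assumed guess rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def compare(rate: float = 1e10) -> dict:
    """The page's two cases side by side; `rate` is an assumed cracking speed."""
    short_complex = entropy_bits(8, FULL_KEYBOARD)
    long_simple = entropy_bits(16, LOWERCASE)
    return {
        "8_chars_full_keyboard_bits": round(short_complex, 1),
        "16_chars_lowercase_bits": round(long_simple, 1),
        # how many times more candidates the long, simple password has
        "long_simple_is_harder_by": 2 ** (long_simple - short_complex),
        "years_short_complex": years_to_exhaust(short_complex, rate),
        "years_long_simple": years_to_exhaust(long_simple, rate),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value:,.1f}")
```

Length wins by a factor of several million candidates; adding one more lowercase character multiplies the work by 26 again, which is why the NCSC advice favours length.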

Is it safe in the wild west of public cloud infrastructure?

Well, it depends on the solution, but in general it’s a resounding yes. Most of us have heard about the Zero Trust model; enter the Zero Knowledge model. Zero knowledge means that the information is encrypted on the client side, in our case on our laptops, desktops, mobiles or tablets. Through a clever combination of symmetric and asymmetric encryption, it can only be decrypted by ourselves, by entering the master password. Remember, it’s encrypted and decrypted locally: your encryption keys never leave your device. If you forget your master password, well… you are in trouble; even the vendor won’t be able to help.

What’s the worst that can happen if the vendor suffers a breach? A bunch of meaningless encrypted data leaks to the Internet, so really, nothing worth losing sleep over, as long as your master pass-phrase is strong enough to resist offline guessing. With a strong pass-phrase, nothing happens.

The benefit of using the cloud to store your data is that the vendor will have a backup and DR strategy, so the availability and durability of your data are extremely high, way beyond what you can technically achieve at home in a cost-effective manner.

You also benefit from being notified if a password has leaked in the past. For example, if you choose an old secret that has already leaked, the vault software should let you know and advise against it. Don’t worry, that check doesn’t mean you need to send the password in clear text to the server side; there are ways to do it in line with the zero knowledge concept.
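One of those ways, the range query used by breach-check services, as an added illustration (not code from the original post or any vendor): the client hashes the password locally and sends only the first five hex characters of the hash; the server returns every leaked hash suffix sharing that prefix and the comparison happens on the device. The breach corpus and counts here are constructed for the example.

```python
import hashlib

# Constructed stand-in for a leak-check service's database: plaintexts seen in breaches
# and how often. The real service stores only the SHA-1 hashes, indexed by prefix.
CONSTRUCTED_LEAKS = {"password": 12345, "letmein": 678, "qwerty123": 42}


def sha1_prefix_suffix(password: str) -> tuple:
    """Split the upper-case hex SHA-1 into the 5-char prefix sent and the suffix kept."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def build_index(leaks: dict) -> dict:
    """Server side: group leaked hashes as 'SUFFIX:COUNT' lines under their prefix."""
    index = {}
    for plaintext, count in leaks.items():
        prefix, suffix = sha1_prefix_suffix(plaintext)
        index.setdefault(prefix, []).append(f"{suffix}:{count}")
    return index


SERVER_INDEX = build_index(CONSTRUCTED_LEAKS)


def fetch_range(prefix: str) -> str:
    """Stand-in for the HTTPS call: the server only ever learns these five characters,
    which match roughly 1 in a million hashes, so it cannot tell which one is ours."""
    return "\r\n".join(SERVER_INDEX.get(prefix.upper(), []))


def times_seen_in_breaches(password: str, fetch=fetch_range) -> int:
    """Client side: hash locally, send the prefix, match the suffix locally."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in fetch(prefix).splitlines():
        if not line.strip():
            continue
        candidate, count = line.split(":", 1)
        if candidate == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ("password", "Iwbot5thoN1975iL."):
        print(pw, "->", times_seen_in_breaches(pw), "breach sightings")
```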

Another advantage of cloud-based vault software is around phishing. Most if not all cloud vaults use the URL to catalogue the passwords. If you click on a malicious link that takes you to a copy of a genuine website, your credentials won’t be automatically populated into the login form. That’s a red flag which should prompt careful consideration of whether to proceed or not.
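Why the URL catalogue catches a look-alike site, shown as an added example (not any product's code): the vault fills only when the page's exact HTTPS hostname matches a stored entry, so URLs that merely contain the genuine name, swap a character, or hide the real host behind an `@` get nothing. The vault contents and domains are constructed; the exact-host rule is an assumption (some products also accept subdomains).

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed vault: entries catalogued by the site's exact hostname.
VAULT = {
    "bank.example.com": {"username": "alice", "password": "<generated>"},
    "shop.example.org": {"username": "alice@example.com", "password": "<generated>"},
}


def autofill_host(url: str) -> Optional[str]:
    """Hostname the vault keys on, or None if this page must never be filled."""
    parts = urlsplit(url)
    if parts.scheme != "https":          # no credentials into a plain-HTTP page
        return None
    return parts.hostname.lower() if parts.hostname else None


def entry_for(url: str) -> Optional[dict]:
    """Exact-host lookup: no substring, prefix or 'contains the brand' matching."""
    host = autofill_host(url)
    return VAULT.get(host) if host else None


def explain(url: str) -> str:
    """Human-readable verdict for the red-flag moment described in the post."""
    if entry_for(url):
        return f"fill: {autofill_host(url)} is a catalogued site"
    host = autofill_host(url) or "(not https or no host)"
    return f"no fill: {host} is not in the vault, treat the page as suspect"


if __name__ == "__main__":
    for candidate in (
        "https://bank.example.com/login",              # genuine
        "https://bank.example.com.evil.test/login",    # real name as a subdomain
        "https://bank-example.com/login",              # character swap
        "https://bank.example.com@evil.test/login",    # userinfo trick, host is evil.test
        "http://bank.example.com/login",               # right host, insecure scheme
    ):
        print(explain(candidate))
```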

Is vault in cloud expensive?

It isn’t. You can find free versions, but if you want bells and whistles, such as support for multiple types of devices (laptop and mobile or tablet), you are looking at £3-£6 a month for the whole family.

What other types of password vaults are there?

Browser-based, in the form of plugins. The data is stored locally on your laptop or mobile/tablet, but it’s still encrypted using the same principles I described above.

Application-based, installed on your computer. They’re typically what I call off-line password vaults: you need to open the application and copy/paste into the browser, as there’s no automation unless a plugin is available.

Back-up your local password vaults

If you use a local solution, you need to back up your vault and store the backup on durable media (that’s another thing we normally don’t do…). And if you forget your master password, you might as well go and start the password recovery procedure with each system you stored credentials for (long live SSO!).

What should I look for when I choose the solution?

In my personal opinion, remote solutions (which are mostly cloud based) are the most flexible. You don’t need to carry anything to get access to your key store. Choose a solution that implements the ‘Zero Knowledge’ concept, though. Cloud and zero knowledge have to go hand in hand. If MFA is offered to get into the vault, use it.

What should I do from the perspective of protecting my business?

There are a few things you can do to improve the security posture of your business and actually add value to it, apart from the obvious one of deploying an SSO solution. At the very least, you can influence your employees to use random, machine-generated passwords and password vault software. Do your homework and recommend a solution to take the guessing burden off your users. At best, you will enforce it via security governance: a policy, a standard and a procedure. You would choose a solution and add it to the standard suite of applications that your users are allowed to use. In any case, educate your users and make the training relevant, use interesting examples, make security fun!

An additional cost of a few pounds a month per employee is not going to ruin the revenue, but it will potentially allow you to go through the transition period stronger until we get passwordless authentication mechanisms everywhere. Not to mention a nice perk for the employees themselves, who from now on will have a secure platform to store their personal credentials and credit card data online.

To protect enterprise or administrator passwords, investment in a comprehensive Privileged Access Management (PAM) solution is essential. PAM solutions are much more than a password vault, offering, among other things, automated password rotation without downtime.