An organization’s Password Policy can make life difficult for the employees who are required to follow it.
Let’s say the password policy is this:
- Password Length – at least 8 characters
- Password Complexity – must be alphanumeric with symbols and a capital letter
- Account Lockout – 3 failed attempts
- Min. Password Age – 5 days
- Max. Password Age – 30 days
- Password History – 5 passwords
In other words, the password must be at least 8 characters long and composed of a mix of letters, digits and symbols, including a capital letter. You have to change it every 30 days, and you cannot reuse any of the last 5 passwords. Some organizations even prohibit dictionary words, even when the word is only a portion of the password.
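To make the policy concrete, here is an added example (my own code, not from the original post) that enforces the rules above on a password change: the complexity check, the "last 5 passwords" history, the minimum age, and the maximum-age expiry. The symbol set, the PBKDF2 parameters and the `POLICY` dict layout are my assumptions; the values in it are the ones the policy states. The history is kept as salted hashes rather than plaintext, because a leaked history would otherwise hand over passwords that users tend to reuse elsewhere.

```python
import hashlib
import hmac
import os
from datetime import date

# Policy values as stated in the post; the dict layout is my own.
POLICY = {
    "min_length": 8,
    "history": 5,        # cannot reuse any of the last 5 passwords
    "min_age_days": 5,   # cannot change again within 5 days of the last change
    "max_age_days": 30,  # must be changed every 30 days
}
# Assumed symbol set; substitute whatever your policy counts as a symbol.
SYMBOLS = set("!@#$%^&*()-_=+[]{}:;,.<>?/\\|~`'\"")


def complexity_errors(password):
    """Return the complexity rules the password fails (empty list = passes)."""
    errors = []
    if len(password) < POLICY["min_length"]:
        errors.append("shorter than %d characters" % POLICY["min_length"])
    if not any(c.islower() for c in password):
        errors.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        errors.append("no capital letter")
    if not any(c.isdigit() for c in password):
        errors.append("no digit")
    if not any(c in SYMBOLS for c in password):
        errors.append("no symbol")
    return errors


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256. History entries hold (salt, digest), never
    plaintext, so a leaked history does not reveal old passwords."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def in_history(password, history):
    """True if the password equals any stored (salt, digest) entry (constant-time compare)."""
    return any(
        hmac.compare_digest(hash_password(password, salt)[1], digest)
        for salt, digest in history
    )


def evaluate_change(new_password, history, last_changed, today):
    """Reasons a password change is rejected (empty list = accepted).
    `history` lists (salt, digest) for previous passwords, oldest first and
    including the current one; only the newest POLICY['history'] entries count."""
    reasons = complexity_errors(new_password)
    if in_history(new_password, history[-POLICY["history"]:]):
        reasons.append("matches one of the last %d passwords" % POLICY["history"])
    if (today - last_changed).days < POLICY["min_age_days"]:
        reasons.append("changed less than %d days ago" % POLICY["min_age_days"])
    return reasons


def password_expired(last_changed, today):
    """True once the password is older than the maximum age and must be rotated."""
    return (today - last_changed).days > POLICY["max_age_days"]


if __name__ == "__main__":
    # Constructed sample account: current password set on 1 January.
    history = [hash_password("Winter#2024")]
    print(evaluate_change("Winter#2024", history, date(2024, 1, 1), date(2024, 1, 10)))
    print(evaluate_change("Spring!2024", history, date(2024, 1, 1), date(2024, 1, 10)))
    print(password_expired(date(2024, 1, 1), date(2024, 2, 5)))
```

The minimum age exists precisely to stop the trick the history rule invites: changing the password six times in a row to get back to the old favourite.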
Now, a password policy helps secure accounts because password authentication is considered the weakest form of authentication: passwords can be cracked or guessed. That is why complexity is the key.
However, human limitations make complex passwords more vulnerable than secure. Complex passwords are hard to remember, so users may simply write them on a piece of paper. They may reuse the same password everywhere, from their personal e-mail to their online bank account. Others keep requesting a new password, or click “Forgot Password” every time they log in. Each of these scenarios enlarges the attack surface for a password attack.
In a modern enterprise, Identity and Access Management (IAM) is a sub-team of the Information Security department. The group handles everything about user access, such as passwords, privilege management and Single Sign-On (SSO). Still, relying solely on passwords is no longer as secure as it once was.
Security companies, and even individual departments, have become more creative in authenticating users. Some use biometrics, while others use IP-based authentication or somebody-you-know authentication (the approach Facebook uses). There is no perfect authentication method, but a more secure one is Multifactor Authentication (MFA). This type of authentication combines two or more kinds of authentication factors, such as:
- ID and biometric (something you have and something you are)
- ATM card and PIN (something you have and something you know)
Can we implement two-factor authentication together with a password that meets (or even goes beyond) the required policy?
The answer is to use a password vault. A password vault is an application that stores different passwords for safekeeping. It usually stores the username and the password together with the URL or application where they are used. It also provides a password generator that creates random passwords matching a given requirement. The vault is locked with a generated key or a master password.
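As an added illustration of what a vault's password generator does (my own code, not taken from KeePass, LastPass or the original post), the example below generates passwords from the operating system's cryptographic random source and guarantees that every required character class is present, then reports the size of the search space an attacker would face. The symbol set and the 16-character default are my assumptions.

```python
import math
import secrets
import string

# Assumed symbol set; use whatever characters the target site accepts.
SYMBOLS = "!@#$%^&*()-_=+[]{}:;,.?"
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS)


def generate_password(length=16):
    """Generate a password with the OS CSPRNG (`secrets`, never `random`, whose
    Mersenne Twister output is predictable) that is guaranteed to contain a
    lowercase letter, a capital letter, a digit and a symbol."""
    if length < 8:
        raise ValueError("policy minimum is 8 characters")
    alphabet = "".join(CLASSES)
    # One pick per required class, the rest from the whole alphabet, then a
    # CSPRNG shuffle so the guaranteed characters sit at unpredictable positions.
    chars = [secrets.choice(cls) for cls in CLASSES]
    chars += [secrets.choice(alphabet) for _ in range(length - len(CLASSES))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def meets_policy(password):
    """Length 8+ and at least one character from every class in CLASSES."""
    return len(password) >= 8 and all(any(c in cls for c in password) for cls in CLASSES)


def alphabet_size():
    """Number of distinct characters the generator can draw from."""
    return len("".join(CLASSES))


def entropy_bits(length, size):
    """Upper bound on guessing effort: log2 of the number of equally likely strings
    of the given length over an alphabet of `size` characters."""
    return length * math.log2(size)


if __name__ == "__main__":
    for _ in range(3):
        pw = generate_password(16)
        print(pw, meets_policy(pw))
    print("%.1f bits of search space" % entropy_bits(16, alphabet_size()))
```

Sixteen random characters from this 85-character alphabet give roughly 102 bits of search space, far beyond what any offline cracking rig can exhaust; a memorable 8-character password from the same alphabet gives about 51, and a dictionary-based one far less.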
I’m going to share two free password vaults that I’ve been using: KeePass (offline) and LastPass (online).
- KeePass (https://keepass.info/)
KeePass is a stand-alone application in which you store your passwords for various accounts. You add entries manually by providing a Title, User Name, Password, URL and Notes. There is also a Password Generator that produces random characters fitting the password requirements.
Advantages:
- Free and lightweight
- Organized and simple
- More secure
Disadvantages:
- Limited to your own implementation
- Poor mobility
- It is static; you need to update the entries manually
- No recovery of the master password
- LastPass (https://www.lastpass.com/)
Similar to KeePass, LastPass is another password vault. The main difference is that LastPass is a web browser add-on. It works once you install the add-on and sign up with your e-mail account; that e-mail address is your login credential to the password vault. You can add entries manually, or LastPass can add them automatically when you log in to a website. It can also fill in the credentials automatically when it detects the login page of a recorded website. All password updates are reflected in the database automatically. It also has a “Generate Password” feature similar to KeePass. Most important of all, you can enable MFA on LastPass.
Advantages:
- Flexible and user-friendly application
- Multi-factor authentication (MFA) can be enabled to complement LastPass security
- A lost master password can be recovered
- Can save user credentials automatically
Disadvantages:
- Wider attack surface, since the vault can be loaded anywhere just by signing in
- Less secure compared to KeePass
- Limited by its dependence on online communication
- Publicly known vulnerabilities in the online service can affect the application’s security
Multi-factor Authentication (MFA)
Buying an RSA token for personal use may not be the most practical way to implement MFA. SMS may be a good solution, but delays in delivering the message can hold up the login. A real-time OTP generator may be the best solution.
There are a lot of OTP authenticator apps available. Check each one to determine which app is compatible with the websites you use.
I’ve been using Google Authenticator and LastPass Authenticator as my OTP generators to complete MFA. Both of these apps support a wide range of applications. For web applications that support MFA, you enable it in the settings and choose Authenticator; usually the default choice is sending the OTP through SMS. Afterwards, the Authenticator scans the web application’s QR code using your smartphone camera to sync, and the account for the application is automatically added to the Authenticator.
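What the QR code actually transfers is a shared secret, and the six-digit codes are a function of that secret and the current time. The added example below (my own code, not from Google, LastPass or the original post) implements the HOTP/TOTP algorithms from RFC 4226 and RFC 6238 that these authenticator apps use, plus the server-side check that tolerates a little clock drift but refuses to accept the same time step twice. The base32 secret in the demo is the RFC test secret, not a real account; the verifier class and its `skew` parameter are my assumptions.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, timestamp, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). This is what the
    authenticator app computes every 30 seconds from the secret in the QR code."""
    return hotp(secret, timestamp // step, digits)


def secret_from_base32(text):
    """The otpauth:// URI in the QR code carries the shared secret as base32, often
    shown without '=' padding and with spaces; restore the padding and decode."""
    cleaned = text.replace(" ", "").strip().upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


class TotpVerifier:
    """Server side (assumed design). Accepts the code for the current step or `skew`
    steps either side to tolerate clock drift, and never accepts a time step twice,
    so a code observed during its 30-second window cannot be replayed."""

    def __init__(self, secret, step=30, digits=6, skew=1):
        self.secret, self.step, self.digits, self.skew = secret, step, digits, skew
        self.last_accepted_counter = -1

    def verify(self, code, now=None):
        now = int(time.time()) if now is None else int(now)
        counter = now // self.step
        for c in range(counter - self.skew, counter + self.skew + 1):
            if c <= self.last_accepted_counter:
                continue  # already used, or older than a used step: replay rejected
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.last_accepted_counter = c
                return True
        return False


if __name__ == "__main__":
    # Constructed demo using the RFC 6238 test secret (ASCII "12345678901234567890").
    secret = secret_from_base32("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
    print("current code:", totp(secret, int(time.time())))
    server = TotpVerifier(secret)
    first = server.verify(totp(secret, 59), now=59)
    replay = server.verify(totp(secret, 59), now=59)
    print("accepted:", first, "replay accepted:", replay)
```

The code is only as secret as the seed: anyone who copies the QR code or the base32 string can compute the same codes, which is why the enrolment screen should be treated like a password and why the server must store the seed with the same care as its password hashes.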
It is important to enable MFA whenever possible to increase the security of your accounts. I also enable MFA on the LastPass password vault to ensure that there are layers of authentication before all of my stored credentials can be accessed.
A password vault is an important and helpful application for handling your accounts. Because of the complexity of password policies and the wide availability of password cracking tools, it is essential to generate complex and random passwords. However, complexity is limited by how much the human brain can handle, and the answer to this dilemma is a password vault. Both offline and online password vaults have their advantages and disadvantages. In my own setup, I use the offline password vault for server management and the online password vault for web applications.
Multi-Factor Authentication (MFA) is now a feature of most of the websites we use. Several authenticator apps can be synced with our web applications to add another layer of security after the password. It is highly encouraged to enable MFA for web apps that handle critical data.