Why complex passwords alone are not enough

Use at least 8 characters. Use a combination of uppercase and lowercase letters, numbers, and special characters. Don’t use any personal information like names or birth dates. Don’t use words that can be found in a dictionary (even when replacing letters with other characters—like using “p@ssw0rd” instead of “password”). Use a passphrase rather than a password. The list of common wisdom around creating complex, secure passwords goes on, but even the most complex password isn’t good enough by itself.

Realistically, nobody would ever guess a password like “H3uif6YcKLss8$bNw!39zP7&d”, and it would take a considerable amount of time even with a very powerful computer to crack a password like that. So, why isn’t a complex password good enough?

A complex password by itself is no longer good enough because there are too many attacks that capture keystrokes, or monitor network traffic to intercept sensitive data. In other words, even the most complex password in the world will offer absolutely no protection if an attacker obtains it through some other exploit. When that happens, you’re going to wish you had a second authentication factor in place to prevent unauthorized access.

For example, Dana Tamir, director of enterprise security for IBM, recently wrote a blog post about a variant of the Citadel Trojan designed to specifically target password management utilities to compromise complex passwords. Tamir explains, “With many users still trying to use the same passwords over and over, and others struggling to remember their newly created complex ones, a password manager becomes a smart and responsible solution for users—and attackers have taken notice.”

A complex password won’t do you any good if it also keeps you out of your own accounts because you can’t remember it. Password managers are often suggested by security experts as a means of relying on more complex passwords without forgetting them. The complex passwords are stored “securely” in the password manager utility, and all you have to do is remember the credentials to log into the password manager. One you’re logged in, the password manager does the rest by providing—and generally automatically entering—passwords as they are needed.

Seems reasonable, except for two glaring problems. One, the password to your password manager becomes a single point of failure. If you forget it, you’re locked out of everything. If it falls into the wrong hands, the person will have access to all of your passwords in one fell swoop. Then there’s the issue Tamir wrote about—what if attackers use the Citadel Trojan to steal your master password and gain access to your password manager tool?

Tamir warns, “It is important to note that Citadel is highly evasive and can bypass most threat detection security systems. It can stay idle on a user’s machine for weeks, months and even years until it is triggered by a user action. This means that many users and organizations do not know that their machines are already infected, and the existing infection can be quickly turned against them.”

IBM Trusteer examined the new Citadel variant, and found processes specifically designed to go after popular password manager tool credentials. IBM has not drawn any conclusions regarding who is behind the attacks, or whether there is a specific target or goal in mind, but it is concerning if you’ve gone through the hassle of creating complex passwords only to have them compromised by malware that goes after your password management system.

What is the solution? Multi-factor authentication. You should use complex passwords because it’s still important to ensure that nobody can easily guess or crack them. However, you shouldn’t rely solely on complex passwords because they can be intercepted or compromised. If you also require a fingerprint scan, or facial recognition, or a one-time code generated on a smartphone, then even if an attacker obtains the password he or she will still be unable to access your accounts or data.

This post was brought to you by IBM for Midsize Business and opinions are my own. To read more on this topic, visit IBM’s Midsize Insider. Dedicated to providing businesses with expertise, solutions and tools that are specific to small and midsized companies, the Midsize Business program provides businesses with the materials and knowledge they need to become engines of a smarter planet.

Tony Bradley: I have a passion for technology and gadgets--with a focus on Microsoft and security--and a desire to help others understand how technology can affect or improve their lives. I also love spending time with my wife, 7 kids, 4 dogs, 7 cats, a pot-bellied pig, and sulcata tortoise, and I like to think I enjoy reading and golf even though I never find time for either. You can contact me directly at tony@xpective.net. For more from me, you can follow me on Threads, Facebook, Instagram and LinkedIn.
Related Post