Per Thorsheim, 45, has a self-described “insane” interest in passwords. As one of the world’s foremost security consultants focused solely on passwords, Thorsheim is the founder of PasswordsCon, the respected academic conference where international password security experts gather twice per year in Las Vegas and Europe. He spoke with us from his home in Bergen, Norway.
What ignited this enthusiasm and passion you have for password technology?
In 2001 I was working for PwC doing penetration testing on an office of a Fortune 100 company. We gained building access by wearing black suits and saying we were auditors. By 8:30 a.m. we got into the company system via a simple RJ45 Ethernet wall port. We quickly identified a list of all user account names in their entire domain and began trying to gain access to their accounts with two dummy passwords: the company name and ‘password’. One user of the ‘password’ password was a member of domain administration root in their Windows domain. Just like that, we had access to the entire company, a Fortune 100 company no less. That haunted me. The rest with me is history.
With everything we know about the dangers of poor password practices, why is there so much bad password ‘hygiene’ today?
It really is not difficult to get to a secure level of password practice, but there are real challenges getting there. Several years ago I was helping my mother, a retired nurse, with a computer problem on her work laptop. She told me her password and I was shocked as it was one of the easiest to hack. I asked her why she uses it and she said, “Because our system and the IT people at work accept it.” That is, it met their minimum standards. So when people blame end users for bad password practices, that is just wrong for the most part. Organizations need to look at their own policies and rules.
So end users do what is easiest for them?
Of course. They want to get their job done, right? Imagine if they have to change passwords every month and create multiple passwords that no one could possibly remember. Research in Sweden and Norway puts the number of passwords needed to access all different systems for people over 18 years old at 20-25 passwords! So password practices come down to a matter of usability. If it gets in the way of people getting their work done, of course they will default to the easiest practices available.
Such as using the same password for multiple systems?
Yes, but don’t necessarily believe all the statistics and research you read about that. I have done both anecdotal and online research into this matter. What I found is that users often think they are using the same password, say Wednesday1, but in fact use a variant to get into different systems, such as wednesday1 or WeDnEsDaY1.
Would you say it is wrong to use the same password across multiple systems?
No, not necessarily. I do it. But, I have also undertaken a risk analysis, which is really important for individuals and businesses to do. For example I have several systems here at home in Bergen. They are not interconnected and can only be hacked if someone actually comes to my house and takes them. However I know what is on them, and it isn’t worth taking, like a Linux test system I use. So you need to apply some intelligent risk analysis before you go off crying wolf about all passwords needing to be impossibly long and complicated and unique. That is stupidity and paranoia. On the other hand, with your passwords you have to pay close attention to any compliance or regulations that mandate certain password policies. Some of the things these regulations make you do might seem crazy and over the top. But if you go to court because you haven’t complied, that craziness is irrelevant. All that matters is that you didn’t do what you were told.
Do you have general recommendations or a ‘wish list’ for password best practices?
Many organizations have different password policies for different systems, with different password length requirements, different password change timeframes, and so on. I see no logical reason for this in most cases. Usability takes a hit as productivity drops and users make call after call to the help desk for password support. Implement one password policy across all systems and you’ll get a large productivity gain. Again, it isn’t the end users that are the problem here. It’s bad internal policies. The help desk is not the security department. To avoid repeated calls from users who forgot passwords, what will the help desk do? They’ll give them easy-to-remember passwords that happen to comply with the policy! Easy to remember means easy to hack.
Anything else?
Write policies that you can actually enforce and which are auditable. Otherwise, they are useless if a breach happens and you need to defend what you have in place. You cannot do that if you cannot audit it. So you have a policy that says ‘don’t use the same password on multiple systems.’ Great. But can you enforce that? Can you measure its effectiveness? No!** Think things through. Planning and common sense will go a long way.
**Footnote from Keeper: Keeper Business provides auditing capabilities to see which employees are using the same password across multiple systems.