WA Police’s chief information security officer Hai Tran has one simple piece of advice for organisations looking to reduce password risk: don’t use passwords.
Password resets had been the number one reason staff at the organisation called the service desk, making up 20 per cent of all calls to the team.
Companies like Visa are envisioning a world where the payment industry can move away from passwords using technologies such as biometrics. However, passwords don’t seem to be going away any time soon, so in the meantime WA Police set out to reduce password complexity for its staff and ensure their passwords were as difficult as possible to crack.
Tran told the recent CIO Summit in Perth that the average user does the following: they forget their password and ask the service desk for a reset, they write down their password, they use a password manager (not a bad option), or they choose a password that’s easy to remember.
Unfortunately, creating a password that’s easy to remember is the most common option users choose.
“The reality is that people will choose a crap password or a password they forget and will have it reset,” he says.
Recent penetration testing saw Tran and his team compromise 4912 passwords across WA Police.
“Some people were embarrassed, some were upset but the reality is that…it is what it is and if we don’t acknowledge it, we don’t move forward. It took 10 minutes to find 4,912 passwords,” he said.
“When I got to police, we had to change our passwords every 30 days so the next month you choose December11, December12, December13 [for example] and you rinse and repeat because you can change your password very frequently. But people weren’t surprised that we were able to compromise their passwords very quickly.”
So how did WA Police overcome this issue?
“We took a dictionary of common words (we generally know that people start their passwords with an upper case [letter]) and then we substituted those words and substituted numbers, [which provided] a combination of passwords. And the great thing about technology these days with the cloud is that for $7, we can set up an 8 GPU server on Amazon and crack the passwords really fast.
“Your password – regardless of whether it has a number at the end or a number of numbers or symbols – the system can guess it really quickly. So password complexity is really bad because it encourages people to use bad passwords and people don’t remember complex passwords well.”
“Unfortunately, we’ve been taught over the past 10 or 20 years that this is how it’s going to be. So what we did at Police was decide that we were going to abolish password complexity and we found some interesting results,” he said.
“We stopped people from having a number at the end of their password and a capital letter at the beginning of their password. And we stopped people from changing their passwords and we found some interesting results.”
Six months later, the infosec team was only able to compromise 398 passwords across the agency, he said, adding that unfortunately it only takes one password to compromise a system.
The team found that following this exercise, the number of people changing their passwords plateaued and calls to the service desk also dropped.
“We also enhanced the user experience, because [staff] were no longer required to choose a complex password. If you want to reduce password risk, get rid of passwords or at least reduce the complexity requirements.”
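The rule Tran describes (no capital letter at the start combined with a number at the end) can be enforced when a password is set. The sketch below is an added example, not WA Police's code: the function names, the tiny wordlist and the sample passwords are constructed for illustration, and the dictionary and previous-password checks go beyond the one rule the article states.

```python
import re
from typing import Optional

# Constructed sample wordlist; a real deployment would load a large dictionary.
COMMON_WORDS = {"december", "password", "summer", "police", "welcome"}
# Common character substitutions, undone before the dictionary lookup.
UNSUBSTITUTE = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                              "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def base_word(password: str) -> str:
    """Strip trailing digits/symbols, lower-case, and undo substitutions."""
    core = re.sub(r"[\d\W_]+$", "", password)
    return core.lower().translate(UNSUBSTITUTE)


def policy_findings(candidate: str, previous: Optional[str] = None) -> list:
    """Return the reasons a candidate is predictable (empty list = accept)."""
    findings = []
    base = base_word(candidate)
    # The pattern named in the article: capital first, number last.
    if re.fullmatch(r"[A-Z][a-z]+\d+", candidate):
        findings.append("capital-first, number-last pattern")
    # A dictionary word survives once suffixes and substitutions are removed.
    if base in COMMON_WORDS:
        findings.append("dictionary word with substitutions or suffix")
    # Forced rotation tends to produce December11 -> December12.
    if previous is not None and base and base == base_word(previous):
        findings.append("same base as previous password")
    return findings


if __name__ == "__main__":
    # Constructed sample inputs.
    for cand, prev in [("December12", "December11"), ("P@ssw0rd!", None),
                       ("quiet-river-lantern-walk", None)]:
        print(cand, "->", policy_findings(cand, prev) or "accepted")
```
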