Any eight-character ASCII password can be broken in 5
minutes and US$500 in cloud processing costs.
This capability was demonstrated at GRRCon
2019 by a security researcher from Optiv. It may have been demonstrated elsewhere first, but this is the first time I have seen time, methodology, and tangible cost associated with the capability.
Ten characters? 5 hours and US$9000,
unless the password starts with a capital and ends with a number, which
essentially makes it as trivial to break as an 8-character password. 12-character
passwords still take 5 years, with the same first/last character caveats
that make 12-character passwords essentially 10 characters.
This news represents a significant change in the cyber
threat landscape. But the news is not the topic of this blog post; a security
program’s reaction is.
First, take a deep breath. Your cyber security program isn’t
the only program potentially impacted by big news. Don’t get sucked into the
collective industry social media meltdown that occasionally occurs (side-eyes
Spectre and Meltdown).
Next, understand the depth of any impact on your
organization and the ensuing risk. It
will be particularly important to factor in any existing compensating controls.
Already have a password policy that requires 12-character passwords and a
password filter that enforces no capital letters at the beginning and no
numbers at the end? Your additional risk is minimal. Have eight-character passwords but require multi-factor
authentication? Your risk remains low. Use strange Unicode characters in
passwords? This wasn’t part of the testing method, but common sense and a little
math tell us that these likely add a lot of complexity to passwords.
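Two points above lend themselves to a short worked check: the keyspace arithmetic behind the first/last-character caveat, and the password filter described as a compensating control. The following is an added example, not the researcher's methodology or any vendor's filter; the 95-symbol printable ASCII alphabet, the 12-character minimum and the sample passwords are assumptions.

```python
import math
import string

# Assumed alphabet: the 95 printable ASCII characters.
PRINTABLE = 95
UPPER = len(string.ascii_uppercase)  # 26
DIGITS = len(string.digits)          # 10


def keyspace_bits(length: int, cap_first: bool = False, digit_last: bool = False) -> float:
    """log2 of the candidates an attacker must try for a printable-ASCII password.
    The flags model the habit the post describes: a capital at the start and/or a
    digit at the end, which shrinks that position from 95 choices to 26 or 10."""
    free, bits = length, 0.0
    if cap_first:
        bits += math.log2(UPPER)
        free -= 1
    if digit_last:
        bits += math.log2(DIGITS)
        free -= 1
    return bits + free * math.log2(PRINTABLE)


def effective_length(length: int, cap_first: bool = False, digit_last: bool = False) -> float:
    """Length of an unconstrained printable-ASCII password with the same keyspace."""
    return keyspace_bits(length, cap_first, digit_last) / math.log2(PRINTABLE)


def filter_password(pw: str, min_length: int = 12) -> list[str]:
    """Password-filter check modelled on the compensating control in the post:
    enforce a minimum length and reject the capital-first / digit-last pattern.
    Returns the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if pw and pw[0].isupper():
        problems.append("starts with a capital letter")
    if pw and pw[-1].isdigit():
        problems.append("ends with a digit")
    return problems


if __name__ == "__main__":
    for n in (8, 10, 12):
        print(f"{n} chars: {keyspace_bits(n):.1f} bits unconstrained, "
              f"{keyspace_bits(n, True, True):.1f} bits with capital-first/digit-last "
              f"(~{effective_length(n, True, True):.1f} unconstrained chars)")
    for sample in ("Password2019", "correct horse battery"):  # constructed samples
        print(repr(sample), filter_password(sample) or "accepted")
```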
Next, you’ll have to think through your path forward. What additional
controls do you need? What compensating controls can you put in place in the
interim? For instance, you might decide to implement multi-factor authentication but change
your password policy in the interim while you are waiting for resources.
Once you have your path forward, you’ll need to educate
executives about the changes in the threat landscape. This is a good
conversation to have after any major threat landscape shift, so you are viewed
as the expert on cyber rather than the media or your vendors. This will also
give you the opportunity to help them understand the impact on your organization
(if any) and your thumbnail plan to mitigate the shifting threat. You may also have a resource ask as part of this conversation or a follow-up conversation.
This is one way that enlightened cyber leaders provide value
to organizations.
Follow me on Twitter
for discussion and the latest blog updates: @Opinionatedsec1. Or, start your
own discussion using #crazygoodcyberteams on Twitter or LinkedIn and I'll read
it.