My Password Pal

“Sorry pal, my password is Spring2017. Deal with it.”

Someone said those words to me the other day.  As an InfoSec professional, I’ve have grown accustomed to this type of indignant proclamation.  My jaw no longer drops to the table anymore when I hear folks speaking this way, but I still have trouble stifling an audible sigh.

As usual, when confronted with this reality, I experience the usual stages of information security grief.  Why don’t they get it?  Where have we gone wrong? Should we give up?  Who still uses the phrase “Deal with it?”

Fortunately, the statement made by my password “pal” was in the context of getting set up with a Multi-factor login system.  I have been a strong supporter of Two-Factor authentication for a long time.  I even took the bold step to predict that at least one social media platform would force 2FA on all their subscribers this year.  So far, this has not happened, and even though no one is forcing 2FA upon their subscribers, it seems to be getting some attention and adoption in many corporate settings.

In fact, a new regulation in New York is prescribing multi-factor for all remote logins unless the CISO has approved in writing the use of reasonably equivalent or more secure access controls. What is the meaning of a “reasonably equivalent control”?  In InfoSec, we call those “compensating controls”. These controls were introduced in the first version of the Payment Card Industry Data Security Standards (PCI DSS).

The standard definition of compensating controls consists of 4 parts:

Compensating controls MUST:

1. Meet the intent and rigor of the original control.
2. Provide a similar level of defense as the original requirement.
3. Be “above and beyond” other requirements. 
4. Be commensurate with the additional risk imposed by not adhering to the original requirement.

That is a tall order to fill, and it seems much more difficult than instituting a 2FA solution.

There are so many multi-factor options out there today; one has to wonder why people aren’t jumping on board with these systems? 2FA isn’t limited only to corporate systems.  Some tools that folks can use on their personal accounts are free, such as some of the “authenticator” applications offered by some vendors.  Some services such as Twitter, and at least one security organization (EC-Council), are still using text-based two-step verification, and we know that isn’t perfect, but it is still better than no security.

A 2FA system eases the sting of bad passwords considerably.  Now when someone tells me “that’s my password pal, deal with it”, I no longer have to sigh.  While my internal cynic may respond in kind “well now you have 2FA, so YOU deal with it, Sparky”, I am comforted, however slightly, that an attacker has to jump one more hurdle before he can log into the account of mister “Spring2017”.