Password security, like threat actor methods, continues to evolve. As computing power grows, previously best-practice passwords become increasingly vulnerable. Password managers have done their best to stay up-to-date, offering increased encryption security and better password recommendations.
But, attacks are unpredictable and may even lead to compromises of password managers themselves, such as LastPass in 2022. Even with a strong passphrase and secret key, a phishing or ransomware attack may steal access to your system without you even realizing it. This begs the question, what could you do to help protect against this?
Enter the Double-Blind Password Strategy
More and more people arerelying solely on technology for better password security. But what if there’s a safer solution? Most people can easily remember a short PIN code or word but struggle with longer passwords. A common recommendation is to use a different password for each site, which usually requires a password manager.
The double-blind password strategy, also known as “horcruxing”, “password splitting”, or “partial passwords”, involves storing the long and complex part of a password in a password manager and keeping the short unique identifier, such as a PIN code or word, to yourself.
To log into a service or website, use the password manager to fill in the complex part and add the easy-to-remember unique identifier.
For example, say your short phrase is abc5. You would store your complex, randomly-generated passwords in your password manager and use them as follows.
- 2k2kasdf9! becomes 2k2kasdf9!abc5
- a23k3k234# becomes a23k3k234#abc5
- !213kk1vk1v2k!@3 becomes !213kk1vk1v2k!@3abc5
Splitting the password into two parts makes it much harder for an attacker to gain full access, even if they have stolen your password manager’s passphrase and secret.
Since the password manager never knows about the abc5 portion of the password, attackers will never have the complete picture and access, even if they hack your password manager.
Does that mean everyone should adapt this strategy?
Every security method has its pros and cons. For instance, some websites may only allow short passwords.
If you aim for the minimum 12-character password length recommended by NIST 800-63B guidelines and append a 5-character word, such as “guard,” to the end of the password, a service with a 16-character password limit may not be compatible.
Additionally, one of the best usability features of password managers is the ability to auto-fill and submit authentication forms.
But, with the double-blind password strategy, it is important to ensure that your password manager only auto-fills, as submitting the form without the unique identifier will fail. This may sacrifice some usability for security.
This method may only work for some environments and has to be adopted by users. If an organization uses a password manager, splitting the password may not be effective if a shared vault is being used—as the identifier will have to also be broadly shared manually.
Additionally, on-boarding and off-boarding individuals require password changes not only for what’s stored but also for all those with access to learn the new identifier—quite the headache.
Avoiding Common Password Mistakes
With so many different strategies and recommendations over time, even the double-blind password strategy may not always work as expected.
Despite this method, a user can still create an insecure password or use one that has already been compromised. Increased computing power means that even random passwords with various characters are more susceptible to cracking.
The following table shows approximate times it would take an attacker with a modest amount of hardware and modern software to crack MD5 passwords of various length and complexity.
Any attacker or group of attackers that have more resources would be able to accelerate these times with investments in additional hardware capacity.
With ransomware payout reaching million-dollar levels, the additional setup expense can be seen as easily worth it.
Any of the following common errors may result in a password that leave your organization open to password vulnerabilities:
- Using short and simple passwords, such as repeated sequences, common words, or phrases that are easily able to be cracked.
- Failing to change a password after a breach can be a major problem. This is especially true in scenarios where the unique identifier, known only to the user, could be compromised by potential threat actors.
- Failing to use multi-factor authentication (MFA) can leave you vulnerable to token stealing or phishing attempts.
MFA, Breached Password Protection, and Specops Password Policy
Having a strong Active Directory password policy is the foundation to a secure password strategy. Other techniques and tools such as a double blind password strategy, password manager and more can be used but organizations have to start by securing their frontline.
Specops Password Policy can help your organization establish a strong password policy and meet security compliance requirements
. As NIST 800-63B guidelines recommend, services like the Specops Password Poilicy with Breached Password Protection helps protect your users and your organization from using compromised passwords.
Combined with MFA, strategies such as the double-blind password strategy can be effective, but only if end-users are fully adopting the practice.
For most organizations, a cleaner and therefore more secure approach would be MFA combined with a tool like Specops Password Policy with Breached Password Protection safeguard your organization against potential breaches and ensure you don’t become a victim without overcomplicating the process.
Specops Password Policy helps users create stronger passwords in Active Directory with dynamic, informative client feedback so they can see firsthand how to improve password security without the need for a double-blind approach.
Password Strategies Evolving with Cybersecurity Challenges
Over the years, there have been many password strategies proposed. While the double-blind password strategy is secure, it is only effective if users fully adopt the strategy so is likely better off used on a personal basis.
To keep end-users in your organization secure and to prevent password-based vulnerabilities, it is important to start with a strong password policy, avoid using previously compromised passwords and incorporate MFA whenever possible.
Sponsored and written by Specops Software