
What Are Double-Blind Passwords, and When Should You Use Them?


Password security is constantly changing, and so are threat actor techniques. Passwords that were once best practice become weaker as computational power increases. Password managers have made an effort to stay current, offering better password generation and stronger encryption.

Attacks can, however, be unforeseen and can compromise password managers themselves, as happened with LastPass in 2022. A phishing or ransomware attack may also gain access to your machine without your knowledge, even if your vault is protected by a strong master password and secret key. A natural question follows: what can you do to protect against this?

Enter the Double-Blind Password Strategy: People increasingly rely on technology alone to improve password security. But what if there is a complementary approach? Most people can recall a short PIN or word but struggle to remember long passwords, and the standard advice to use a unique password for every site normally requires a password manager.

The double-blind password approach, also known as “horcruxing”, “password splitting”, or “partial passwords”, stores the long, complex part of a password in the password manager while keeping a short unique identifier, such as a PIN or phrase, in your head only.

To sign in, let the password manager fill in the complex part, then type the easy-to-remember identifier after it.

Say abc5 is your short phrase. Here is how you would use the complex, randomly generated passwords stored in your password manager:

2k2kasdf9! becomes 2k2kasdf9!abc5
a23k3k234# becomes a23k3k234#abc5
!213kk1vk1v2k!@3 becomes !213kk1vk1v2k!@3abc5

Even if an attacker obtains your password manager’s master passphrase and secret key, splitting each password into two pieces makes it considerably harder for them to access everything.

Even if an attacker infiltrates your password manager, they never see the full picture, because the manager is unaware of the abc5 part of the password. The identifier must still hold up as a secret in its own right, though: if an attacker holds both the vault contents and a site’s leaked password hash, the short suffix is the only thing left to guess.
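The attacker model above can be made concrete. The following Python script is an added example, not code from the article or from Specops: it simulates the vault entry from the article (2k2kasdf9!, with abc5 as the memorised part), a breached site’s password hash (unsalted SHA-256 standing in for the fast MD5 hashes discussed later on this page), and an attacker who already has the vault part and only needs to brute-force the suffix. It then estimates how long suffixes of various lengths survive at assumed guess rates; the alphabet, the hash rates and the example values are all constructed for illustration.

```python
import hashlib
import itertools
import string

# Constructed example values: the vault entry from the article and the
# memorised identifier the password manager never sees.
VAULT_PART = "2k2kasdf9!"
USER_SECRET = "abc5"
# Assumption: the attacker guesses the suffix is lowercase letters and digits.
ALPHABET = string.ascii_lowercase + string.digits


def combine(vault_part: str, secret: str) -> str:
    """The double-blind rule: the stored part followed by the memorised part."""
    return vault_part + secret


def site_hash(password: str) -> str:
    """Stand-in for a breached site's password store. Unsalted SHA-256 is
    used here only because it is a fast hash, like the MD5 discussed in
    the article; a real site should use bcrypt, scrypt or Argon2."""
    return hashlib.sha256(password.encode()).hexdigest()


def brute_force_suffix(vault_part: str, target_hash: str, alphabet: str, max_len: int):
    """Attacker who holds the leaked vault entry AND the site's hash.
    Only the short memorised suffix is unknown, so the search runs over
    suffixes of length 1..max_len. Returns (suffix, guesses) or (None, guesses)."""
    guesses = 0
    for length in range(1, max_len + 1):
        for candidate in itertools.product(alphabet, repeat=length):
            suffix = "".join(candidate)
            guesses += 1
            if site_hash(vault_part + suffix) == target_hash:
                return suffix, guesses
    return None, guesses


def suffix_keyspace(alphabet_size: int, length: int) -> int:
    """Number of suffixes of exactly this length the attacker must consider."""
    return alphabet_size ** length


def crack_seconds(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time to exhaust a keyspace at a given hash rate."""
    return keyspace / guesses_per_second


def main() -> None:
    full = combine(VAULT_PART, USER_SECRET)
    leaked_hash = site_hash(full)
    print(f"site receives: {full}")

    # Offline attack with vault + hash: the suffix is the only unknown.
    found, guesses = brute_force_suffix(VAULT_PART, leaked_hash, ALPHABET, max_len=4)
    print(f"recovered suffix {found!r} after {guesses} guesses")

    # Assumed rates, for illustration only: a GPU against a fast unsalted
    # hash versus a deliberately slow KDF such as bcrypt or Argon2.
    fast_rate, slow_rate = 1e10, 1e4
    for length in (4, 6, 8, 10):
        space = suffix_keyspace(len(ALPHABET), length)
        print(f"{length:2d}-char suffix: {space:>18,d} candidates, "
              f"fast hash {crack_seconds(space, fast_rate):>12.1f} s, "
              f"slow hash {crack_seconds(space, slow_rate) / 86400:>12.1f} days")


if __name__ == "__main__":
    main()
```

The takeaway: the split protects you when the attacker has the vault but not the site’s hash, because they must then guess the suffix online where lockouts and rate limiting apply. Offline, it holds up only if the suffix is long or the site hashes slowly; a four-character suffix against a fast hash is recovered in well under a second, so treat the memorised part as a real secret and make it longer than a PIN.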

Does that mean everyone should use this tactic?
Every security measure has benefits and drawbacks. Some websites, for instance, allow only short passwords.

If you aim for a 12-character stored component (above the 8-character minimum NIST SP 800-63B requires) and append a 5-character word such as “guard”, the result is 17 characters, which a service with a 16-character limit will reject.

Furthermore, one of the most useful password manager features is the ability to auto-fill and submit login forms.

With the double-blind technique, configure your password manager to auto-fill only, not auto-submit, because submitting the form without the identifier will fail. Also decline any prompt to update the saved entry with the value you just submitted; otherwise the identifier ends up in the vault and the split is undone. This trades some usability for security.

This approach works only in certain situations and must be carried out by users themselves. If a business uses a password manager with a shared vault, splitting the password is ineffective, because the identifier would also have to be distributed manually to everyone with access.

Furthermore, onboarding and off-boarding staff then requires changing not only the stored part but also the identifier, and communicating the new identifier to everyone who needs it: a major pain.

Avoiding Common Password Mistakes: Even the double-blind password procedure is no guarantee, given how many competing methods and recommendations have accumulated over time.

A user can still create a weak password, or reuse one that has already been compromised, despite this technique. With greater processing power, even random passwords drawn from a large character set become easier to crack.

The following table gives an approximation of how long it would take an attacker to crack MD5 hashes of passwords of varying lengths and character sets using basic hardware and contemporary software. MD5 is a fast, unsalted hash; the same passwords stored with a deliberately slow, salted algorithm such as bcrypt or Argon2 would take far longer.

An attacker or group with more resources could invest in extra hardware and shorten these times further.

With ransomware payouts approaching million-dollar levels, that extra hardware cost is easily justified for an attacker.

Any of the following common mistakes could leave your company exposed:

  • Using short, easy-to-crack passwords, such as common patterns, words, or phrases.
  • Failing to change a password after a breach. This is particularly relevant where the user-only identifier itself may have been exposed.
  • Not using multi-factor authentication (MFA), which leaves you exposed to token theft and phishing.

Specops Password Policy, Breached Password Protection, and MFA: A secure password strategy is built on a robust Active Directory password policy. Although firms can use other strategies and tools, such as a password manager and the double-blind approach, they must start by protecting their frontline employees.

Your firm can build a solid password policy and satisfy security compliance requirements with the aid of Specops Password Policy.

Services like Specops Password Policy with Breached Password Protection help keep your users and your company from using compromised passwords, as NIST 800-63B advises.

Strategies like the double-blind technique can work well combined with MFA, but only if end users fully embrace the concept.

MFA paired with technology like Specops Password Policy with Breached Password Protection protects your organization against breaches without overcomplicating the process for most enterprises.

With dynamic, informative client feedback, Specops Password Policy helps users create stronger passwords in Active Directory, letting them see firsthand how to improve password security without needing a double-blind approach.