One of the things that I (and many other cyber security people) do far too often is answer perfectly reasonable questions with the words ‘Well, it depends...’
Why can’t we provide a simple answer to a simple question? Are we equivocating because we’re either unsure or don’t want to commit? Or is it an entirely sensible reaction when trying to fit imperfect solutions to complex situations?
I’d like to think the latter, coupled with a deep desire not to provide bad advice because we don’t have sufficient information to fully understand the situation. Context is essential. If Ian asks me ‘should I play Minecraft?‘, I could say ‘yes, I recommend it!’, but if that answer gets treated as ‘Jon recommends we stop working on our research problems and play Minecraft‘, there might be some explaining to do!
Nuanced answers matter when we’re writing advice and guidance as the NCSC. We spend a lot of time drafting and redrafting advice for our website, and we’re very aware that we cannot know all of our readers’ scenarios. We now have a lot more readers as the NCSC – everyone from security professionals in large organisations to senior readers, small enterprises, end users, developers… the list goes on.
There’s a strong temptation to write ‘it depends‘ on many of the points we are discussing. But this tends to result in lengthy publications which – in attempting to cover all possible situations and scenarios – end up being more open to misinterpretation.
Password managers made complex
A good example of this concerns password management tools. You’ve probably seen our guidance on passwords, and our related blog posts (Let them paste passwords, Your password expiry policy may have reached its expiry date). One of the things we say in the guidance (which is aimed at system administrators) is:
“Password management software
Software password managers can help users by generating, storing and even inputting passwords when required. However, like any piece of security software, they are not impregnable and are an attractive target for attackers.”
We get asked about this a lot (‘should I use a password management tool?’). And the temptation – a strong temptation – is to write ‘it depends’. But why?
First of all, we don’t know anything about the specific password manager you might be considering. It might be brilliant (well implemented cryptography keeping the passwords safe, good integration with other applications on the platform so not to undermine their security, effective use of the platform itself to protect these vital credentials, etc.).
However, if you’ve seen any of the work that people like Tavis have done, you’ll appreciate that not all of these products have got the same security pedigree.
The second reason is that we don’t know how you’re planning to use it. Is this for personal use on a single device, or are you planning to use it to synchronise your passwords across multiple devices? Or are you a system administrator, picking a product for your colleagues to use on enterprise devices? What if you are a system administrator contemplating putting all of your high-value administrative credentials into a password manager?
So, what’s the answer?
In the password management tools case, I want to emphasise the message in our original guidance. They’re potentially useful, but they’re not a silver bullet. Things can and have gone wrong.
On balance, it’s probably better for the majority of us to have a mechanism to help manage the pain of passwords. Which should you pick? Personal preference really – they’ve all got different features and uses. Emma’s written a great blog about some of the considerations you might want to think about.
If you’re a system administrator, please read all of our password guidance written specifically for you. The key message is to first try and get rid of as many passwords for your users as you can. Replace them with things like SSO, certificate-based authentication, or even remove the authentication step in places where it isn’t actually required.
We will shortly be publishing a buyers’ guide for password managers in enterprise networks. If you are going to personally use a password manager to look after system administration credentials, be sure to read our other guidance about protecting administrative accounts, and designing networks to avoid compromising high-privilege accounts.
In terms of all our guidance, it’s worth remembering that it’s just that: guidance. We can’t – and shouldn’t – take risk decisions for you. We’re happy as the NCSC to advise on what we think looks good and bad, but ultimately it’s your decision as you know your context, your priorities, and how much risk you’re willing to take – and live with the consequences too.
Finally, a belated new years’ resolution from me. I promise not to say the words ‘it depends’ unless I really really have to, or if Ian is asking about Minecraft again.
Source: National Cyber Security Centre