As you may have noticed there have been a lot of website and business breaches in the last 3-4 months where usernames, passwords and occasionally some personal information has been taken. You can see a consolidated, and up to date list here at liquidmatrix.org. Given that passwords are so easily “lost” these days, are they doing much more than security theatre?
This has been an ongoing topic of discussion for several years inside the info-sec community and I thought I’d get my current thoughts out on the subject as it seems to be coming to a head again.
It is becoming generally accepted that users cannot be trusted/expected to look after their credentials and more and more businesses are looking at offering additional ways in which to secure user accounts beyond the humble password.
A bit of Background, the issue is really comprised of 2 parts, the businesses supplying their services and the people that use these services.
Part of the problems is that the businesses breached don’t always take the appropriate care when managing credentials, these are stored in plain text (readable by anyone) or in a poorly encrypted form (that allows the passwords to be cracked or reversed).
This is not always something that is malicious and there can be any number of reasons why this happens. For example, the people building these websites are web developers and not security people, they don’t necessarily know that the standard library or function that they call when building a web application is 10 years old, calls a deprecated function/hashing algorithm and doesn’t do what is required in this day and age.
A more pessimistic take is that you can see, historically, businesses that have been caught out by these breaches in the past don’t always take a hit financially (unless it leads to privacy violations and they are fined or sued) and weigh up the cost of doing things right vs. the likelihood of something going wrong and having to pay compensation. This attitude is definitely changing, as be described. More and more businesses are beginning to offer alternatives.
The other factor in this is that users tend to reuse their passwords across multiple sites. Users tend to do this for any number of reasons, mostly because it is convenient to only have to remember a small set of credentials to get around work and social media sites.
This too is understandable as most people don’t realise that once there is a breach, and your credentials are leaked, people (hackers or script kiddies) will automatically try them against other popular sites or even your place of work (as apparently one Dropbox employee found out).
What’s the hoopla anyway?
Those that say, yeah great for clear text passwords, but mine is/was encrypted, how does that cause an issue? For a great overview of the problem with password breaches and cracking, head over to Ars Technia. The summary of the article, however, is that with the cracking tools available today, each breach feeds the beast and makes it easier to crack each time there is another breach.
The other issue today is that Microsoft (live), Facebook, Google, and Yahoo!, to name a few, offer the ability to provide federated authentication services through OpenID, SAML, OAuth or similar services.
This means that you can use your credentials, username and password, for one of these systems to authenticate (verify you are who you say you are) to another completely separate system that then authorises (provides permissions to do things based on who you authenticated as) you. So if your Facebook account is compromised and you use it to login to any other account with your credentials that you have linked to Facebook.
People also tend to cascade the linking of their accounts so that when you’ve forgotten your password you have Facebook , Twitter or Apple email your Gmail account with the password reset token, allowing the compromise of one account open up the possibility of access to a lot more.
Whilst you can point the finger and blame the companies that were breached, your username and password, and the management of them, are ultimately your responsibility.
What can you do?
Given that this looks like the sky is falling and that every password leaked means that it becomes easier and easier to get into systems, what can you do? You can invest in a password generation and management tool or look at 2 factor authentication methods offered by vendors.
The first thing you can do is start using a password generation tool like LastPass or 1Password. Most of the tools out there have the ability to generate passwords given a number of different parameters like whether it is pronounceable, includes numbers, capitalisations, hyphens, etc (see the example below of 1Password browser plugin for password generation).
Couple this with a tool that remembers your passwords and you now have the ability to generate new and unique passwords for each and every application and website you can think of.
Most of these applications have browser plugins too that automate the entire process so there isn’t even the need to do more than follow the prompts.
Passwords – becoming too hard
Given that all of this is very complicated and relies heavily on you to do the work, more and more businesses are realising that trusting their user base to create unique passwords is not necessarily the best thing and offer a number of additional mechanisms to assist in the protection of themselves and the authentication of their users.
This second factor authentication mechanism is something that you should always take advantage of.
What is 2-Factor authentication? Two factor authentication takes the something you know (your password) and then adds in either something you have (like a security token) or something you are (biometrics).
The “something you have” can be any number of things:
- Digital certificate;
- Smart card (generally stores a digital certificate);
- Physical Token (generates a one time password or pin on a screen of a device);
- Soft token (generates a one time password or pin via an application); or
- SMS (short message service) one time password or pin.
The something you are is exactly that, something that is uniquely you:
- Retina scan;
- Palm print;
This second factor when coupled with your password makes it a lot harder for your account and personal information to be compromised should one or the other components be lost.
Most financial organisations offer a number of options for 2 factor authentication. The most common of these are SMS based one time passwords for transactions. Others opt to provide their customers with physical tokens that generate one time passwords.
Other organisations have started offering 2-factor authentication methods for their users -
Google offers both SMS and soft tokens for unauthenticated devices or services across their services like Reader, Gmail, etc.- http://googleblog.blogspot.com.au/2011/02/advanced-sign-in-security-for-your.htm
Dropbox have just added soft tokens for previously unauthenticated devices - https://blog.dropbox.com/index.php/another-layer-of-security-for-your-dropbox-account/
WordPress are now offering Vasco tokens - http://www.scmagazine.com.au/News/313736,wordpress-adds-vasco-one-time-password-technology.aspx and support for the Google Authenticator application – http://wordpress.org/extend/plugins/google-authenticator
Facebook now supporting SMS based tokens for unauthenticated devices- http://www.facebook.com/note.php?note_id=10150172618258920
The above list is certainly not exhaustive, but shows that there is now a move away from the old Username and Password as the way in which to authenticate a person.
What should I do?
The short answer to this is as follows:
- Never reuse passwords. Ever;
- Be aware of the risks in linking accounts to each other;
- Use a password manager; and
- Take advantage of 2-factor authentication.
Following these 4 simple things won’t guarantee that you and your accounts will not be compromised, but it will guarantee that the damage will be mitigated.