Operations

9/16/2014
12:00 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

In Defense Of Passwords

Long live the password (as long as you use it correctly along with something else).

Over the past years, months, and weeks, industry has suffered from a surge of data breaches, which have leaked a wealth of user credentials onto the underground market (albeit, often hashed credentials). Some of the fallen victims include Adobe, Target, Michaels, and Home Depot. Even Google was not immune, though the leak reported last week of some 5 million username and password combinations consisted of mostly stale or older credentials that don't actually work.

The news isn’t good or surprising. The principal reason is fairly obvious: People still suck at using passwords!

If you follow these password database leaks, the top used passwords read like a list of bad practices. They include passwords that are too short or too common, and thus very easy to guess or crack. Totally irresponsible passwords like “password1,” “123456,” and “qwerty” still are horribly common. Furthermore, correlating password leaks has shown that people still tend to use the same password across different resources. All this is why many pundits have proclaimed that the password is dead.

You can easily see why one might say that. Security professionals have recommended the same password advice for decades, and yet no one seems to follow it. Furthermore, blackhat hackers appear to get their hands on our credentials as easily as a master thief swipes candy from a sleeping baby. All this suggests passwords don’t work, right?

Wrong! Rather than blaming the password, I think the whole password fiasco comes down to two problems: We’re blaming the wrong culprit, and we’re giving ourselves a pass to sacrifice security for laziness.

[Join Dark Reading Radio on Wednesday, Sept. 17, at 1:00 p.m. ET for a grown-up conversation about passwords with Cormac Herley of Microsoft Research.]

First, let’s talk about the actual culprit. Simply put, a password is a key. If you lose your house key through a hole in your pocket, do you blame the key when a burglar breaks into your house? The key was just doing its job. You should blame the hole in your pocket, or the inattention that allowed the key’s loss in the first place. Similarly, it’s absurd to blame passwords for data security problems. Rather, we should closely examine how hackers make off with huge troves of credentials in the first place.

The heart of the problem
In a large percentage of these credential leaks, attackers exploited a web application flaw called SQL injection to steal passwords from a website’s database. To me this is the core problem: the fact that the victim’s network, web app, or database security was so bad that attackers easily walked off with such sensitive data. We are blaming the key when we should be asking why we didn’t keep better track of it.

Although the real fault lies with how badly we protect our keys, it’s also true that some keys are stronger than others. These incidents have proven most people choose crappy passwords, but that doesn’t mean the whole idea of passwords is broken. Password security practices work! If you use long, complex passwords over 14 characters, and you use different passwords at each site, these password leaks wouldn’t affect you. If bad guys stole your password hash, they probably couldn’t crack it, and even if they did, it would only give them access to that one resource.

So why don’t people use good password practices? Simply put, until recently it was too hard to do. Humans aren’t good at making or remembering long, complex passwords, nor are they good at keeping track of them. However, that’s not an excuse today. Recently, password managers have become readily available and easy to use. They even work across multiple platforms. Though some argue password managers themselves become a weak point (all your eggs in one basket), it’s much less risky to hoard passwords in one encrypted file store than it is to use the same weak password everywhere.

In short, passwords aren’t broken; we just aren’t protecting them properly or using them right. Here’s how to fix the problem:

  • Plug the gaps that allow password databases to get stolen. Usually, it comes down to SQL injection and web application flaws. So focus on secure web development.
  • Standardize on a password manager so that you can actually follow good password practices.
  • Finally, and most importantly, the 21st century requires multi-factor authentication. No matter what you use to authenticate -- a key, password, token, picture, or biometric -- attackers can steal it. That’s why we need to use more than one token to authenticate. Passwords are a good option for one token, but you should supplement them with something else.

So I say, long live the password -- as long as you use it correctly along with something else. What do you think? Let me know in the comments.

Corey Nachreiner regularly contributes to security publications and speaks internationally at leading industry trade shows like RSA. He has written thousands of security alerts and educational articles and is the primary contributor to the WatchGuard Security Center blog, ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
CNACHREINER981
50%
50%
CNACHREINER981,
User Rank: Author
9/17/2014 | 4:11:23 PM
Re: passwords
Thomas, Yes! That is a great point, and one I didn't really make strong enough in the article. What alternative is there? Many have said, "passwords are dead" but they don't really present alternatives that are significantly better.... For instance, biometrics. They have they're own problems (can be copied/stolen too, and once lost, can never be used again)... Until someone actually shares an alternative that really is effective, I think blaming the password, rather than our insecure use of them, is the wrong message.
CNACHREINER981
50%
50%
CNACHREINER981,
User Rank: Author
9/17/2014 | 4:08:26 PM
Re: passwords
I didn't have time to talk much about Biometrics, in order to keep the article short, but I'm not an overly huge fan of them. I think biometrics make a good second token, but you shouldn't rely on them allone... Here's why... While it is harder to steal a biometric.... it is possible... There has been many research examples of pulling fingerprints and using latex to recreate them, etc. This is harder, since you have to physically pull a print from somewhere, but it's possible. Also, as I mentioned in the artlcle, the big problem isn't just bad passwrods, it's that bad guys stole password hashes from databases. Biometrics aren't stored as a full copy of a fingerprint, but a digital equivilent.. I wouldn't be surprised if eventually hackers learned to steal this digital equivilents, and reply them. Finally, the main problem with biometrics is there can only be lost once, and then they are worthless. You can change your password but you can't change your fingerprint... if someone pulled your print and could use that to defeat a biometric, you'd have to stop using that fingerprint forever and move to something else...

So again, biometrics make a great additional token, but I think they'd have issues if used as the only authentication mechanism.

 

Cheers,

Corey
CNACHREINER981
50%
50%
CNACHREINER981,
User Rank: Author
9/17/2014 | 4:02:34 PM
Re: passwords
Amen to that brother... there is no silver bullet... 
CNACHREINER981
50%
50%
CNACHREINER981,
User Rank: Author
9/17/2014 | 4:01:51 PM
Re: No password is bad
My favorite trick is simply using an english sentenve with punctuation, and maybe some "7334 [email protected]"

For instance, "My silly r3d dog is so rambunctious!"

The the sentence makes it long and the spaces and punctuation provide extra characters... being a sentence, it's easy for you to remember. The only downside is being longer to type, but trust me, muscle memory works on sentences too...

That said, this doesn't solve the different passord at different resources issue, which I do believe is a big deal. That why, I prefer password managers, and using this sentence trick for my master password....

Cheers,

Corey
CNACHREINER981
50%
50%
CNACHREINER981,
User Rank: Author
9/17/2014 | 3:57:54 PM
Re: Password manager
Sounds like you are doing all the right things. I'm hoping that all web services will adopt two token... Even thought using mobile SMS isn't the most security of the second token options (some Zeus related malware designed to hijack mobiles too), it's much better than nothing, and almost everyone has phone... so it's easy.

Some password managers are doing better at syncing across multiple platforms, so you can use them on mobiles without actually typing anything but the master password...  
2009///M
100%
0%
2009///M,
User Rank: Apprentice
9/17/2014 | 1:23:24 PM
Password manager
I use two factor when possible, but have resorted to a password manager and letting it manage the complex passwords it generates for each site.  When im mobile and not on a PC with the web browser plug in, I use the mobile app to look up the password (which is a pain to retype, due to the complexity).
Marilyn Cohodas
0%
100%
Marilyn Cohodas,
User Rank: Strategist
9/17/2014 | 9:55:05 AM
Re: No password is bad
There are not-so-difficult tricks to help users remember complex passwords -- which I'm starting to rely on myself more and more. But to go into every application or web site and change my existing password? Who has the time for that? There should be a way to securely automate the creation of strong passwords for users at the system level. Any password strategy that puts users in change of changing their own behavior is doomed to fail. 
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
9/17/2014 | 8:34:53 AM
Re: passwords
I agree we should not have expectation of security-proof solutions, we have to assume there is always risk being compromised. The risk is never zero. The ultimate solution is in layered approaches when it comes to security.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
9/17/2014 | 8:31:34 AM
Re: passwords
How about biometric we have been talking about for years, when is it going to be really available for us? Apple complains about users behaviors, I suggest they need to get back to work and find solutions, instead.
Dr.T
100%
0%
Dr.T,
User Rank: Ninja
9/17/2014 | 8:28:41 AM
No password is bad
I like the way that you put it. There is reason why users are defining simple passwords, they can not keep complex passwords in mind and they do not have to. it is not their responsibilities to secure the systems, system architects have to provide solutions that make users life easier and keep system secure.
Page 1 / 2   >   >>
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
'PowerSnitch' Hacks Androids via Power Banks
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/8/2018
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-14623
PUBLISHED: 2018-12-14
A SQL injection flaw was found in katello's errata-related API. An authenticated remote attacker can craft input data to force a malformed SQL query to the backend database, which will leak internal IDs. This is issue is related to an incomplete fix for CVE-2016-3072. Version 3.10 and older is vulne...
CVE-2018-18093
PUBLISHED: 2018-12-14
Improper file permissions in the installer for Intel VTune Amplifier 2018 Update 3 and before may allow unprivileged user to potentially gain privileged access via local access.
CVE-2018-18096
PUBLISHED: 2018-12-14
Improper memory handling in Intel QuickAssist Technology for Linux (all versions) may allow an authenticated user to potentially enable a denial of service via local access.
CVE-2018-18097
PUBLISHED: 2018-12-14
Improper directory permissions in Intel Solid State Drive Toolbox before 3.5.7 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2018-3704
PUBLISHED: 2018-12-14
Improper directory permissions in the installer for the Intel Parallel Studio before 2019 Gold may allow authenticated users to potentially enable an escalation of privilege via local access.