Share

Related Links

  • Digital Assurance
  • Reed Exhibitions Ltd is not responsible for the content of external websites.

Related Stories

  • The contradictions of password psychology
    A new survey on attitudes towards passwords indicates an apparent contradiction: most people want stricter password security policies, but don’t bother changing their own default passwords.
  • Passwords: how to make them and break them
    Weak passwords are the bugbear of security. We look at Dell’s advice on creating good passwords, and Imperva’s analysis of how hackers break them.
  • Can you count to six? So can cybercriminals
    Do you think “123456” is a good password? Don’t count on it. It was the second worst password behind “password”, according to a study by password management firm SplashData.
  • Good password policy isn’t random – or is it?
    Using entropy effectively is a key ingredient in an organization’s password policy, according to Forrester researcher Chenxi Wang.
  • Comment: Password Reuse Equals Misuse
    A recent survey by Swivel Secure shows that 55% of people use the same password, or variations of one, to access all their online activities. Chris Russell examines the corporate risks of password reuse and emphasizes the need for multifactor authentication for accessing business critical data

Top 5 Stories

Feature

Comment: Passwords Are Now Past Their Best

09 March 2012
Phil Robinson, Digital Assurance

Phil Robinson of Digital Assurance shares his views about the growing dependence upon passwords and looks at management methods and technical alternatives to improve upon them

The concept of the password is as old as the tale of Ali Baba and ‘Open Sesame’. The story still has relevance today in that any password is only as effective as the level of concealment awarded to it. However, in a world where we are becoming ever more reliant upon passwords, concealing them is becoming far harder.

So why are we still using this antiquated means of authentication, and can it be improved upon?

It’s often said that long passwords are better than short ones and going beyond dictionary words (i.e., by substituting letters for numbers, for example) is safer; there are even password ‘barometers’ that will attest to this. But, while size and complexity do matter, there are other factors to consider.

For instance, what if a computer has been compromised by malware and is running a keylogger that captures a supposedly ‘complex’ password and beams it back to a hacker, along with the details of the service being logged into? Taking another example, what would happen if an online service provider (such as an online mail, game or social network service) isn’t taking adequate steps to protect their systems? Then the password could be (and there have been many instances of this already) stolen from the inside.

Even presuming the provider has encrypted the password in their database, the hacker can still crack this using an offline rainbow attack. And, if the user resorts to employing the same password for other online services, these too can be at risk and result in identity theft.

Additionally, the emergence of advanced persistent threats (APTs), which continuously target prominent individuals or enterprises, is now taking password attacks further using online reconnaissance. People are voluntarily placing a wealth of data online, and this makes cracking much easier, doing away with the need for brute force techniques. Social media sites are increasingly being used to mine passwords, because people are predictable creatures and will often select the names of family members, memorable dates, or their favorite sports team.

But it’s not just the social channels that make us vulnerable. Whenever we post online, purchase, contribute or comment, we are contributing to a ‘big data’ profile that the hacker can trawl through to mine information – information that can be used to gain access to personal accounts or to authenticate to the enterprise network.

Recent innovations in password management include automated password generators, but the complexity of the passwords they create can often lead to them being written down, leading to a physical security issue in its own right. We’ve also seen the emergence of password vaults that can bring definite security benefits, particularly to job roles such as the system administrator. However, this presents a single point of attack and a tempting target for the hacker.

Wherever possible, this vault of ‘crown jewels’ should be placed behind a separate host-based or network firewall that controls access from the general network and should be regularly patched, updated and have additional controls, such as anti-virus and intrusion protection.

The main alternatives to the password – often referred to as ‘something you know’ – are additional factors of authentication such as ‘something you have’ (i.e., a token or smart card) or ‘something you are’ (i.e., a part of the body, such as a fingerprint or iris). But deployment is limited, and issues still remain. If a client re-uses the password or PIN on a single-factor authentication site or device, for example, then these additional factors of authentication can become vulnerable, particularly if they are lost or stolen or are subject to a phishing attack.

There is no such thing as a totally secure authentication system because there will always be a way – either technically or physically – to circumvent them. Recent efforts have made passwords so complex as to alienate the user or have pooled them, making them a greater target. Add to this the proliferation of big data has that further undermined password security. How many password-activated accounts does each of us have online? How many times do we sign in each day? How complex has remembering passwords become? How many similar passwords are being used for personal online services and also work-related systems?

There has to be a better way. The use of passphrases that comprise whole sentences are a step in the right direction, helping the user remember the authentication code while making it harder to crack. But as an industry – both online service providers and security professionals – perhaps we need to move beyond the cave door and begin to think more imaginatively and collectively about authentication solutions.


Phil Robinson is a director at Digital Assurance, a vendor-independent UK-based security consultancy. Robinson is a recognized CESG CLAS consultant, a CITP (Chartered Information Technology Professional), a Chartered Engineer (CEng), an ISO27001 auditor, and an OSSTMM 3.0 professional security trainer. He is also a Founder Associate Member of the Institute of Information Security Professionals.

This article is featured in:
Data Loss  •  Identity and Access Management  •  Internet and Network Security

 

Comment on this article

You must be registered and logged in to leave a comment about this article.

We use cookies to operate this website and to improve its usability. Full details of what cookies are, why we use them and how you can manage them can be found by reading our Privacy & Cookies page. Please note that by using this site you are consenting to the use of cookies. ×