People Are Not Broken, Passwords Are

Written by

For way too long our industry has been blaming the failings of an out-dated access mechanism on users and doing a good job of getting away with it, says Brian Spector

Every breach sees another flurry of pundits reminding people of the importance of good password hygiene. People are tired of being told that they must create ever-lengthening passwords for each individual service or application, an apathy which compounds the problem further.

The insinuation that it is the user’s fault for daring to use a login they can remember, instead of a 16-character hexadecimal string, also jars. Yet every high profile breach sees the same message. The onus is put on consumers to change their username and password because, despite this being a problem borne of technology, it is the user that needs to change.

The IT security sector is unique in this respect. There are not many industries where failure of the primary function is taken so lightly, and the emphasis shifted onto the user so slickly.

The concept of passwords itself is not terrible, it’s just they have become obsolete as an access mechanism. Why does the security industry, where concepts like machine-learning and artificial intelligence are common parlance, so heartily accept a 45-year-old approach? Developed before rainbow tables, automated brute-force attacks, and at a time when a modern desktop would be thought of as a super-computer, it is a thread that threat actors started pulling at a long time ago. It has now been fully unwoven. 

More practically, at a time when the rhetoric has openly switched from perimeter defense to an acceptance that organizations will be breached, the password database presents a huge risk point. Many CISOs and network admins assume that if this is salted and hashed, it has an adequate level of protection. This is just not the case.   

Such methods have long been superseded by the on-going march of cloud computing. The common misconception is that the computational power needed to crack such a huge list of variables makes it an impossible task. This may have been the case some years ago. However, with formidable clusters now available for rental on Amazon Web Services and Microsoft Azure amongst others, the necessary muscle is very much available and easily affordable. Such power can make countless numbers of password guesses per second. Everything from MD5 to Bcrypt is vulnerable, a scary thought for any organization.

"There are not many industries where failure of the primary function is taken so lightly, and the emphasis shifted onto the user so slickly"

Put in the terms of the financially driven cyber-criminal, it makes business sense to dedicate resource to breaking such lists. With stolen databases from some of the larger hacks numbering in the tens of millions, the return on investment can be very tempting. 

The bottom line is that any authentication solution that assumes servers can protect large files is wrong. For too long password databases have been incapable of being protected. In some cases, this may have been ignored in the belief that the damage done in the event of a hack is outweighed by the cost of implementing necessary measures. In others, the vendor or team responsible puts their faith in hashing and salting. In the case of a breach, the response is always the same: put the onus on the user, give them advice about changing their passwords and then quietly step back. This is at best a sticking plaster, and at worst negligent. 

This should not be the accepted norm. Technological alternatives to passwords have existed for some time. However, familiarity and an unwillingness to change an approach that has been around longer than most operating systems often drives IT teams back into the comfortable arms of the password. Instead, these people need to be brave and employ cutting-edge technological solutions to stay ahead of the problem.

These solutions aren’t difficult to implement, use tried and tested technology, and don’t cost the earth. By using a zero knowledge proof protocol, users can prove to an application that they are who they say they are without actually disclosing usernames and passwords.

This means there is no longer a need to store the credentials in a password file or database. In one fell swoop it removes the risk by eliminating this single point of compromise. If you also introduce distributed cryptography, where keys are split and spread across multiple trust authorities, you remove the other single point of compromise.

Come D-Day, where would you rather be, swearing at a dump of millions of passwords on Pastebin or sitting safe in the knowledge that the miscreants got away empty-handed? 

What’s hot on Infosecurity Magazine?