The concept of the password is as old as the tale of Ali Baba and ‘Open Sesame’. The story still has relevance today in that any password is only as effective as the level of concealment afforded to it. However, in a world where we are becoming ever more reliant upon passwords, concealing them is becoming far harder.
So why are we still using this antiquated means of authentication, and can it be improved upon?
It’s often said that long passwords are better than short ones and that going beyond plain dictionary words (for example, by substituting numbers for letters) is safer; there are even password strength ‘barometers’ that will attest to this. Size and complexity do matter, but a substitution such as ‘3’ for ‘e’ is among the first rules any cracking tool applies, and there are other factors to consider.
For instance, what if a computer has been compromised by malware and is running a keylogger that captures a supposedly ‘complex’ password and beams it back to a hacker, along with the details of the service being logged into? Taking another example, what would happen if an online service provider (such as an online mail, game or social network service) isn’t taking adequate steps to protect its systems? Then the password could be stolen from the inside, and there have been many instances of this already.
Even presuming the provider stores only a hash of the password rather than the plaintext, a hacker holding a copy of the database can attack it offline at leisure: an unsalted fast hash such as MD5 or SHA-1 falls to precomputed rainbow tables or to GPU brute force, and only a per-user salt combined with a deliberately slow key derivation function makes that work expensive. And, if the user resorts to employing the same password for other online services, these too are at risk, and the result can be identity theft.
Additionally, the emergence of advanced persistent threats (APTs), which continuously target prominent individuals or enterprises, is taking password attacks further using online reconnaissance. People voluntarily place a wealth of data online, and this makes cracking much easier by shrinking the search space: a short list of names and dates lifted from a profile, expanded by a few substitution rules, replaces blind brute force. Social media sites are increasingly being used to mine password candidates, because people are predictable creatures and will often select the names of family members, memorable dates, or their favorite sports team.
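As an added example that is not part of the original article, the following Python script (standard library only; the ‘leaked’ records and the reconnaissance words are constructed for illustration) walks through the two points above: a precomputed lookup cracks unsalted hashes with no hashing at all at crack time, three words lifted from a profile and expanded by the same rules a cracking tool applies cover ‘complex’-looking passwords, and a per-user salt with a slow key derivation function forces every guess to be recomputed for every user.

```python
# Added example (not from the article): why an unsalted fast hash leaks
# passwords to an offline attacker, how reconnaissance shrinks the guess
# list, and why a per-user salt plus a slow KDF changes the economics.
# Standard library only; all "leaked" data below is constructed.
import hashlib
import hmac
import os

# Constructed sample leak: a provider that stored bare SHA-1 of the password.
LEAKED_UNSALTED = {
    "alice": hashlib.sha1(b"Summer2013!").hexdigest(),
    "bob": hashlib.sha1(b"manchester1").hexdigest(),
}

# Constructed reconnaissance: words an attacker might lift from social media
# (a season, a football club, a child's name).
RECON = ["summer", "manchester", "emma"]

LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}
SUFFIXES = ("", "1", "!", "123", "2013", "2013!")


def candidates(words):
    """Expand seed words the way a cracker's rule engine does: base word,
    capitalised, leet-substituted, each with common suffixes appended.
    Leet substitution is just another rule, so '5umm3r' costs no more
    than 'summer'."""
    for w in words:
        bases = [w, w.capitalize(), "".join(LEET.get(c, c) for c in w)]
        for b in dict.fromkeys(bases):  # dedupe while keeping order
            for suffix in SUFFIXES:
                yield b + suffix


def build_lookup_table(words):
    """Precompute hash -> plaintext once. This is the idea behind a rainbow
    table (minus its chain compression): the work is done before any leak
    and reused against every site that uses the same unsalted function."""
    return {hashlib.sha1(c.encode()).hexdigest(): c for c in candidates(words)}


def crack_unsalted(leaked, table):
    """One dictionary lookup per user; no hashing at crack time at all."""
    return {user: table[h] for user, h in leaked.items() if h in table}


def store_salted(password, iterations=200_000):
    """What the provider should have stored: a random per-user salt and a
    deliberately slow KDF. PBKDF2 is used because it ships in hashlib;
    bcrypt, scrypt or Argon2 are the usual production choices."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_salted(password, record):
    """Constant-time comparison of a freshly derived digest with the stored one."""
    salt, iterations, digest = record
    guess = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(guess, digest)


def crack_salted(record, words):
    """No precomputed table applies: every guess must be re-derived with
    this user's salt at the stored iteration count. Returns the password
    found (or None) and how many slow derivations it cost."""
    tried = 0
    for c in candidates(words):
        tried += 1
        if verify_salted(c, record):
            return c, tried
    return None, tried


if __name__ == "__main__":
    table = build_lookup_table(RECON)
    print("unsalted SHA-1 leak:", crack_unsalted(LEAKED_UNSALTED, table))
    rec = store_salted("manchester1")
    print("salted PBKDF2 record:", crack_salted(rec, RECON))
```

Note the asymmetry the script makes visible: the unsalted table is built once and answers every leak instantly, whereas the salted record costs the attacker one full key derivation per guess per user, and two users who chose the same password get different digests, so there is nothing to precompute. The iteration count is a tuning knob; the default here is illustrative and should be raised until verification takes a noticeable fraction of a second on the provider’s hardware.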
But it’s not just the social channels that make us vulnerable. Whenever we post online, purchase, contribute or comment, we are contributing to a ‘big data’ profile that the hacker can trawl through to mine information – information that can be used to gain access to personal accounts or to authenticate to the enterprise network.
Recent innovations in password management include automated password generators, but the complexity of the passwords they create can often lead to them being written down, leading to a physical security issue in its own right. We’ve also seen the emergence of password vaults that can bring definite security benefits, particularly to job roles such as the system administrator. However, this presents a single point of attack and a tempting target for the hacker.
Wherever possible, this vault of ‘crown jewels’ should be placed behind a separate host-based or network firewall that controls access from the general network, and it should be regularly patched, updated and given additional controls, such as anti-virus and intrusion detection or prevention.
The main alternatives to the password – often referred to as ‘something you know’ – are additional factors of authentication such as ‘something you have’ (e.g., a token or smart card) or ‘something you are’ (e.g., a part of the body, such as a fingerprint or iris). But deployment is limited, and issues still remain. If a user re-uses the PIN that unlocks a token or smart card as the password on a single-factor site, for example, then the additional factor is only as strong as the device’s physical security: once it is lost or stolen, the attacker already knows the PIN. One-time codes can also be phished, since a fake site can relay them to the real service while they are still valid.
There is no such thing as a totally secure authentication system, because there will always be a way, either technical or physical, to circumvent it. Recent efforts have made passwords so complex as to alienate the user, or have pooled them, making them a greater target. Add to this the proliferation of big data, which has further undermined password security. How many password-activated accounts does each of us have online? How many times do we sign in each day? How complex has remembering passwords become? How many similar passwords are being used for personal online services and also for work-related systems?
There has to be a better way. The use of passphrases that comprise whole sentences is a step in the right direction, helping the user remember the authentication code while making it harder to crack. But as an industry – both online service providers and security professionals – perhaps we need to move beyond the cave door and begin to think more imaginatively and collectively about authentication solutions.
Phil Robinson is a director at Digital Assurance, a vendor-independent UK-based security consultancy. Robinson is a recognized CESG CLAS consultant, a CITP (Chartered Information Technology Professional), a Chartered Engineer (CEng), an ISO27001 auditor, and an OSSTMM 3.0 professional security trainer. He is also a Founder Associate Member of the Institute of Information Security Professionals.