BreachExchange mailing list archives

Why bad passwords aren't the problem - it's the people who make them
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 17 Mar 2015 19:52:33 -0600

http://www.information-age.com/technology/security/123459178/why-bad-passwords-arent-problem-its-people-who-make-them

Passwords. For all the talk about two-factor and multi-factor
authentication, and the mainstream adoption of biometrics, passwords are not
going away. Whilst there are more secure alternatives and other
authentication methods that can be used alongside the humble password, like
it or not, the password is going to be around for a long time to come. More
focus is needed on how to make passwords 'work.' For the vast majority of
applications, they're all we've got.

The truth is there’s nothing wrong with passwords. The problem is people.
Users select passwords that are too simple, too short and too predictable.

Analysing actual passwords published from large-scale attacks (including
Sony and LinkedIn) shows that more than 50% are fewer than 8 characters, 50%
contain only numbers or only letters, and only about 1% contain a
non-alphanumeric character.

Cracking more than 80% of user-selected passwords is relatively easy, even
if they’re hashed in a database when stored. Even if salted and hashed, a
high percentage will still be susceptible to brute force attack; the time
needed to obtain the passwords becomes purely a function of the compute
power available to the hacker.

To make things worse (for themselves), users reuse the same passwords
across different systems and services. Attackers who gain access to one
service can then sign in freely to email, social media, online shopping and
even mobile phone and bank accounts.

Despite attempts to educate people on the importance of using even
relatively long, complex, random unique strings, they don’t. And they
rarely change them.

So what if we could improve the way in which passwords are implemented and
take responsibility for selecting and changing them regularly away from the
user entirely? Security – and the user experience – would be improved
significantly.

Password management solutions are not new and fall broadly into two
categories:

Consumer password managers that help individuals create, store and recall
passwords, but still rely on the user to change them regularly. Users still
know what their passwords to systems and services are.

SSO solutions that cater to the needs of enterprises and the applications
they use. Whilst SSO solutions cover major business applications that
support federated identity standards, they often don’t support the
thousands of non-standard, smaller web applications.

If an SSO solution can automate the selection and changing of passwords –
and ensure that passwords are not only as long and strong as the
applications will support but also unique across all accounts - then the
inherent human weakness is minimised or eliminated.

This moves passwords closer to the tokens and assertions that are used in
federated identity and authentication standards, including SAML and
WS-Federation. Pre-defined trust between the identity provider and service
provider, typically based on a shared certificate, is mimicked by either
having the user enter their current (initial) password so that the SSO
solution can subsequently change it, or the SSO solution may provision the
account and set the password from the outset.
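The automated selection and rotation the article argues for, as an added example that is not part of the original post or of any vendor's product: a minimal vault that generates the longest password each application accepts from OS entropy, checks that every permitted character class is present, guarantees the password is not in use on any other account, and flags credentials older than the rotation interval. The application policies and dates are constructed for the example.

```python
import secrets
import string
from datetime import date

# Constructed per-application policies: the longest password each application
# accepts and the character classes it allows (a real SSO tool would load these).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!#$%&*+-=?@^_~",
}
POLICIES = {
    "crm-web":    {"max_len": 64, "classes": ("lower", "upper", "digit", "symbol")},
    "legacy-erp": {"max_len": 12, "classes": ("lower", "upper", "digit")},
}
_rng = secrets.SystemRandom()  # OS entropy, never the default PRNG

def generate_password(policy):
    """Longest password the application allows, with every permitted class present."""
    classes = policy["classes"]
    if policy["max_len"] < len(classes):
        raise ValueError("max_len too short to cover every required class")
    alphabet = "".join(CLASSES[c] for c in classes)
    chars = [_rng.choice(CLASSES[c]) for c in classes]          # one of each class
    chars += [_rng.choice(alphabet) for _ in range(policy["max_len"] - len(chars))]
    _rng.shuffle(chars)                                          # hide the fixed prefix
    return "".join(chars)

def meets_policy(password, policy):
    """Check the length and that only, and all of, the allowed classes appear."""
    allowed = "".join(CLASSES[c] for c in policy["classes"])
    return (len(password) == policy["max_len"]
            and all(ch in allowed for ch in password)
            and all(any(ch in CLASSES[c] for ch in password) for c in policy["classes"]))

def rotate(vault, account, app, today_iso):
    """Set a fresh password that is unique across the whole vault and record the change date."""
    in_use = {entry["password"] for entry in vault.values()}
    while True:
        candidate = generate_password(POLICIES[app])
        if candidate not in in_use:                              # no reuse across accounts
            break
    vault[account] = {"app": app, "password": candidate, "changed": today_iso}
    return candidate

def due_for_rotation(vault, today_iso, max_age_days=30):
    """Accounts whose password is older than the rotation interval (ISO dates)."""
    today = date.fromisoformat(today_iso)
    return sorted(a for a, e in vault.items()
                  if (today - date.fromisoformat(e["changed"])).days > max_age_days)
```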

There is a secondary benefit to improving the strength and uniqueness of
credentials on individual user accounts.

A significant percentage of large-scale breaches share something in common.
According to the Verizon 2014 Data Breach Investigations Report (DBIR),
two-thirds of breaches exploit weak or stolen passwords - compared to 76%
in 2013 (perhaps education is starting to have an effect after all).

The attack on JP Morgan affecting 75 million customer accounts started with
the compromise of an employee’s username and password for a 'web
development server.' In the now well-documented anatomy of an attack, once
initial access had been gained, the attackers escalated privilege,
obtaining credentials to further administrative accounts to eventually
effect the large scale theft.

If automated password management had been applied to these administrative
accounts, then the passwords would have been stronger and taken longer to
obtain, with a higher likelihood that they would have been changed before
being used. Likewise, if customer account passwords were also
auto-generated, unique and changed frequently, their value to hackers would
have been lower.

The risk of experiencing a data breach is now higher than ever. Removing
human interaction with passwords and automating their selection and change
is a major step forward on several levels. It protects the individual by
ensuring that when the next large scale breach occurs the password stolen
is unique and not reused across multiple services and – if applied to
internal accounts on internal systems – may slow down the attacker and even
prevent the breach from happening at all.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss