PASSWORDS is Everything That is Wrong with Security

Can System Be Manipulated...

We Are Due For Disruption In Passwords

Passwords are broken. It’s not the technical implementation or the business requirements --- it’s the whole concept. It was Fernando Corbató who created the concept of the password in the 1960s. Startups have been talking about “disruptive technology”. It changes the way things are done in a given market and can be taken as a form of a new technology taking the place of an existing one, or a similar product that operates in a unique way which can bring huge returns for companies.

2

The Server Side Problem: As security professionals, this is what we talk about most. How do we accept passwords, encrypt them in our databases, and prevent other people from stealing them? At Cigital, we have devoted everything from blog posts to a computer based training course on how to secure passwords. It’s hard to do and even if you do it right, it’s only half the problem.

3

The Client Side is the polite way to say humans. You see, good passwords are hard to remember. Since they are hard to remember, they’re likely to be written down and/or reused on multiple systems. If one person doesn’t get the Server Side Problem right, the attacker finds the password on another system and reuses it on yours.

The Client Side Problem

Back to the starting point, this method is dated. We’re asking users to do the impossible. We have hundreds of passwords in Lastpass. In 1964, when passwords were created, there were about 20,000 computers in the world. For sure the creators of the password didn’t think of a use-case for having to create and remember 100 passwords per person.

Passwords isn’t about good training or beating people into submission. It’s about being reasonable. And today, passwords are no longer reasonable.

4

The problem is that we’re not thinking about fixing the password problem. When a company decides to create a new application, they don’t think about whether to use passwords or try something else. (Caveat for companies that use single sign on or OAuth to authenticate against other systems which use passwords.)

The Assumption Problem

Business Analysts aren’t typically tasked with finding new and easier ways to have their users authenticate. We make an assumption that one of the currently accepted standards will be used. While we may improve the backend security over time, we’re doing almost nothing to improve the human element.

In fact in the name of security, we often make it harder for a user to create and remember passwords by adding upper, lower, numbers, special characters and continually increasing the length of the password.

5

A Way ForwardYou will be impressed by what Yahoo Mail did when they decided to get rid of passwords.

If you read carefully, all that Yahoo has done is removed the password and instead uses a token — similar to the Google Authenticator or Duo Key. Note that while Google has the same technology, they still require you to enter a password in first and then enter in the token.

In the world of authentication, we break it down into three categories:

➢ Something you know: a password, your mother’s maiden name.➢ Something you have: your phone, a token.➢ Something you are: a fingerprint, iris scan.

6

● Something you know: a password, your mother’s maiden name.● Something you have: your phone, a token.● Something you are: a fingerprint, iris scan.

When you pick from two in the list, we call it two-factor authentication. When we talk about passwords, we’re talking about something you know. Yahoo has swapped out something you know with something you have (the app running on your phone). While we’ve reduced the risk that someone will steal my password and login as me, we have increased the risk that someone can pick up my phone and use my authenticator app.

7

Passwords Need To Evolve

Password breaches affect thousands if not millions of users while stealing someone’s phone affects one user.

It is not suggested that this is the way every organization should go. It is merely implied that we should rethink our assumptions around passwords. For many industries, this won’t be easy. Regulators are very comfortable with passwords (even though they probably shouldn’t be). Chief Risk Officers and Internal Auditors likely aren’t excited about this type of change.

Passwords need to evolve. Until we as an industry help the evolution, we will stuck with 100s of passwords to remember… or one because we re-use it everywhere.

8

Jay Schulman is an Information Security Consultant living in Chicago who loves to talk and write. He is currently working at Cigital and has 17 years of experience in information security. Join him in his weekly podcast as he discusses on how to Build A Life and Career in Security.

9

Subscribe To How To Grow Your Security Career

Watch The 14 Best Videos To Grow Your Security Career

Got Questions? Get Support!