Putting passwords out to pasture: Identity behaviour vs. identity authentication

Dominic Vogel writes that relying on passwords, strong or otherwise, is an outdated security practice. What's the next step?

Since the dawn of distributed information systems, username/password combinations have acted as the primary security mechanism. Twenty-plus years ago, when systems were not widely accessible remotely and the term "advanced persistent threat" referred only to acid reflux, passwords were highly effective. Authenticating a user's identity was easy to prove. Today, however, with high system complexity and a dizzying array of interconnected systems seemingly accessible anytime, anywhere, relying equally on passwords to protect systems of varying criticality (from your fantasy baseball team to your company's remote access site) seems like a strange dichotomy. Authenticating a user's identity can no longer be done with a high degree of certainty. As information systems evolved rapidly over the past two decades, the corresponding security mechanisms failed to keep pace. Instead, the use of passwords became so ingrained in modern society that the average individual needs to keep track of five to seven different passwords.

The security cognoscenti have long preached the importance of having long (12+ characters) and complex (uppercase letters, symbols, and numbers) passwords and of not reusing passwords across different platforms. While in theory this is good advice, in practice it is severely flawed. It is human nature to take the path of least resistance, especially when the more difficult alternative provides little incentive. Hence, many people will use the same basic password for their Facebook account as they do for the corporate business account. Can you recall five completely unique complex passwords? I'm relatively certain the average person can't (I can barely remember my shoe size). Yes, there are tools to alleviate having to remember multiple passwords (automated password managers like KeePass), and modifications such as using passphrases rather than passwords that are easier for the brain to recall. However, this only makes it easier for people to remember; it does nothing to address the underlying weaknesses of password security.

Even password best practices can be easily thwarted

For argument's sake, let's assume that every person magically uses lengthy and complex passwords (I doubt that even Harry Potter could conjure up a spell to make that happen). What about social engineering such as phishing? What about malware that uses keyloggers to capture keystrokes? Even with the assumption that every person follows password best practices, it is far too easy for a username/password to be captured or found by a malicious outsider. All the energy that security professionals put into blaming users for failing to abide by their password standards is for naught, as a long and complex password does nothing against those threats.

What about multi-factor authentication? Surely that is the salvation that will extend the life of passwords (alas, it is not). Multi-factor authentication is purely a tactical move that forces cybercriminals to shift tactics (hardly a checkmate kind of move). Given that cybercriminals are highly motivated and agile, it was only a matter of time before multi-factor authentication controls were compromised. Well-respected security expert Bruce Schneier notes that "attackers would get around multi-factor authentication systems with tools that attack the transactions in real time: man-in-the-middle attacks and Trojan attacks against the client endpoint." Schneier was right, as Man in the Browser (MitB) attacks eventually surfaced. This is malware that lives in the web browser and wedges itself between the user and the website. It is capable of altering what the user sees and changing the details of what is actually entered into the system.

Move beyond passwords

Passwords are no longer an effective security control; in fact, they are a major liability. We are at a tipping point where it is time for a seismic strategic shift in how we view the security front lines. Instead of hopelessly attempting to authenticate the user's identity, why not focus our efforts on identifying the behaviour of each user? The credit card industry has invested greatly in this security model with resounding success. They realized that the card holder (or the "user") was not best suited to mitigate the risk associated with their account. By investing heavily in behavioural fraud detection systems, credit card companies focused on creating a baseline of the expected behaviour of each user. Transactions that seemed out of character for a particular user would be prevented from going through or would warrant an out-of-band check. Such fraud detection systems could be applied in any corporate environment. Every employee carries out specific and expected tasks on a regular basis. Irregular activities, such as emailing the company's customer data list to an unexpected address or covertly sending intellectual property over an encrypted channel to a server in Ukraine, would be flagged as suspicious and could consequently be prevented and investigated.
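The baseline-and-flag model described above, reduced to working code. This is an added example, not code from the article or from any vendor's product: it learns, per user, the destinations, working-hour window and transfer sizes seen in a constructed history, then maps the number of anomalies in a new event to the article's three outcomes (allow, out-of-band check, block). The event fields, the z-score threshold and the decision thresholds are all assumptions chosen for illustration.

```python
"""Per-user behavioural baseline with anomaly flagging (added example).

Every event, threshold and user below is constructed for illustration; a real
deployment would learn from months of logs and tune the thresholds carefully.
"""
from collections import defaultdict
from dataclasses import dataclass
import statistics

# Constructed thresholds: a transfer more than this many standard deviations
# above the user's mean counts as a volume anomaly.
Z_THRESHOLD = 3.0


@dataclass(frozen=True)
class Event:
    user: str
    action: str   # e.g. "email", "upload"
    dest: str     # recipient domain or destination host
    nbytes: int   # size of the transfer in bytes
    hour: int     # local hour of day, 0-23


class UserBaseline:
    """Learns, per user, the destinations, hour window and sizes seen historically."""

    def __init__(self, history):
        self.dests = defaultdict(set)
        self.window = {}               # user -> (earliest hour, latest hour)
        self.sizes = defaultdict(list)
        for ev in history:
            self.dests[ev.user].add(ev.dest)
            lo, hi = self.window.get(ev.user, (ev.hour, ev.hour))
            self.window[ev.user] = (min(lo, ev.hour), max(hi, ev.hour))
            self.sizes[ev.user].append(ev.nbytes)

    def reasons(self, ev):
        """Return the list of ways this event departs from the user's baseline."""
        if ev.user not in self.sizes:
            return ["no baseline for user"]
        out = []
        if ev.dest not in self.dests[ev.user]:
            out.append("destination never used by this user")
        lo, hi = self.window[ev.user]
        if not lo <= ev.hour <= hi:
            out.append("activity outside the user's usual hours")
        sizes = self.sizes[ev.user]
        if len(sizes) >= 2:
            mean, sd = statistics.mean(sizes), statistics.pstdev(sizes)
            if sd > 0 and (ev.nbytes - mean) / sd > Z_THRESHOLD:
                out.append("transfer volume far above the user's norm")
        return out


def decide(baseline, ev):
    """Map the anomaly count to allow / verify (out-of-band check) / block."""
    found = baseline.reasons(ev)
    if not found:
        return "allow", found
    if len(found) == 1:
        return "verify", found   # e.g. confirm with the user via another channel
    return "block", found


# Constructed history: alice mails modest attachments to two known domains
# during office hours.
HISTORY = [
    Event("alice", "email", "corp.example", 40_000, 9),
    Event("alice", "email", "partner.example", 50_000, 11),
    Event("alice", "email", "corp.example", 60_000, 14),
    Event("alice", "email", "partner.example", 45_000, 16),
    Event("alice", "email", "corp.example", 55_000, 17),
]
BASELINE = UserBaseline(HISTORY)

if __name__ == "__main__":
    probes = [
        Event("alice", "email", "partner.example", 52_000, 10),       # routine
        Event("alice", "email", "newvendor.example", 52_000, 10),     # one oddity
        Event("alice", "email", "unknown-mail.example", 5_000_000, 23),  # customer list at night
        Event("bob", "email", "corp.example", 1_000, 9),              # never seen before
    ]
    for ev in probes:
        print(f"{ev.user:6} -> {decide(BASELINE, ev)}")
```

The single-anomaly case is deliberately routed to an out-of-band check rather than a block: a new vendor domain during office hours is exactly the kind of legitimate change that would generate false positives if blocked outright, while the combination of an unknown destination, off-hours activity and a volume spike is the pattern the article describes flagging.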

Passwords have served us well; however, it is time to begin focusing on expected behaviour and building appropriate user baselines so we can lessen our reliance on an outdated security measure. Further investment in tools such as data leakage prevention would lead to the next generation of corporate fraud behaviour technologies. Tactical changes (such as multi-factor authentication) will not allow for sustained success against cybercriminals (they have shown that they are very adept at quickly altering tactics). A major strategic change is required, one that will shift the balance of power to the defenders. This is not a simple change; there are 20+ years of inertia and system norms to overcome. Passwords have become so entrenched as the de facto security standard that it will take a major culture change within the security industry and the world at large to complete such an undertaking. Needless to say, it would take a lot of time and effort. The alternative? Playing a game of cat-and-mouse that can never end.

About

Dominic Vogel is currently a security analyst for a financial institution in beautiful Vancouver, British Columbia.

19 comments
Z-eu

Wow..... Just simply wow to the ignorance of some people that make public postings. If you are uninformed on a subject there is no problem with this, but to then make a post on a website visited by millions, on a subject you clearly know nothing about, is just worrying! Having worked in the finance industry, I can tell you right now that BILLIONS of pounds/dollars/whatever is lost every MONTH because behavioural patterns are (1) Easy to forge/copy, (2) It rarely prevents, and is actually reactive, rather than proactive, to historic actions. (3) Users in work places often do their job the "proper way" for 6 months, until they know the system of their job, then they find shortcuts. (4) Why would you REPLACE passwords with Behavioral ID (BID)? It should surely be in addition to it! (5) When you launch a new application, or provide a new technology to the user, which results in them changing, will you fund the millions of currency it costs to install a predicted BID for the expected usage of that new resource? (6) Simply using sufficient encryption on drives, communications, and anywhere else applicable, + a solid pass phrase rather than passwords, should be enough to reduce most attacks; in a corporate environment proper administration of locking down users so new addons and apps can not be installed + firewall + A/V and IPS, and so on, provide enough options for a capable admin to do their work. It then falls to the users to be somewhat careful in life, and failure to do so should result in punishment.

david.hunt

The behaviour based model seems fundamentally flawed when applied against computer resource access. By definition, the system has to have some behaviour to monitor to establish the identity. Suppose it was possible, and I don't think it is in the real world. If you had a bunch of people, say in a call centre. Their behaviour is all very similar, so having assumed someone else's identity, how long will the system take to lock me out. I then just use another identity and keep stealing information or performing transactions that would be normal for the call centre operators... Now look at the SysAdmin scenario... What pattern?... they do all manner of things randomly, as the tasks require, even accessing other's data when required. What is abnormal behaviour and how much damage can be done before the behavioural system thinks there's something fishy going on? Naaah. This is the sort of stuff that people like to put on overhead projector slides, and the argument sounds good, but don't try thinking about the practicalities.

DonSMau

Behavioral rules are all well and good but will be difficult to apply across all activities in an enterprise. I would have thought a more appropriate next step would be more tightly applying the principle of least privilege. If all accounts are prevented from doing anything other than that which they are meant to do, the organisation's exposure to data leakage is minimised with minimum effort. Behavioral semantics can then be more tightly and effectively focused.

gsalomon

Interesting, I teach Security/Forensics classes at a local college. It is almost like reading my notes when viewing these entries. It is cat and mouse my friends. And the one with the most cheese ($$$$) to build the walls or break them down, wins. Guido

JCitizen

I'm not a fan of it, but that will make it cheaper for everyone to implement. I'm afraid this will just extend the expense and failure of password based technology - hopefully it will at least slow the criminals down a bit, until something smarter and cheaper comes along. Personally, I like Passwindow mixed with Magneprint. That would be a killer combo in my best estimation.

jwesleycooper

In theory, this sounds like a good idea, but the real question is whether or not replacing passwords (or combining them) with advanced behavioral security systems in an actual applied environment will offer a great enough increase in data security to offset any loss in productivity, flexibility, fiscal cost, etc. to be worth implementing in most corporate workplaces. Also, I've seen firsthand how, especially in smaller operations, users may very well have to do things outside their normal scope of job operations, e.g. someone calls in sick, is on vacation, etc. Finally, what about when someone changes positions and thus duties/shifts? How will such a system deal with it? Must their behavioral pattern set be reset, overridden, or perhaps re-written by a system admin? Each of those possible and necessary resolutions creates a different security hole which an attacker could possibly take advantage of, at least for a time.

dave the IT guy

The biggest problem with secure authentication is still the average user - who could not care less about their corporate password's security. They will likely care much more about passwords they use on banking and sale/auction/payment sites. Trying to impose stricter and more complex rules for passwords will only succeed in people finding more ingenious ways to get around them. Until corporate security matters to end users (and good luck with that) there needs to be some other system to protect corporate data. The behavioral thing that banks use could potentially work - except for a person who travels regularly and does not have a "normal pattern" of behavior.

kismert

Thanks for acknowledging the obvious and pointing out the flaws of password-based security. Your analysis of the problems is spot-on. But behavioral-based security is by definition leaky. While it is a good containment strategy, credit card companies still must bear the financial loss for fraud on behalf of the consumer. Few companies would buy into a security scheme where leaks are certain, without a similar guarantor willing to compensate them for their losses.

tommy

While I can see that there's a clear problem with the user name/password model for account access, how many companies have the resources available to match the banks with behavioural authentication methods of fraud detection? Very few, I would think. I can't fault it as a system ideal, but it's as impractical for most companies to put in place as it would be for individuals to remember 256 character, multi-faceted passwords. As a manager of accounts on a business system, the biggest problem I have account-wise is not, directly anyway, a problem with the user name / password model. It's that people don't use it properly. In these modern times, if people are idiot enough to use 'password' as their password for all of their account related access then they've only got themselves to blame when accounts get hacked. I'm gobsmacked at the number of our employees that do, however. Or did, I should say. Having seen this behavioural trait, I've put measures in place to make sure that's not possible any more on our systems, but the fact that people would if I let them is indicative of the wider issue. As a collection of supposedly smart people, the majority still don't see password driven account access as being under any sort of threat. We don't need sophisticated, expensive systems to help that situation. People simply need a better understanding of the consequences of using poor passwords, and using the same password on multiple sites. It won't resolve the problem, but it would help enormously.

donavonknight

Without passwords as authentication we move on to more and more private information. How many people would honestly be willing to scan their eyes, hands or DNA to log on to Facebook? If people are convinced to give up more of their private information, it will only be a matter of time before someone finds a way around the new security in place. Databases are hacked every day and information is lost. Access is an issue, but limiting what people can do with that access may be more important. If you just log into your bank account to check the balance and look for lost receipts, then you do not need bill pay for a hacker to steal your money.

chip

Your "Takeaway" is not a "Takeaway"... it is a tease. Takeaways don't end with a question mark. Give me the bottom line in the takeaway and quit worrying so much about clickthroughs. Please, quit wasting my time.

SDTAYLOR122

Passwords cannot be eliminated based on behavioral patterns. Patterns of behavior have long been proposed for intrusion detection (e.g. employeeA should not have been at work at the time of that login record). To use them for analysis of "bad" behavior is also an old idea: forensics. However, none of that makes a case for eliminating the use of passwords.

bboyd

Sorry, but behavioral ID misses the most basic issues with security. As a backup and qualifier to good security practices it is very useful. When a credit card company gets a behavioral hit, they then use an authentication factor (phone call, Something They Know) to verify personal information (Something I Know), then they reissue the credit card (Something I Have) if I flag the transaction as fraudulent. Looks like multiple factor authentication to me. In fact the behavioral system only leads to changing the factors on the user end to mitigate the intrusion. Let's use the behavioral example for WoW: no need for password or session token generation, right? Think your average person is okay if their character is used to do things they normally do, like chat, but the normal is a massive derogatory rant destroying the person's credibility in his local community (at least temporarily). Extended to any forum, say TR, and we have social networking chaos. Location data is not okay; it's a something you have that is easily forged. Never mind those people who use anonymizing proxies. Saying multiple factor authentication is not beneficial is disingenuous. If you have many long passwords, why not use a password manager? One strong password to secure a list of passwords. Until biometric systems are widespread, it's on passwords that general verification hinges.

RU7

I am pretty sure there are people who would look at the account access setup you use and say, "How could anyone be that ignorant to use such a simplistic system." There are people who can remember dozens of pseudo-random 64-character password strings. So, why not use them and require their re-generation with every successful access? The right way would be that the system is where the smarts have to be. A 5-year-old on-line would be much less computer, i.e., password, savvy than most adults, but should be no less secure. What we really need is access control systems that do not depend on the user having extensive computer security knowledge or an extraordinary memory.

belli_bettens

Your comment doesn't really contribute to the knowledge of this article, nor does it question its contents. Please, quit wasting my time.

apotheon

You beat me to it on basically every point I was going to make, with the exception of this: Keyloggers and social engineering are not reasons to avoid using passwords. They're reasons to think before you act. They're reasons to know something about how to secure your computing environment, intelligently, and to avoid circumventing the security protections that environment provides. Period. The whole article was absurd, and pretty typical. As I said in another TR article, "Don't Be Fooled By The Argument Against Unique Passwords" [1]:

QUOTE: These days it seems like every time we turn around someone has written another article that gives "security" advice directly contradicting actual secure practice:
QUOTE: * Don't use strong passwords! Just use whatever you'll remember!
QUOTE: * It's okay to use one password for everything as long as it's a strong one!
QUOTE: * You don't have to use a strong password as long as it's uncommon!

It's usually someone who has just barely learned enough about security to be dangerous, and has sometimes just barely learned enough about some other technology he or she thinks can make passwords obsolete to assume he or she understands it without, y'know, actually understanding it. That's exactly what has happened here, of course -- behavioral profiling is no silver bullet and, as you pointed out bboyd, is only suitable as an enhancement to the security provided by common multifactor authentication methods (and not as a replacement for them). The problem with passwords is merely one of education and UI, and not endemic to passwords themselves at all. I have written about "How To Get People To Use Strong Passwords" [2] here at TR as well, and about how to get people to care enough to actually employ their brains with regard to security in "Like Passwords For Chocolate, Coming Soon To A Security Theater Near You" [3].

In that latter case, I made the point that:

QUOTE: The biggest problem with password security today is not that they are too long and too hard to remember. In fact, "How to get people to use strong passwords" [2] explains how we can neatly defuse that little issue. It is not that password policies are often abysmally bad, as in the case described in "How does bad password policy like this even happen?" [4], though that definitely is a problem. It is not even the way bad security advice masquerades as common sense for people who lack an understanding of how to solve both of those issues, a growing epidemic identified in "Don't be fooled by the argument against unique passwords" [1].
QUOTE: The biggest problem with password security today is simple:
QUOTE: Nobody cares.

You need to do three things to make sure people's data, finances, and other digitally-exposed resources are secure: 1. Educate them. 2. Get them invested. 3. Give them control. Part of both points 2 and 3 is making things easy. That's where selling people on password managers first and foremost, rather than the passwords themselves, comes in.

---
NOTES:
1. http://blogs.techrepublic.com.com/security/?p=4739
2. http://blogs.techrepublic.com.com/security/?p=5366
3. http://blogs.techrepublic.com.com/security/?p=5368
4. http://blogs.techrepublic.com.com/security/?p=528

apotheon

It might contribute to the future value of writing at TR, if anyone is listening. This comment by "chip" is something I'll keep in mind in the future, writing for other venues.

Jordon

Since when has "Comments" been defined as a receptacle for contributory knowledge? A comment is nothing more than a comment. And FWIW, his comment does nothing BUT question the article's content.

SkyNET32

"Keyloggers and social engineering are not reasons to avoid using passwords". Also, I think behavioral systems are better suited to the corporate environment than the common home user. Yes, phishing is a problem in both worlds, but a behavior system would probably be more effective in the corporate environment, as Dominic states, since employees can have specific roles. But even then it's only as effective if they in fact stick to those roles; the general user (as in the example of the credit card user) tends to change their behavior more often than not, regardless of what research the card companies state; I tend to think their research is dated too. Employees can very well change their behavior as well, even unintentionally. It may be worth it to utilize both models (password systems and behavioral systems) and not just do away with password systems? Bah.... What do I know.... :(