
Security beyond passwords: What's next?

Patrick Lambert looks at the rash of stolen password exploits and how websites are trying to move beyond passwords only as a security check.

We've talked a lot about passwords, and they have been in the news constantly in the past couple of weeks. First there was the LinkedIn incident, in which over 6 million LinkedIn password hashes were leaked, stored as unsalted SHA-1. Because they were unsalted, every account that used a common password shared exactly the same hash, so one pass over a wordlist (or a precomputed table) recovered all of the basic ones at once; and because SHA-1 is a fast hash, most passwords of nine characters or less could be cracked inside a few hours. Then the same story repeated itself at Last.fm and the popular dating site eHarmony. In each case we see what happens when an attacker gets hold of one of the most sensitive databases a company holds on behalf of its users: the account names and passwords. These are large, well-resourced sites, so it really can happen to anyone. Even a user who never loses their credentials to malware or brute force can lose them, with no warning, when the company itself is compromised through a security vulnerability. That's why many security experts have been pushing companies and sites to move beyond simple passwords.
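To make the "unsalted means one pass cracks everyone" point concrete, here is an added example (not code from the original article, and not modelled on any real dump; the users, passwords and wordlist are constructed). It builds a small password table twice, once as plain SHA-1 the way the leaked LinkedIn hashes were stored and once with a per-user random salt and a deliberately slow KDF (PBKDF2-HMAC-SHA256), then runs the same wordlist attack against both and counts how much hashing the attacker has to do:

```python
import hashlib
import os

# Constructed sample data for the demonstration: not taken from any real breach.
USERS = {
    "alice": "password1",
    "bob": "letmein",
    "carol": "password1",      # same password as alice
    "dave": "Tr0ub4dor&3",     # not in the attacker's wordlist
}

# Small constructed wordlist of the kind an attacker tries first.
WORDLIST = ["123456", "password", "password1", "letmein", "qwerty", "linkedin"]


def unsalted_sha1(password):
    """How the leaked LinkedIn hashes were stored: a bare SHA-1 of the password."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_slow_hash(password, salt, iterations=10_000):
    """Per-user random salt plus a slow KDF; each guess costs the attacker `iterations` HMACs."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def build_unsalted_dump():
    """Simulate the leaked table: username -> unsalted hash."""
    return {user: unsalted_sha1(pw) for user, pw in USERS.items()}


def build_salted_dump():
    """Simulate a properly stored table: username -> (salt, salted hash)."""
    dump = {}
    for user, pw in USERS.items():
        salt = os.urandom(16)
        dump[user] = (salt, salted_slow_hash(pw, salt))
    return dump


def crack_unsalted(dump, wordlist):
    """One pass over the wordlist builds a lookup table; every account is then a dict lookup.
    Returns (cracked accounts, number of hashes the attacker computed)."""
    table = {unsalted_sha1(w): w for w in wordlist}
    cracked = {user: table[h] for user, h in dump.items() if h in table}
    return cracked, len(wordlist)


def crack_salted(dump, wordlist):
    """With a per-user salt no table can be shared: every candidate is rehashed per account."""
    cracked = {}
    hashes_computed = 0
    for user, (salt, h) in dump.items():
        for w in wordlist:
            hashes_computed += 1
            if salted_slow_hash(w, salt) == h:
                cracked[user] = w
                break
    return cracked, hashes_computed


def users_sharing_a_hash(dump):
    """Unsalted storage leaks which users share a password even before anything is cracked."""
    by_hash = {}
    for user, value in dump.items():
        h = value if isinstance(value, str) else value[1]
        by_hash.setdefault(h, []).append(user)
    return [sorted(users) for users in by_hash.values() if len(users) > 1]


if __name__ == "__main__":
    plain, salted = build_unsalted_dump(), build_salted_dump()
    print("duplicate hashes, unsalted:", users_sharing_a_hash(plain))   # [['alice', 'carol']]
    print("duplicate hashes, salted:  ", users_sharing_a_hash(salted))  # []
    print("unsalted:", crack_unsalted(plain, WORDLIST))
    print("salted:  ", crack_salted(salted, WORDLIST))
```

The unsalted attack computes exactly one hash per wordlist entry no matter how many accounts are in the dump, which is why a six-million-row leak falls in hours; the salted version multiplies the work by the number of accounts and, with a slow KDF, by the iteration count as well. Salting does not rescue a user whose password is in the wordlist, but it stops the attacker from cracking the whole database for the price of cracking one row.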

Let's face it, user names and passwords are a crappy way to deal with account security. We're relying on every single user to remember an obscure string of letters and numbers in order to log in. There are so many potential problems with this that it's no surprise we've had so many breaches in the past few years. Users forget their passwords, so every site needs a password recovery link; passwords are often weak, so they can be brute forced; and the moment the secret string gets out into the wild it's already too late, and users are left scrambling to change it before their accounts are used for some nefarious purpose. Even sites that think they are doing everything right can be wrong, because the bad guys always go for the weakest link and all they need is one hole: a weak password recovery tool, a phishing campaign that plants malware on users' computers, or a soft spot in the company network through which the master database can be stolen. So it's clear that the time has come to move to other models.

Rely on a third party

One model is to use a third-party authentication service. A lot of sites don't want to bother with accounts at all, or with the hassle of securing a local password database, so they rely on things like Facebook or Twitter logins. This has a number of advantages: you hand the security problem to a much bigger and most likely better-defended site, and users can log in without creating yet another account for your site. There is also a big disadvantage in that you don't control those accounts and depend completely on the third party. They are happy to provide the service today, but they can cut you off at any time and take no responsibility if they are breached; and a user whose Facebook or Twitter account is compromised has now lost every site they log into with it. This is a convenience that many sites adopt, but from a security standpoint it's debatable whether the benefits outweigh the disadvantages.

Two-factor authentication

Instead, a much more secure way to deal with passwords is to add a two-factor authentication system. Perhaps the best known is Google, which rolled out its 2-step verification to all accounts in 2011. Now a lot of sites use the same model: they provide either a physical token or a smartphone app, and users produce a fresh one-time code every time they log in. It is a bit more inconvenient for users, but as most security researchers know, security and convenience usually pull in opposite directions. The benefit of two-factor authentication is very clear: nobody can get into your account just by obtaining your password, unless they also somehow get hold of your phone (or the secret seed stored on it). You may think that building a token scheme or a smartphone app is not worth it for a smaller site, but it's actually much simpler than that. Most people don't realize that Google Authenticator, an app available for all major smartphones, was released as open source and implements the open HOTP (RFC 4226) and TOTP (RFC 6238) standards, so any site can issue its own secret and have the app generate codes for it. There is demo code out there showing that you can build your own two-factor login on top of Google Authenticator in just a few minutes.
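What "a few minutes" actually involves, as an added example that is not code from the original article or from Google: the server side of a Google Authenticator-compatible login in pure Python (standard library only). It implements HOTP and TOTP as specified in RFC 4226 and RFC 6238, verifies a submitted code with a small clock-skew window using a constant-time comparison, and builds the `otpauth://` provisioning URI that the app reads from a QR code. The secret used below is the test-vector key from those RFCs, not a real credential; `ExampleCorp` and `alice@example.com` are placeholder names.

```python
import base64
import hashlib
import hmac
import struct
import time
import urllib.parse

# The published test-vector key from RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
# A real deployment generates a random secret per user, e.g. os.urandom(20), and stores it
# as carefully as a password hash.
RFC_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at, step=30, digits=6):
    """RFC 6238: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, at // step, digits)


def verify_totp(secret, submitted, at, window=1, step=30):
    """Accept the code for the current time step and +/- `window` steps to tolerate clock skew.
    hmac.compare_digest avoids leaking how many leading digits matched via timing."""
    counter = at // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c), submitted):
            return True
    return False


def provisioning_uri(secret, account, issuer):
    """The otpauth:// URI Google Authenticator expects in the enrolment QR code.
    The secret is base32-encoded without '=' padding; SHA1/6 digits/30 s are the app's defaults."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = urllib.parse.quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}"
            f"&issuer={urllib.parse.quote(issuer)}&algorithm=SHA1&digits=6&period=30")


if __name__ == "__main__":
    print(provisioning_uri(RFC_SECRET, "alice@example.com", "ExampleCorp"))
    now = int(time.time())
    code = totp(RFC_SECRET, now)
    print("current code:", code, "accepted:", verify_totp(RFC_SECRET, code, now))
```

Two things the demo leaves to the deployment: rate-limit verification attempts (a six-digit code with a three-step window is only about one chance in 333,000 per guess, which is plenty against an unthrottled endpoint), and remember the last counter value accepted for each user so that a code cannot be replayed within its window.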

Of course, like anything else in security, don't assume that any one system is fully secure and that you will never have to worry about it again. Just recently, someone found a way around Google's two-factor authentication to get into a company. As a company executive explained it, the attacker went after the phone company and had the administrator's voicemail redirected to his own number, so that he could have Google send a recovery code by phone and collect it without the real administrator ever knowing. The Google system itself worked as designed; the weak point was the recovery channel it depended on, which ran through AT&T, and AT&T got socially engineered, and everything else came crashing down around it. The lesson is that account recovery and fallback channels are part of the authentication system and get the same scrutiny as the login itself. So as always it's a matter of using the best methods you can without inconveniencing your users too much. There's no question that two-factor authentication is a good system to use, but remaining vigilant with sound auditing policies, intrusion detection systems, properly salted and hashed passwords, and trained staff is just as crucial.

Are we stuck with passwords for the foreseeable future or do you expect to see more advanced methods of authentication rolled out?

About

Patrick Lambert has been working in the tech industry for over 15 years, both as an online freelancer and in companies around Montreal, Canada. A fan of Star Wars, gaming, technology, and art, he writes for several sites including the art news commun...

17 comments
jamesbrown126

I agree with the author. User name and password-based account security is quite vulnerable to breaches. Security systems like two-factor authentication add another layer of security beyond username and password. This approach requires the presence of two of the following three authentication factors: something the user knows (password); something the user has (phone number); something the user is (fingerprint). http://www.telesign.com/products-demos/telesign-2fa

Branden_B

It is true, we live in a password world, but people need to understand passwords are not secure in themselves. A strong password does not replace the need for other effective security controls. People need to be thinking less about just strong passwords and more about secondary steps that need to be implemented, like some form of 2FA where a user can telesign into their account and have the security of knowing they are protected. This should be a prerequisite to any system that wants to promote itself as being secure. With this, if they were to be compromised, the user would be protected, because if the people who stole the password were to try to use the "stolen" password and they don't have your phone, nor are on the computer, smartphone or tablet you have designated as trusted, they would not be able to enter the account.

cnichols

This article got me thinking about facial recognition. I did a little digging and came up with this solution: http://luxand.com/blink/ Since most of the new PCs I'm working with have built-in web-cams, I'm thinking of using this as a way to improve password security without burdening my users to remember them.

fdcampbell

The problem is real because, currently, security requires almost superhuman intellectual involvement (or insecure work-arounds). I have a three-page spreadsheet which contains over 200 user IDs and passwords. In a typical day I must consult it several times in order to conduct my business. My personal paranoia is such that I do not dare to use any of the "password management" programs. I do recognize that these programs generate nearly "uncrackable" passwords and then store them securely. But my terror is that somehow these will become unavailable to me. Can anyone reassure me that my fears are baseless? Are biometrics the answer? Or some variation of a dongle? What if the dongle is lost or fails, or I scar my thumb (or retina)? I look to better minds to come up with better (and more user-friendly) security.

flared0ne

At the moment, password contents typically only consist of printable alphanumeric characters. Various products exist offering biometric inputs to the password process, others are beginning to offer gestural inputs. Personally, if we were able to add keyboard and cursor control characters (non-printable data), possibly mouse-clicks and gestures, to a password string ("type, type, type, delete key, type, type, backspace, type, mouse-click-in-the-middle, type, right-arrow, type, shift handwave", "Enter") we would be approaching "impossible to fake". Granted -- that would simply relocate the "weakest link" point to somewhere else in the chain, making this yet another example of the "neverending battle".

WATKINS12

I like Paypal's version of two-factor logins. I use a password and then press a button on a key chain device to get the current 6 figures to append to my password. I have used this for several years and it works great. Nobody knows which 6 digits are coming up at a given moment.

tmccaff

Yep, usernames and passwords are not the best. However, it is something that the general public has adapted to, albeit begrudgingly. Now, if the general public would not use the SAME username and password for every site they access, it might be a little better. Biometrics are a long way off before they are really secure. When HP first rolled out the fingerprint scan on laptops, I knew two brothers who could sign into each other's machine because their fingerprints were "close enough." Facial recognition that recently came out is useless ... if I shave I have to recreate my scan. If I get a haircut, it doesn't recognize me. Enforcing/requiring stronger passwords will be our first step (and passw0rd should automatically be flagged as unusable).

alienpirate

Getting someone else to be responsible for a site's password/access, like Google or Twitter, reminds me of a story with regard to Singer sewing machine needles and Coats sewing thread. I attended Singer to see how their needles were made, as a representative of JP Coats; we were using their needles to test our thread because "we knew Singer's needles" were the best. On arrival we discovered they were using "Coats sewing thread" because they knew "Coats thread" was the best. We all had a good laugh, knowing how bad our own products were. Going back to Google and Twitter, I wonder if their research guys are having the same laugh over their own security products.... The lesson: don't rely on the other guy for security, for he may be relying on yours!

Dave51

So we could always start using more than one password, hashed to different secure servers using different methods; get the second one wrong and you have to restart with the first, timed out for more time after each failed attempt.

wizard57m-cnet

Even with the known problems with this system, it has become so ingrained that it will take a major push by a lot of people to change. Furthermore, most of the replacements I've read about still have a common weak spot... the human factor. That's why social engineering has become a much bigger problem than actual brute-force break-ins.

bboyd

Search for the user on various electronic places (Facebook, DMV, etc.), print the picture, hold it up in front of the camera. Done. Alternately, surreptitiously photograph the user and then print and use that. Look in the company pamphlet: hey, that's the company president.... oh, and hey, Janet got employee of the month and is posted on the web page. So as a second factor (something you have) it's a great adjunct to passwords (something you know). As a replacement for passwords, less so. I think it's a great way to generate a login ID, not a second factor. Same with USB key tokens.

bboyd

The good ones have backups and recovery methods. I won't advise on any specific manager, but I like the ones that make a USB key fob for carrying.

HAL 9000

Schmetz has made the best needles for a very long time now. Back in '74, when I was working with sewing machines, the Singer needles would break and you were likely to end up with bits in your eyes; that never happened with the Schmetz. And having a doctor use a hypo needle to scrape the bits of broken, rusting needle out of your eyes has to be experienced; it's indescribable. Coats threads I'll leave alone, as I have not looked at that in a very long time. ;) Col

spdragoo

We have a system we use at work that has a 2-stage login process, with different passwords at each stage.

SKDTech

Social Engineering has always been the biggest problem in securing computer systems. The human link is the weakest link.

cnichols

Good points. I will test those.

bboyd

Watched a show that demonstrated NSA facial recognition software that included duress analysis and voice sampling. I doubt much more information on that system is available, though. It may have been something like 60 Minutes or PBS Science Now.