Story image

Passwords: They're as useless as the 'g' in lasagna

24 Apr 18

Since the dawn of the digital age, passwords have been the number one way to authenticate users into computer systems. Early on, when people referred to security, what they were really referring to was a password database that simply stored a user’s recorded password and compared it to what the user submitted when they logged in. Did they match? Great, you’re in.

Fast forward to today and passwords still haven’t gone away, albeit with a few enhancements. Using mathematics, the password is scrambled. It might be “salted” (mixed with randomness). It is likely “hashed” (fingerprinted as a unique numerical value).

To the user, it’s still just a password. And users need dozens of them. Worse still, passwords must be complicated. Users aren’t allowed to write them down or use the same one repeatedly, and many systems require that the user change their password every few months. Couple that with users needing them for both work-related and personal uses and the strain of passwords is self-evident.

Remembering passwords isn’t even the biggest issue. They’re also terrible security. According to Verizon’s 2017 Data Breach Investigations Report (DBIR), 81% of hacking-related breaches leveraged either stolen or weak passwords. The 2018 DBIR report was even more succinct, describing passwords as being ‘as useless as the “g” in lasagna’.

Sceptical? Then let’s have a quick look at what a hacker might need to steal your password (other than simply tricking you into giving it to them). The hacker might listen to your traffic on your network. The hacker might find a slip of paper where you’ve written it down. The hacker might trick you into installing bad files, such as malware, onto your computer. Or they might simply write their own computer program to automatically “guess” all possible password combinations. That’s called brute-forcing and is relatively easy to do with modern-day PCs.

The 2013 Twitter breach is one of many high profile examples of this happening in the real world. Hackers may have, according to Twitter, had access to user information – including usernames, email addresses, session tokens and encrypted/salted versions of passwords – for a quarter of a million users.

Another high profile incident involved Facebook founder Mark Zuckerberg. Zuckerberg’s Twitter, and Pinterest accounts were hacked in 2016, with a group called OurMine Team claiming responsibility. His accounts were compromised because he re-used the password “dadada”. Six characters, all lowercase. If anyone should know better, it’s Zuckerberg.

This example is instructive for a number of reasons. It’s not enough that an organisation needs to worry about getting breached themselves. They also need to be concerned about other services that they may or may not have a relationship with. Security can be thought of as an ecosystem, or better yet, a stack of dominos. When one falls, several others fall too.

So what’s the solution to securing access if passwords aren’t the answer? The first step is for enterprises to use the data they already have on their users. Today, IT managers know who their users are, where they are, the device or devices they’re using and more. Collating this information, IT managers can monitor a user’s behaviour to build a profile of what’s normal activity and what’s not.

Take for example a CFO wanting to read profit and loss reports. They might do it in the office, at home or even in transit. IT knows this about the CFO and can confidently grant access. But if the same request came from a low-level employee, accessing the data at an odd hour from an unknown device, then the access attempt should be flagged and access blocked.

These identity insights are even more powerful when combined with technologies providing visibility into other risk factors, such as malware, ransomware and unpatched software. Again, machine learning and analytics can identify potential malware, and network forensics can flag suspicious traffic from a particular device.

By co-ordinating a response and using a list of devices and users that are being investigated as being potentially compromised, the access management team can adapt their log-in controls. They can block access to a suspicious resource or ask for more proof that a user is who they say they are. This could take the form of something hard to attack, like a biometric.

The final step is to understand the business context. An example of this is identifying whether an application is a gateway to other resources within the organisation. If an attacker gains access to a web server (or an Internet of Things device), could that give them a pathway to more sensitive data? Business context also means knowing what data is valuable, and what is not.

To tap an earlier example, if there’s a threat pathway to gain access to sensitive profit and loss statements, then that requires an immediate response. But if it’s merely giving access to an intern’s resume, then it doesn’t require such a high level reaction.

By taking these steps, an organisation can secure itself against attacks without putting onerous password requirements onto its users or needing to have constant (and fallible) human intervention into access attempts. Today’s systems are too complex, too spread out and without the traditional borders such as firewalls that used to keep organisations safe. Using machine learning and automation, access can be simplified for users, while protecting organisations and their crown jewel data assets.

Article by RSA senior security architect APJ, Craig Dore.

Disruption in the supply chain: Why IT resilience is a collective responsibility
"A truly resilient organisation will invest in building strong relationships while the sun shines so they can draw on goodwill when it rains."
Businesses too slow on attack detection – CrowdStrike
The 2018 CrowdStrike Services Cyber Intrusion Casebook reveals IR strategies, lessons learned, and trends derived from more than 200 cases.
What disaster recovery will look like in 2019
“With nearly half of all businesses experiencing an unrecoverable data event in the last three years, current backup solutions are no longer fit for purpose."
Proofpoint launches feature to identify most targeted users
“One of the largest security industry misconceptions is that most cyberattacks target top executives and management.”
McAfee named Leader in Magic Quadrant an eighth time
The company has been once again named as a Leader in the Gartner Magic Quadrant for Security Information and Event Management.
Symantec and Fortinet partner for integration
The partnership will deliver essential security controls across endpoint, network, and cloud environments.
Is Supermicro innocent? 3rd party test finds no malicious hardware
One of the larger scandals within IT circles took place this year with Bloomberg firing shots at Supermicro - now Supermicro is firing back.
25% of malicious emails still make it through to recipients
Popular email security programmes may fail to detect as much as 25% of all emails with malicious or dangerous attachments, a study from Mimecast says.