Insecure Passwords Or Insecure People?


Passwords. From all the talk about two-factor and multi-factor authentication to the mainstream adoption of biometrics, passwords are not going away. Whilst there are more secure alternatives, and other authentication methods that can be used alongside the humble password, like it or not the password is going to be around for a long time to come. More focus is needed on how to make passwords “work.” For the vast majority of applications, they’re all we’ve got.

The truth is there’s nothing wrong with passwords. The problem is people. Users select passwords that are too simple, too short and too predictable. Analysis of actual passwords published from large-scale attacks (including Sony and LinkedIn) shows that more than 50% are fewer than 8 characters long, 50% contain only numbers or only letters, and only about 1% contain a non-alphanumeric character.

Cracking more than 80% of user-selected passwords is relatively easy, even when they are stored hashed in a database. Even if salted and hashed, a high percentage will still be susceptible to offline guessing (dictionary and brute-force attacks). A per-user salt defeats precomputed tables and stops one guess being amortised across every account, but it does not make an individual guess any more expensive. The time needed to recover the passwords therefore becomes a function of the compute power available to the attacker and of the per-guess cost of the hash: a fast hash such as MD5 or SHA-1 lets a GPU rig test billions of candidates per second, whereas a deliberately slow function such as bcrypt, scrypt or PBKDF2 with a high work factor cuts that rate by orders of magnitude.
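The point above, as an added example that is not part of the original article: a constructed “leak” of five accounts (made-up names and passwords, not data from any real breach) is attacked offline with a tiny wordlist and the usual mangling rules. The per-user salt forces every candidate to be hashed separately for each account, yet the four human-chosen passwords still fall; only the machine-generated one survives. Swapping the fast salted SHA-256 for PBKDF2 changes nothing about which passwords are recovered, only how long each guess costs.

```python
import hashlib
import os
import time

# Constructed sample accounts for this example (not data from any real breach):
# four user-chosen passwords of the kind seen in the published dumps, plus one
# machine-generated password of the kind an automated manager would issue.
USER_PASSWORDS = {
    "alice": "123456",
    "bob": "password",
    "carol": "letmein1",
    "dave": "Summer2014",
    "erin": "F7#kq9vLp2!mX4sZ",
}

# Tiny stand-in for a real cracking dictionary.
WORDLIST = ["123456", "password", "letmein", "qwerty", "summer", "welcome"]


def hash_fast(password, salt):
    """Fast salted hash: SHA-256(salt || password). Cheap per guess."""
    return hashlib.sha256(salt + password.encode()).digest()


def hash_slow(password, salt, iterations=20_000):
    """Deliberately slow: PBKDF2-HMAC-SHA256. Same salt, far dearer per guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_dump(hash_fn):
    """The 'leaked' table: account -> (random per-user salt, digest)."""
    dump = {}
    for user, pw in USER_PASSWORDS.items():
        salt = os.urandom(16)
        dump[user] = (salt, hash_fn(pw, salt))
    return dump


def candidates(wordlist):
    """Dictionary words plus the mangling rules crackers apply: capitalise,
    append a digit, append a recent year (24 candidates per word)."""
    for word in wordlist:
        yield word
        yield word.capitalize()
        for digit in "0123456789":
            yield word + digit
        for year in range(2010, 2016):
            yield word + str(year)
            yield word.capitalize() + str(year)


def crack(dump, hash_fn, wordlist):
    """Offline guessing against the dump. The per-user salt forces every
    candidate to be hashed separately for each account (no rainbow tables,
    no amortising one guess over all users) but does not change the cost
    of a single guess; only the choice of hash_fn does that."""
    recovered = {}
    guesses = 0
    for user, (salt, digest) in dump.items():
        for cand in candidates(wordlist):
            guesses += 1
            if hash_fn(cand, salt) == digest:
                recovered[user] = cand
                break
    return recovered, guesses


def run(hash_fn, wordlist=WORDLIST):
    """Build a dump with hash_fn and attack it; returns (recovered, guesses)."""
    return crack(make_dump(hash_fn), hash_fn, wordlist)


if __name__ == "__main__":
    for label, fn in (("salted SHA-256", hash_fast), ("PBKDF2, 20k iterations", hash_slow)):
        start = time.perf_counter()
        found, guesses = run(fn)
        elapsed = time.perf_counter() - start
        print(f"{label}: recovered {len(found)}/{len(USER_PASSWORDS)} "
              f"after {guesses} guesses in {elapsed:.2f}s -> {found}")
```

Run it and the two lines report the same four recovered accounts; the difference is the elapsed time, which is the only lever a salted-hash scheme has against an attacker who already holds the dump. A real attack uses rule files with thousands of manglings and wordlists of hundreds of millions of entries, so the fraction of human-chosen passwords that survive is correspondingly smaller.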

To make things worse (for themselves), users reuse the same passwords across different systems and services. An attacker who obtains credentials from one service can then sign in freely to email, social media, online shopping and even mobile phone and bank accounts. Despite attempts to educate people on the importance of using long, random strings that are unique to every account, they don’t. And they rarely change them.

So what if we could improve the way in which passwords are implemented and take responsibility for selecting and changing them regularly away from the user entirely? Security – and the user experience – would be improved significantly. Password management solutions are not new and fall broadly into two categories:

  • Consumer password managers that help individuals create, store and recall passwords, but still rely on the user to change them regularly. Users still know what their passwords to systems and services are.
  • SSO solutions that cater to the needs of enterprises and the applications they use. Whilst SSO solutions cover major business applications that support federated identity standards, they often don’t support the thousands of non-standard, smaller web applications.

If an SSO solution can automate the selection and changing of passwords – and ensure that passwords are not only as long and strong as the applications will support but also unique across all accounts – then the inherent human weakness is minimised or eliminated.
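What “as long and strong as the application will support, and unique across all accounts” looks like in practice, as an added example that is not the article’s or any vendor’s code: each application gets a policy (the hypothetical entries in `POLICIES` are constructed for this example) describing the longest password it accepts and the characters it allows; the generator always fills that maximum from the OS CSPRNG, and a small vault records every password ever issued so that no two accounts, and no two rotations, ever share one.

```python
import math
import secrets
import string

# Hypothetical per-application policies, constructed for this example: the
# longest password each application accepts and the characters it allows.
POLICIES = {
    "crm.example":  {"max_len": 64, "alphabet": string.ascii_letters + string.digits + string.punctuation},
    "legacy-erp":   {"max_len": 12, "alphabet": string.ascii_letters + string.digits},   # symbols rejected
    "bank.example": {"max_len": 20, "alphabet": string.ascii_letters + string.digits + "!@#$%^&*"},
}


def char_classes(alphabet):
    """The character classes (lower, upper, digit, symbol) present in an alphabet."""
    groups = [string.ascii_lowercase, string.ascii_uppercase, string.digits,
              "".join(c for c in alphabet if not c.isalnum())]
    return [set(g) & set(alphabet) for g in groups if set(g) & set(alphabet)]


def satisfies(password, policy):
    """True if the password fits the policy and uses every class the app allows
    (applications with a composition rule usually insist on this)."""
    alphabet = set(policy["alphabet"])
    return (0 < len(password) <= policy["max_len"]
            and set(password) <= alphabet
            and all(set(password) & cls for cls in char_classes(policy["alphabet"])))


def entropy_bits(policy):
    """Guessing entropy of a uniformly random password at the policy's maximum length."""
    return policy["max_len"] * math.log2(len(set(policy["alphabet"])))


def generate(policy):
    """Uniformly random password at the maximum length the application accepts,
    drawn from the OS CSPRNG via `secrets`, never from `random`."""
    alphabet = policy["alphabet"]
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(policy["max_len"]))
        if satisfies(pw, policy):
            return pw


class Vault:
    """Holds the current password per account and rotates it; the user never sees it."""

    def __init__(self):
        self._current = {}     # account -> current password
        self._issued = set()   # every password ever issued, so none is ever reused

    def rotate(self, account, app):
        """Issue a fresh password for account on app and record it as current."""
        policy = POLICIES[app]
        while True:
            pw = generate(policy)
            if pw not in self._issued:      # unique across all accounts and all rotations
                break
        self._issued.add(pw)
        self._current[account] = pw
        return pw

    def current(self, account):
        return self._current[account]


if __name__ == "__main__":
    vault = Vault()
    for account, app in [("alice", "crm.example"), ("alice", "legacy-erp"), ("alice", "bank.example")]:
        pw = vault.rotate(f"{account}@{app}", app)
        print(f"{account}@{app}: {len(pw)} chars, {entropy_bits(POLICIES[app]):.0f} bits of entropy")
```

The weakest link is visible in the output: the 12-character alphanumeric limit of the legacy application gives about 71 bits, the 64-character CRM password about 420. That is exactly why the policy has to be per application, and why the generator should always take the maximum rather than a fixed “strong enough” length.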

This moves passwords closer to the tokens and assertions used in federated identity and authentication standards, including SAML and WS-Federation. In those standards, trust between the identity provider and service provider is pre-defined, typically by exchanging signing certificates in metadata so that the service provider can verify assertions signed by the identity provider. That pre-defined trust is mimicked either by having the user enter their current (initial) password so that the SSO solution can subsequently change it, or by having the SSO solution provision the account and set the password from the outset.

There is a secondary benefit to improving the strength and uniqueness of credentials on individual user accounts. A significant percentage of large-scale breaches share something in common. According to the Verizon 2014 Data Breach Investigations Report (DBIR), two-thirds of breaches exploit weak or stolen passwords – compared to 76% in 2013 (perhaps education is starting to have an effect after all).

The attack on JP Morgan, affecting 76 million households and 7 million small businesses, started with the compromise of an employee’s username and password for a “web development server.” In the now well-documented anatomy of an attack, once initial access had been gained the attackers escalated privilege, obtaining credentials to further administrative accounts, and eventually carried out the large-scale theft.

If automated password management had been applied to those administrative accounts, the passwords would have been stronger and taken longer to obtain, with a higher likelihood that they would have been rotated before they could be used. Likewise, if customer account passwords had been auto-generated, unique and changed frequently, their value to the attackers would have been lower.

The risk of experiencing a data breach is higher than ever. Removing human interaction with passwords and automating their selection and rotation is a major step forward on several levels. It protects the individual by ensuring that when the next large-scale breach occurs the stolen password is unique and not reused across other services, and, if applied to internal accounts on internal systems, it may slow down the attacker and even prevent the breach from happening at all.

Richard Walters is CTO of Web application security vendor SaaSID, prior to which Richard was CTO and Director of Business Development at Integralis, Europe's largest independent security integrator. Richard has a uniquely thorough understanding of risk management, standards, regulations and legislation such as ISO/IEC 27001/2, PCI DSS, and the DPA, after spending many years consulting with FTSE100 companies.