Passwords: They're as useless as the 'g' in lasagna
Since the dawn of the digital age, passwords have been the number one way to authenticate users into computer systems. Early on, when people referred to security, what they were really referring to was a password database that simply stored a user’s recorded password and compared it to what the user submitted when they logged in. Did they match? Great, you’re in.
Fast forward to today and passwords still haven’t gone away, albeit with a few enhancements. Using mathematics, the password is scrambled. It might be “salted” (mixed with randomness). It is likely “hashed” (fingerprinted as a unique numerical value).
To the user, it’s still just a password. And users need dozens of them. Worse still, passwords must be complicated. Users aren’t allowed to write them down or use the same one repeatedly, and many systems require that the user change their password every few months. Couple that with users needing them for both work-related and personal uses and the strain of passwords is self-evident.
Remembering passwords isn’t even the biggest issue. They’re also terrible security. According to Verizon’s 2017 Data Breach Investigations Report (DBIR), 81% of hacking-related breaches leveraged either stolen or weak passwords. The 2018 DBIR report was even more succinct, describing passwords as being ‘as useless as the “g” in lasagna’.
Sceptical? Then let’s have a quick look at what a hacker might need to steal your password (other than simply tricking you into giving it to them). The hacker might listen to your traffic on your network. The hacker might find a slip of paper where you’ve written it down. The hacker might trick you into installing bad files, such as malware, onto your computer. Or they might simply write their own computer program to automatically “guess” all possible password combinations. That’s called brute-forcing and is relatively easy to do with modern-day PCs.
The 2013 Twitter breach is one of many high profile examples of this happening in the real world. Hackers may have, according to Twitter, had access to user information – including usernames, email addresses, session tokens and encrypted/salted versions of passwords – for a quarter of a million users.
Another high profile incident involved Facebook founder Mark Zuckerberg. Zuckerberg’s Twitter, and Pinterest accounts were hacked in 2016, with a group called OurMine Team claiming responsibility. His accounts were compromised because he re-used the password “dadada”. Six characters, all lowercase. If anyone should know better, it’s Zuckerberg.
This example is instructive for a number of reasons. It’s not enough that an organisation needs to worry about getting breached themselves. They also need to be concerned about other services that they may or may not have a relationship with. Security can be thought of as an ecosystem, or better yet, a stack of dominos. When one falls, several others fall too.
So what’s the solution to securing access if passwords aren’t the answer? The first step is for enterprises to use the data they already have on their users. Today, IT managers know who their users are, where they are, the device or devices they’re using and more. Collating this information, IT managers can monitor a user’s behaviour to build a profile of what’s normal activity and what’s not.
Take for example a CFO wanting to read profit and loss reports. They might do it in the office, at home or even in transit. IT knows this about the CFO and can confidently grant access. But if the same request came from a low-level employee, accessing the data at an odd hour from an unknown device, then the access attempt should be flagged and access blocked.
These identity insights are even more powerful when combined with technologies providing visibility into other risk factors, such as malware, ransomware and unpatched software. Again, machine learning and analytics can identify potential malware, and network forensics can flag suspicious traffic from a particular device.
By co-ordinating a response and using a list of devices and users that are being investigated as being potentially compromised, the access management team can adapt their log-in controls. They can block access to a suspicious resource or ask for more proof that a user is who they say they are. This could take the form of something hard to attack, like a biometric.
The final step is to understand the business context. An example of this is identifying whether an application is a gateway to other resources within the organisation. If an attacker gains access to a web server (or an Internet of Things device), could that give them a pathway to more sensitive data? Business context also means knowing what data is valuable, and what is not.
To tap an earlier example, if there’s a threat pathway to gain access to sensitive profit and loss statements, then that requires an immediate response. But if it’s merely giving access to an intern’s resume, then it doesn’t require such a high level reaction.
By taking these steps, an organisation can secure itself against attacks without putting onerous password requirements onto its users or needing to have constant (and fallible) human intervention into access attempts. Today’s systems are too complex, too spread out and without the traditional borders such as firewalls that used to keep organisations safe. Using machine learning and automation, access can be simplified for users, while protecting organisations and their crown jewel data assets.
Article by RSA senior security architect APJ, Craig Dore.