The Problem with Passwords

I unlock my smartphone with a fingerprint, which is pretty secure. Owners of the new Apple iPhone X unlock theirs with their faces – which is reported to be hackable with a mask. My tablet is unlocked with a six-digit numerical code, which is better than four digits or a pattern. I log into my laptop with an alphanumeric password. Many online services, including banks and SaaS applications, require their own passwords.

It’s a mess! Not the least because humans tend to reuse passwords, so that if a username and password for one service is stolen, criminals can try using that same combination on other services. They get your email and password for some insecure e-commerce site? They’ll try it on Facebook, LinkedIn, eBay, Amazon, Walmart.com, Gmail, Office 365, Citibank, Fidelity, Schwab… you get the idea.

Two more weaknesses: Most people don’t change their passwords frequently, and the passwords that they choose are barely more secure than ABCD?1234. And while biometrics are good, they’re not always sufficient. Yes, my smartphone has a fingerprint sensor, but my laptop doesn’t. Sure, companies can add on such technology, but it’s a kludge. It’s not a standard, and certainly I can’t log into my Amazon.com account with a fingerprint swipe.

Passwords Spell Out Trouble

The 2017 Verizon Data Breach Report reports that 81% of hacking-related breaches leverage either stolen or weak passwords. That’s the single biggest tactic used in breaches – followed by actual hacking, at 62%, and malware, at 51%.

To quote from the report: “… if you are relying on username/email address and password, you are rolling the dice as far as password re-usage from other breaches or malware on your customers’ devices are concerned.”

About retailers specifically — which is where we see a lot of breaches — Verizon writes, “Their business is their web presence and thus the web application is the prime target of compromise to harvest data, frequently some combination of usernames, passwords (sometimes encrypted, sometimes not), and email addresses.”

(I am dismayed by the common use of email address instead of a unique login name by many retailers and online services. That reduces the bits of data that hackers or criminals need. It’s pretty easy to figure out my email address, which means that to get into my bank account, all you need is to guess or steal my password. But if my login name was a separate thing, like WeinerDogFancier, you’d have to know that and find my password. On the other hand, using the email address makes things easier for programmers, and presumably for users as well. As usual, convenience beats security.)

Too Much Hanging on a Single Identity

The Deloitte breach, which was discovered in March 2017, was succeeded because an administrator account had basically unfettered access to everything. And that account wasn’t secured by two-factor authentication. There were apparently no secondary password protecting critical assets, even from an authenticated user. As the Guardian wrote in “Deloitte hit by cyber-attack revealing clients’ secret emails,”

The hacker compromised the firm’s global email server through an “administrator’s account” that, in theory, gave them privileged, unrestricted “access to all areas”. The account required only a single password and did not have “two-step“ verification, sources said. Emails to and from Deloitte’s 244,000 staff were stored in the Azure cloud service, which was provided by Microsoft. This is Microsoft’s equivalent to Amazon Web Service and Google’s Cloud Platform. In addition to emails, the Guardian understands the hackers had potential access to usernames, passwords, IP addresses, architectural diagrams for businesses and health information. Some emails had attachments with sensitive security and design details.

Sigh. Unfortunately, there are no universal solutions to the password scourge. However, there are some best practices:

  • Don’t trust any common single-factor authentication scheme completely; they can all be bypassed or hacked.
  • Require two-factor authentication from any new device, for access outside of normal working hours or geographies, or potentially even a new IP address.
  • Look into schemes that require removable hardware, such as a USB dongle, as a third factor.
  • Secure valuable assets, such as identity databases, with additional protections. They should be encrypted and blocked from download.
  • Consider disabling remote access to such assets, and certainly disable the ability to download the results of identity or customer database searches.
  • If it’s possible to use biometrics or other hardware-based authentication, do so.

Passwords are B.S.

You might enjoy this riff on passwords by Jeff Atwood in his blog, Coding Horror. Be sure to read the comments.