The Password Problem: A Call for Stronger Authentication

Created: 10 Jan 2013 • Updated: 10 Jan 2013 • 7 comments
Marty Jost

+1

Passwords must die.

At least, that was a theme of the Gartner Identity and Access Management Conference I recently attended. And you don’t have to be a security expert to see that our traditional system of “think of something you can easily remember” passwords is broken. Between guessing, brute-force and dictionary attacks, keyloggers, socially engineered cons, and simply breaking in and stealing them from a database, as in the recent attack on Yahoo, users are in a difficult situation.

For one thing, too many of us aren’t using strong passwords to begin with. The 2012 breach of roughly 450,000 Yahoo! Voices user passwords, which the site had stored in plaintext, demonstrated our unwillingness to remember long, challenging combinations of numbers, letters and symbols: “123456” and “password” were among the most common passwords in the dump. Another problem is that our passwords are only as effective as the security of the organization storing them. The longest, most cryptic password does us no good if the provider stores it in plaintext, or hashes it with a fast, unsalted algorithm that lets an attacker test billions of guesses per second once the database is stolen. 2012 was littered with disclosures of stolen passwords and password hashes from major sites, including LinkedIn (unsalted SHA-1), Zappos, eHarmony and Last.fm, to name a few.
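
To make concrete why stolen hashes matter so much, here is an added example (not code from the original post) contrasting the unsalted SHA-1 storage of the LinkedIn dump with a salted, iterated scheme. The usernames, passwords and wordlist are constructed for the demonstration, and PBKDF2-HMAC-SHA256 stands in for whatever password-hashing function a real site would choose.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the "most common passwords" lists that
# attackers compile from earlier leaks. Not real user data.
COMMON_PASSWORDS = ["123456", "password", "welcome", "ninja", "abc123", "qwerty"]


def sha1_unsalted(password):
    """Fast, unsalted SHA-1: the scheme behind the 2012 LinkedIn dump."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def crack_unsalted(leaked, wordlist):
    """Map user -> recovered password for every user whose hash is in the wordlist.

    With no salt, hashing each candidate once tests it against every user at
    the same time, and two users who chose the same password are visible
    immediately because their stored hashes are identical.
    """
    lookup = {sha1_unsalted(word): word for word in wordlist}
    return {user: lookup[h] for user, h in leaked.items() if h in lookup}


def pbkdf2_store(password, iterations=200_000, salt=None):
    """Salted, iterated hash (PBKDF2-HMAC-SHA256).

    A fresh random salt per user makes identical passwords produce different
    records, and the iteration count makes each guess cost the attacker
    `iterations` HMAC evaluations. Returns (salt, iterations, digest).
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return (salt, iterations, digest)


def pbkdf2_verify(password, record):
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def crack_salted(records, wordlist):
    """The same wordlist attack against the salted store. Work is now per user
    and per candidate, and each test is a full PBKDF2 run, but a password that
    is on the list still falls: salting raises the cost, it does not add entropy."""
    return {
        user: word
        for user, record in records.items()
        for word in wordlist
        if pbkdf2_verify(word, record)
    }


def hash_operations(n_users, n_candidates, iterations, salted):
    """Primitive hash/HMAC evaluations needed to test a whole wordlist against
    a whole dump: shared across users when unsalted, multiplied out when salted."""
    if not salted:
        return n_candidates
    return n_users * n_candidates * iterations


if __name__ == "__main__":
    # Constructed accounts: two users picked the same weak password.
    users = {"alice": "password", "bob": "password", "carol": "Tr0ub4dor&3"}

    leaked = {u: sha1_unsalted(p) for u, p in users.items()}
    print("unsalted, cracked:", crack_unsalted(leaked, COMMON_PASSWORDS))

    records = {u: pbkdf2_store(p) for u, p in users.items()}
    print("salted, cracked:  ", crack_salted(records, COMMON_PASSWORDS))
    print("attacker work, unsalted:", hash_operations(3, len(COMMON_PASSWORDS), 200_000, False))
    print("attacker work, salted:  ", hash_operations(3, len(COMMON_PASSWORDS), 200_000, True))
```

Two things the run makes visible: without a salt, alice and bob betray each other because their hashes are byte-for-byte identical, and one pass over the wordlist cracks everyone at once; with salting and stretching the attacker pays per user and per guess, yet a password that is on the wordlist still falls. Good storage protects a good password; it does not rescue a bad one.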

Given all the password problems we’ve seen lately, it’s time to rethink the situation. Passwords are clearly limited. So what’s the alternative to traditional passwords?

The good news is that technology is catching up to the password problem. A variety of solutions are available from Symantec and others that use strong authentication technology to keep user accounts and information secure. In fact, these have been around for years, since the days of the first security tokens that generate one-time passwords on a small, portable device. Because each code is valid only for a short window and should be accepted only once, a keylogger on a compromised machine gains little: by the time the attacker tries to replay the captured code it has expired or has already been consumed. The limit is that an attacker relaying the code in real time can still get in, so a token raises the bar rather than removing the risk. And now that nearly every employee in the enterprise accesses resources remotely, some organizations feel that if everyone carried a token, tokens would constantly be lost or stolen and the fleet would be too hard to manage.

One commonly used alternative today is knowledge-based authentication. We’ve all seen it at work on websites such as our bank’s, where in addition to our password we are asked security questions based on something else we know. This is marginally better than a password alone, but it has real shortcomings. Strictly speaking, a second secret is not a second factor: it is still “something you know”, and with the amount of personal data we publish on social media profiles in particular, it’s often not hard to find the name of your pet. Worse, the answers are frequently the key to resetting the password itself, so the weaker secret ends up guarding the stronger one. Just ask Mat Honan, whose attackers pieced together information from daisy-chained accounts, using account-recovery details held by one provider as identity proof at another, to take over his digital life.

A newer approach, and one Symantec employs, is risk-based authentication. The risk-based method analyzes signals about the login attempt to decide how much authentication to demand in the current situation. For example, it considers the user’s location, the network they are connecting from, the device being used to log in, and the sensitivity of what they are asking for. When it’s the user’s own workstation in corporate headquarters and they are accessing relatively unimportant information, the situation is considered low risk and little or no additional authentication is required. But if the user is requesting access from an unknown device and an IP address in another country, or is trying to reach financials or intellectual property, red flags go up, depending on the parameters enabled in the system, and the user can be required to complete an additional authentication step, such as a one-time code, on top of the password before access is granted. The decision is only as good as the signals behind it: device recognition usually rests on a browser cookie or fingerprint that can be copied, and the source IP can be masked through a proxy, so a low score should lower the bar for routine access, not remove it for sensitive resources.
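
The step-up decision described above, as an added example rather than a description of Symantec’s product: a small additive risk scorer over the signals the paragraph names, with a policy that a sensitive resource triggers a challenge regardless of how trusted the device looks. Network ranges, resource names, weights and the threshold are all invented for the illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed policy data for the illustration; not from any real deployment.
CORPORATE_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")]
SENSITIVE_RESOURCES = {"finance-ledger", "source-repo", "hr-records"}
STEP_UP_THRESHOLD = 30  # at or above this score a second factor is demanded


@dataclass(frozen=True)
class LoginAttempt:
    user: str
    device_id: str   # e.g. a device cookie or client-certificate fingerprint
    source_ip: str
    country: str     # geolocation of source_ip, as supplied by the edge
    resource: str    # what the user is asking for after login


@dataclass
class UserProfile:
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)


def risk_score(attempt, profile):
    """Additive score over independent signals, with a reason for each
    contribution so the decision can be logged, explained and tuned."""
    score, reasons = 0, []
    if attempt.device_id not in profile.known_devices:
        score += 40
        reasons.append("unrecognised device")
    if not any(ip_address(attempt.source_ip) in net for net in CORPORATE_NETWORKS):
        score += 20
        reasons.append("outside corporate network")
    if attempt.country not in profile.usual_countries:
        score += 30
        reasons.append("unusual country")
    if attempt.resource in SENSITIVE_RESOURCES:
        # Sensitive data raises the bar on its own, even from a known device:
        # device recognition rests on a cookie or fingerprint that can be copied.
        score += 30
        reasons.append("sensitive resource")
    return score, reasons


def decide(attempt, profile):
    """Policy decision: 'allow' on the password alone, or 'step-up' to require
    an additional factor before access is granted."""
    score, reasons = risk_score(attempt, profile)
    action = "step-up" if score >= STEP_UP_THRESHOLD else "allow"
    return {"user": attempt.user, "action": action, "score": score, "reasons": reasons}


def record_step_up_success(attempt, profile):
    """After the user passes the second factor, learn the device so routine logins
    from it are not challenged again. Only the device is learned; network and
    country are re-evaluated on every attempt."""
    profile.known_devices.add(attempt.device_id)


if __name__ == "__main__":
    alice = UserProfile(known_devices={"wks-0042"}, usual_countries={"US"})
    attempts = [
        LoginAttempt("alice", "wks-0042", "10.20.30.40", "US", "intranet-wiki"),
        LoginAttempt("alice", "unknown-7f3a", "198.51.100.23", "RO", "intranet-wiki"),
        LoginAttempt("alice", "wks-0042", "10.20.30.40", "US", "finance-ledger"),
    ]
    for attempt in attempts:
        print(decide(attempt, alice))
```

The three constructed attempts map onto the paragraph: the workstation at headquarters reading the wiki scores zero and is allowed on the password alone; an unknown device from an unusual country is challenged; and the same trusted workstation is still challenged when it asks for the finance ledger. Learning a device after a successful challenge removes only that one signal, so a later login from the same device but an unusual network and country is challenged again.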

There are a few other promising methods of strong authentication on the horizon that are making their way into the real world. “Somewhat continuous” authentication looks at behavior not only at login but throughout the session, to confirm that the person who authenticated is still the one in control; this matters most for highly sensitive information, for example in espionage scenarios, where a session hijacked after login is as damaging as a stolen password. And other biometric-based methods are in development to further confirm user identity.

Gartner probably had a point. The days of relying exclusively on simple password protection may be numbered. We’ve seen enough examples to know that it’s not a matter of if a password-only protected account will be compromised, but when. We’re already seeing large consumer services go this route, with the Googles and Yahoos of the world letting users turn on optional two-factor authentication. That said, moving to a world where these alternative authentication systems are the norm won’t happen quickly, so don’t be surprised to see attackers entering networks with legitimate, albeit compromised, credentials for the time being. Moving forward, businesses can’t afford to take chances, and it’s time to find the strong authentication system that works best for each of us. Until then, most will continue relying on a security control that doesn’t work. Peace of mind will only begin where simple passwords end.

Comments

nate.hall:

I think the biggest thing preventing most companies is the additional price for a solution other than passwords. As cheap as it may or may not be, it costs something and that's tough to get approved. Using passwords is free and as far as many C-level employees are concerned passwords are sufficient enough.

+6

Rob Glickman:

Great post Marty. The related challenge is the intersection between security and convenience, and as we see many times, the latter typically trumps the former until a hard lesson is learned. I assume that using the browser-enabled password-saving features is also not very secure?

0

Leroy Scandal:

I often advise password phrases like "3BlackDogs" or "takeThe2rdLeft"; those are easy to remember and tough to crack.

In my experience it is the passwords that have been left the same for four years that get compromised most often.

I agree with the idea of authentication based on risk; people now have passwords in many places where they don't really need a password. It's the sea of passwords that makes people get lazy, I believe.

A system has to be easy enough for people not to try to get around it.

This is a tough one; once you introduce human behavior, it gets hard.

Good Post.

+6

liezelgordoncielo:

Passwords can simply be hacked by someone who is highly professional in attacking other systems. The problem is that you will not be able to access your own account. One thing I know is: do not use passwords that are just so simple and readable.

0

MaskaTips:

I believe the most important thing preventing most companies is the additional price for a solution other than passwords. As cheap as it may or may not be, it costs something and that's tough to get approved. Using passwords is free and as far as many C-level employees are concerned passwords are sufficient enough.

0

Marty Jost:

Yes, improving the built-in security of free passwords has a cost.

The business reason to do it is that it costs much more if you have some kind of breach. A useful tool that can quantify this for the C-level decision maker is available from a 3rd-party research firm named Ponemon, who does an annual Cost of a Data Breach study to which Symantec subscribes. The report is available here on our website: http://www.symantec.com/about/news/resources/press...

In my opinion, improving authentication security is one of the more important precautions a business should take. If an intruder compromises a user's authentication credentials they have very broad access to an organization's resources. As IT professionals we can do our employers a great service by helping them understand that.

+4

angelica.ivans:

Like keys to a door, your password is the key to your business. With the development of technology and the increasing threats of all sorts, I would definitely agree with this concept of a no-password system. Sort of like a keyless-engine-start car.

-4