Security: Passwords Are Still the Problem

Despite an endless series of breaches, the problems with passwords are really very basic, says Fahmida Y Rashid

Despite repeated reminders to select strong passwords and not to reuse them across Websites and services, online users continue to be frighteningly lax in their password security, according to a recent analysis of leaked passwords.

Security experts recommend taking a multilayered approach to security. Instead of relying on a single point of failure, organisations should be implementing several mechanisms to make it harder for cyber-attackers to steal sensitive, confidential data, Mike Yaffe, government security strategist at Core Security, told eWEEK.

Considering how easy it has become to steal passwords, using phishing emails or by installing keyloggers on a target computer, relying solely on passwords to protect data is very risky, Yaffe said.

Security versus usability

Organisations are often leery of putting up any security measures that may affect the user experience and interrupt workflow because they are worried users will get annoyed and go elsewhere. But some tolerance for inconvenience is necessary, since it will result in a “significant boost” in security, Yaffe said. Many banks are rolling out additional protections such as image verification and hardware tokens, which may feel a little tedious, but Yaffe said he’s willing to put up with them because he would rather be overprotected than underprotected.

Other protections include multiple security questions, forcing users to change passwords regularly, and checking to ensure the passwords aren’t dictionary words or being reused.

Attackers should have to get past multiple gatekeepers before they even get to the database, Josh Shaul, CTO of Application Security, told eWEEK. Organisations should be combining all the security layers that will help trap attackers, or at least slow them down enough by raising enough flags for the IT department to notice something is wrong, according to Shaul.

There’s no such thing as “security nirvana,” but organisations can try to foil attackers by making their environments harder to breach than the payoff may be worth, Yaffee said. Motivated attackers will always find a way, but there’s no need to make it easy.

That applies equally to users. Angry users blame the vendor for not taking proper security measures after a data breach, but the fact remains that users must share the blame. While Gawker and Sony were both criticised for running obsolete software and not protecting password data stored in the database, a recent analysis of passwords stolen from those two companies reveals a significant degree of overlap.

Software architect and security researcher Troy Hunt analysed the torrent of files released by Lulzsec shortly after the group hacked Sony Pictures and Sony BMG Music and the password lists that another hacker group, Gnosis, leaked in December after hacking Gawker’s commenting database. According to Hunt’s analysis, 88 people were in both data sets with the same email address, and 67 percent of them used the same password.

Admittedly, 88 people is a very small number, considering there were 37,608 accounts in the Sony files and more than 188,000 accounts from Gawker. However, the two sites are pretty independent in terms of the kinds of users they attract, Hunt noted. For skeptics who may not consider this significant, Hunt identified “well over” 2,000 users who had accounts with both Sony Pictures and Sony BMG using the same email address. Hunt found 92 percent of the users had the same password across both accounts.

Based on these findings, it’s reasonable to assume many of these user-name or email combinations with the password could turn out to be the “key” to access other Gmail, eBay and Facebook accounts. “There’s a statistically good chance that the majority of them will work with other Websites,” Hunt said.

Attackers are already doing just that, testing leaked passwords against other Web services. Lulzsec recently breached the Website of Infragard, a partnership between the FBI and private security firms, and obtained the email database. It turned out one of its members, Karim Hijazi, was using the same password for his personal Gmail and work email accounts. Hijazi also happened to be the CEO of white-hat hacking organization Unveillance. Password reuse also helped hacktivist collective Anonymous when it went after HBGary Federal in February.

Security that depends on users having strong, unique passwords is not enough, not when modern-day malware can easily intercept that information. Security experts often say user authentication should be a combination of what the user knows, such as a password, and what the user has, such as a hardware token, that randomly generates a passcode every 30 seconds. Some major Websites, including Google and Facebook, have implemented two-factor authentication based on user phones to access their services.

For Google’s Gmail, users who have opted into two-factor authentication enter their user name and password as usual, and then are directed to a “verification” page where they enter a six-digit code that is generated by an application on the smartphone or sent via Short Message Service.

Some banks turn to the cloud to handle two-factor authentication, Ken Hunt, Vasco Data Security CEO, told eWEEK. Vasco customers issue hardware tokens, similar to the SecurID tokens from RSA Security, which randomly generate pass codes that users enter on online banking sites. The DIGIPASS cloud service authenticates users before allowing them to access applications, Hunt said.

Ray Wizbowski, global director of marketing and communications in the security business unit at Gemalto, takes that a step further for cloud-based applications. Wizbowski suggests that authentication should be a combination of the physical device, something the user knows, and “something we are.” Identity-based information would provide a “stronger verification” that the user is really the one supposed to be accessing the cloud data, Wizbowski said.