
Passwords: They're as useless as the 'g' in lasagna

24 Apr 2018

Since the dawn of the digital age, passwords have been the number one way to authenticate users into computer systems. Early on, when people referred to security, what they were really referring to was a password database that simply stored a user’s recorded password and compared it to what the user submitted when they logged in. Did they match? Great, you’re in.

Fast forward to today and passwords still haven’t gone away, albeit with a few enhancements. Before it is stored, the password is transformed mathematically. It might be “salted” (mixed with a random value unique to that user). It is likely “hashed” (run through a one-way function that produces a fixed-length fingerprint, so the original password is never stored).
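To make the salting and hashing described above concrete, here is an added example (not code from the article or from RSA) of a minimal credential store that salts and hashes each password before storing it and verifies log-ins by recomputing the fingerprint. The legacy unsalted fingerprint is shown beside it to illustrate why the salt matters: without it, two users who pick the same password end up with the same stored value. The salt length, PBKDF2 work factor and the sample username are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed demo parameters: salt length and PBKDF2 work factor.
# A real deployment tunes the iteration count to its own hardware budget.
SALT_BYTES = 16
PBKDF2_ITERATIONS = 100_000


def unsalted_sha256(password: str) -> bytes:
    """The legacy approach: no salt, so equal passwords give equal fingerprints."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salt, then hash. A fresh random salt is drawn when none is supplied."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=32
    )
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute the fingerprint with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


# Minimal credential store: username -> (salt, digest). The password itself is never kept.
def register(store: Dict[str, Tuple[bytes, bytes]], user: str, password: str) -> None:
    store[user] = hash_password(password)


def login(store: Dict[str, Tuple[bytes, bytes]], user: str, password: str) -> bool:
    record = store.get(user)
    if record is None:
        # Do the same amount of work for unknown users so response time
        # does not reveal which usernames exist.
        hash_password(password, b"\x00" * SALT_BYTES)
        return False
    salt, digest = record
    return verify_password(password, salt, digest)


def salt_effect(password: str) -> Tuple[bool, bool]:
    """For two users sharing a password, return
    (unsalted fingerprints identical?, salted fingerprints identical?)."""
    unsalted_same = unsalted_sha256(password) == unsalted_sha256(password)
    (_, d1), (_, d2) = hash_password(password), hash_password(password)
    return unsalted_same, d1 == d2


if __name__ == "__main__":
    users: Dict[str, Tuple[bytes, bytes]] = {}
    register(users, "demo-user", "dadada")          # constructed sample account
    print("correct password accepted:", login(users, "demo-user", "dadada"))
    print("wrong password rejected:", not login(users, "demo-user", "Dadada"))
    print("(unsalted identical, salted identical):", salt_effect("dadada"))
```

The store only ever holds the salt and the derived fingerprint, so a copy of it does not directly yield passwords; an attacker is forced back to guessing, and the per-user salt means each guess has to be recomputed for every account rather than once for all of them.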

To the user, it’s still just a password. And users need dozens of them. Worse still, passwords must be complicated. Users aren’t allowed to write them down or use the same one repeatedly, and many systems require that the user change their password every few months. Couple that with users needing them for both work-related and personal uses and the strain of passwords is self-evident.

Remembering passwords isn’t even the biggest issue. They’re also terrible security. According to Verizon’s 2017 Data Breach Investigations Report (DBIR), 81% of hacking-related breaches leveraged either stolen or weak passwords. The 2018 DBIR was even more succinct, describing passwords as being ‘as useless as the “g” in lasagna’.

Sceptical? Then let’s have a quick look at what a hacker might need to steal your password (other than simply tricking you into giving it to them). The hacker might listen to your traffic on your network. The hacker might find a slip of paper where you’ve written it down. The hacker might trick you into installing bad files, such as malware, onto your computer. Or they might simply write their own computer program to automatically “guess” all possible password combinations. That’s called brute-forcing and is relatively easy to do with modern-day PCs.

The 2013 Twitter breach is one of many high-profile, real-world examples of this. According to Twitter, attackers may have had access to user information – including usernames, email addresses, session tokens and encrypted/salted versions of passwords – for a quarter of a million users.

Another high-profile incident involved Facebook founder Mark Zuckerberg. Zuckerberg’s Twitter and Pinterest accounts were hacked in 2016, with a group called OurMine Team claiming responsibility. His accounts were compromised because he re-used the password “dadada”. Six characters, all lowercase. If anyone should know better, it’s Zuckerberg.

This example is instructive for several reasons. It isn’t enough for an organisation to worry about being breached itself. It also needs to be concerned about other services that it may or may not have a relationship with, because its users reuse credentials across them. Security can be thought of as an ecosystem, or better yet, a row of dominoes. When one falls, several others fall too.

So what’s the solution to securing access if passwords aren’t the answer? The first step is for enterprises to use the data they already have on their users. Today, IT managers know who their users are, where they are, the device or devices they’re using and more. Collating this information, IT managers can monitor a user’s behaviour to build a profile of what’s normal activity and what’s not.

Take for example a CFO wanting to read profit and loss reports. They might do it in the office, at home or even in transit. IT knows this about the CFO and can confidently grant access. But if the same request came from a low-level employee, accessing the data at an odd hour from an unknown device, then the access attempt should be flagged and access blocked.

These identity insights are even more powerful when combined with technologies providing visibility into other risk factors, such as malware, ransomware and unpatched software. Again, machine learning and analytics can identify potential malware, and network forensics can flag suspicious traffic from a particular device.

By co-ordinating a response and drawing on the list of devices and users currently under investigation as potentially compromised, the access management team can adapt its log-in controls. It can block a suspicious access attempt outright, or ask for more proof that a user is who they say they are. That proof could take a form that is hard to attack, such as a biometric.

The final step is to understand the business context. An example of this is identifying whether an application is a gateway to other resources within the organisation. If an attacker gains access to a web server (or an Internet of Things device), could that give them a pathway to more sensitive data? Business context also means knowing what data is valuable, and what is not.

To return to an earlier example: a threat pathway that leads to sensitive profit and loss statements requires an immediate response. One that merely gives access to an intern’s resume does not warrant such a high-level reaction.
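The three steps above (a behavioural baseline from data IT already holds, a watchlist of devices and users under investigation feeding adaptive log-in controls, and business context about which resources matter) can be combined into one access decision. The following is an added example, not code from the article or from RSA, of such a policy engine. The user profiles, device identifiers, resource names, sensitivity tiers and risk thresholds are all constructed for the demonstration; the CFO and intern scenarios follow the ones the article describes.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set, Tuple


@dataclass
class UserProfile:
    """Baseline built from data IT already holds: role, devices, hours, locations."""
    user: str
    role: str
    known_devices: Set[str]
    usual_hours: range            # local hours in which this user is normally active
    usual_locations: Set[str]


@dataclass
class AccessRequest:
    user: str
    resource: str
    device_id: str
    location: str
    when: datetime


@dataclass
class Watchlist:
    """Devices and users currently under investigation as potentially compromised."""
    devices: Set[str]
    users: Set[str]


# Constructed business context: who may touch what, and how sensitive each resource is.
# A resource missing from the sensitivity map is treated as high sensitivity.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "cfo": {"pnl-reports", "intern-resumes"},
    "hr-intern": {"intern-resumes"},
}
RESOURCE_SENSITIVITY: Dict[str, str] = {"pnl-reports": "high", "intern-resumes": "low"}
# Risk thresholds per tier as (ask for step-up at, block at). Constructed values.
THRESHOLDS: Dict[str, Tuple[int, int]] = {"high": (2, 6), "low": (5, 8)}


def risk_score(profile: UserProfile, req: AccessRequest, watch: Watchlist) -> Tuple[int, List[str]]:
    """Score how far this request departs from the user's normal behaviour."""
    score, reasons = 0, []
    if req.device_id not in profile.known_devices:
        score += 3; reasons.append("unknown device")
    if req.when.hour not in profile.usual_hours:
        score += 2; reasons.append("unusual hour")
    if req.location not in profile.usual_locations:
        score += 2; reasons.append("unusual location")
    if req.device_id in watch.devices or req.user in watch.users:
        score += 6; reasons.append("on investigation watchlist")
    return score, reasons


def decide(profile: UserProfile, req: AccessRequest, watch: Watchlist) -> Tuple[str, int, List[str]]:
    """Return ("allow" | "step-up" | "block", score, reasons). Entitlement is checked first;
    the risk score is then judged against thresholds that tighten with resource sensitivity."""
    if req.user != profile.user:
        return "block", 0, ["profile does not belong to requesting user"]
    if req.resource not in ROLE_ENTITLEMENTS.get(profile.role, set()):
        return "block", 0, ["role not entitled to resource"]
    score, reasons = risk_score(profile, req, watch)
    step_up_at, block_at = THRESHOLDS[RESOURCE_SENSITIVITY.get(req.resource, "high")]
    if score >= block_at:
        return "block", score, reasons
    if score >= step_up_at:
        return "step-up", score, reasons
    return "allow", score, reasons


# Constructed profiles: a CFO who works from the office, home and in transit, and an intern.
CFO = UserProfile("alice", "cfo", {"laptop-a1", "laptop-x9"}, range(6, 23), {"office", "home", "transit"})
INTERN = UserProfile("bob", "hr-intern", {"desktop-b7"}, range(8, 19), {"office"})
PROFILES = {"alice": CFO, "bob": INTERN}
WATCH = Watchlist(devices={"laptop-x9"}, users=set())   # laptop-x9 flagged by malware analytics


def run_scenarios() -> Dict[str, str]:
    """Constructed requests covering the article's cases; returns scenario -> decision."""
    day = lambda h, m=0: datetime(2018, 4, 24, h, m)
    cases = {
        "cfo_pnl_from_home_evening": AccessRequest("alice", "pnl-reports", "laptop-a1", "home", day(21, 30)),
        "cfo_pnl_new_device": AccessRequest("alice", "pnl-reports", "laptop-new", "office", day(10)),
        "cfo_resumes_new_device": AccessRequest("alice", "intern-resumes", "laptop-new", "office", day(10)),
        "cfo_pnl_watchlisted_device": AccessRequest("alice", "pnl-reports", "laptop-x9", "office", day(10)),
        "cfo_resumes_watchlisted_device": AccessRequest("alice", "intern-resumes", "laptop-x9", "office", day(10)),
        "intern_pnl_3am_unknown_device": AccessRequest("bob", "pnl-reports", "phone-zz", "cafe", day(3)),
        "intern_resumes_normal": AccessRequest("bob", "intern-resumes", "desktop-b7", "office", day(11)),
    }
    return {name: decide(PROFILES[r.user], r, WATCH)[0] for name, r in cases.items()}


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:34s} -> {outcome}")
```

The same anomaly (a new device, or a device on the investigation list) produces a different outcome depending on the sensitivity of what is being requested: for the profit and loss reports it triggers a step-up or a block, while for the intern resumes the low-value tier lets the request through or merely asks for extra proof. The returned reasons list is what an analyst would see when reviewing why a log-in was challenged.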

By taking these steps, an organisation can secure itself against attacks without putting onerous password requirements onto its users or needing to have constant (and fallible) human intervention into access attempts. Today’s systems are too complex, too spread out and without the traditional borders such as firewalls that used to keep organisations safe. Using machine learning and automation, access can be simplified for users, while protecting organisations and their crown jewel data assets.

Article by RSA senior security architect APJ, Craig Dore.
