Story image

Passwords: They're as useless as the 'g' in lasagna

24 Apr 18

Since the dawn of the digital age, passwords have been the number one way to authenticate users into computer systems. Early on, when people referred to security, what they were really referring to was a password database that simply stored a user’s recorded password and compared it to what the user submitted when they logged in. Did they match? Great, you’re in.

Fast forward to today and passwords still haven’t gone away, albeit with a few enhancements. Using mathematics, the password is scrambled. It might be “salted” (mixed with randomness). It is likely “hashed” (fingerprinted as a unique numerical value).

To the user, it’s still just a password. And users need dozens of them. Worse still, passwords must be complicated. Users aren’t allowed to write them down or use the same one repeatedly, and many systems require that the user change their password every few months. Couple that with users needing them for both work-related and personal uses and the strain of passwords is self-evident.

Remembering passwords isn’t even the biggest issue. They’re also terrible security. According to Verizon’s 2017 Data Breach Investigations Report (DBIR), 81% of hacking-related breaches leveraged either stolen or weak passwords. The 2018 DBIR report was even more succinct, describing passwords as being ‘as useless as the “g” in lasagna’.

Sceptical? Then let’s have a quick look at what a hacker might need to steal your password (other than simply tricking you into giving it to them). The hacker might listen to your traffic on your network. The hacker might find a slip of paper where you’ve written it down. The hacker might trick you into installing bad files, such as malware, onto your computer. Or they might simply write their own computer program to automatically “guess” all possible password combinations. That’s called brute-forcing and is relatively easy to do with modern-day PCs.

The 2013 Twitter breach is one of many high profile examples of this happening in the real world. Hackers may have, according to Twitter, had access to user information – including usernames, email addresses, session tokens and encrypted/salted versions of passwords – for a quarter of a million users.

Another high profile incident involved Facebook founder Mark Zuckerberg. Zuckerberg’s Twitter, and Pinterest accounts were hacked in 2016, with a group called OurMine Team claiming responsibility. His accounts were compromised because he re-used the password “dadada”. Six characters, all lowercase. If anyone should know better, it’s Zuckerberg.

This example is instructive for a number of reasons. It’s not enough that an organisation needs to worry about getting breached themselves. They also need to be concerned about other services that they may or may not have a relationship with. Security can be thought of as an ecosystem, or better yet, a stack of dominos. When one falls, several others fall too.

So what’s the solution to securing access if passwords aren’t the answer? The first step is for enterprises to use the data they already have on their users. Today, IT managers know who their users are, where they are, the device or devices they’re using and more. Collating this information, IT managers can monitor a user’s behaviour to build a profile of what’s normal activity and what’s not.

Take for example a CFO wanting to read profit and loss reports. They might do it in the office, at home or even in transit. IT knows this about the CFO and can confidently grant access. But if the same request came from a low-level employee, accessing the data at an odd hour from an unknown device, then the access attempt should be flagged and access blocked.

These identity insights are even more powerful when combined with technologies providing visibility into other risk factors, such as malware, ransomware and unpatched software. Again, machine learning and analytics can identify potential malware, and network forensics can flag suspicious traffic from a particular device.

By co-ordinating a response and using a list of devices and users that are being investigated as being potentially compromised, the access management team can adapt their log-in controls. They can block access to a suspicious resource or ask for more proof that a user is who they say they are. This could take the form of something hard to attack, like a biometric.

The final step is to understand the business context. An example of this is identifying whether an application is a gateway to other resources within the organisation. If an attacker gains access to a web server (or an Internet of Things device), could that give them a pathway to more sensitive data? Business context also means knowing what data is valuable, and what is not.

To tap an earlier example, if there’s a threat pathway to gain access to sensitive profit and loss statements, then that requires an immediate response. But if it’s merely giving access to an intern’s resume, then it doesn’t require such a high level reaction.

By taking these steps, an organisation can secure itself against attacks without putting onerous password requirements onto its users or needing to have constant (and fallible) human intervention into access attempts. Today’s systems are too complex, too spread out and without the traditional borders such as firewalls that used to keep organisations safe. Using machine learning and automation, access can be simplified for users, while protecting organisations and their crown jewel data assets.

Article by RSA senior security architect APJ, Craig Dore.

52mil users affected by Google+’s second data breach
Google+ APIs will be shut down within the next 90 days, and the consumer platform will be disabled in April 2019 instead of August 2019 as originally planned.
GirlBoss wins 2018 YES Emerging Alumni of the Year Award
The people have spoken – GirlBoss CEO and founder Alexia Hilbertidou has been crowned this year’s Young Enterprise Scheme (YES) Emerging Alumni of the Year.
SingleSource scores R&D grant to explore digital identity over blockchain
Callaghan Innovation has awarded a $318,000 R&D grant to Auckland-based firm SingleSource, a company that applies risk scoring to digital identity.
IDC: Standalone VR headset shipments grow 428.6% in 3Q18
The VR headset market returned to growth in 3Q18 after four consecutive quarters of decline and now makes up 97% of the combined market.
Spark Lab launches free cybersecurity tool for SMBs
Spark Lab has launched a new tool that it hopes will help New Zealand’s small businesses understand their cybersecurity risks.
Preparing for the future of work – growing big ideas from small spaces
We’ve all seen it: our offices are changing from the traditional four walls - to no walls. A need to reduce real estate costs is a key driver, as is enabling a more diverse and agile workforce.
Bluetooth-enabled traps could spell the end for NZ's pests
A Wellington conservation tech company has come up with a way of using Bluetooth to help capture pests like rats and stoats.
CERT NZ highlights rise of unauthorised access incidents
“In one case, the attacker gained access and tracked the business’s emails for at least six months. They gathered extensive knowledge of the business’s billing cycles."