Has the password aged all that well? While it has been a fixture of authentication ever since the days of the Compatible Time-Sharing System at the Massachusetts Institute of Technology in the early 1960s, subsequent advances in cybersecurity – hashing and salting, most notably – have not completely eliminated all pitfalls of password use:
- A landmark Microsoft study from 2007 found that the typical Web user had 25 accounts but only 6.5 unique passwords to protect them. Since that time, the consumerization of technology and mobile apps – many of which may possess their own login system or use Facebook, Google+ or Twitter – has only made matters more difficult. In 2012, Experian revealed that the average 25-34-year-old had 40 accounts online.
- Despite websites insisting that users create passwords that meet minimum requirements for length and character variety, weak passwords abound. A 2014 SplashData report cited "123456" as the most common credential, having overtaken longstanding champion "password."
- Password-cracking techniques such as offline dictionary attacks have become increasingly efficient. Last year, after Ars Technica gave three experts an encrypted password file with 16,000 entries, one of the individuals successfully revealed 90 percent of them. Even Ars Technica editor and admitted cryptography novice Nate Anderson deciphered 47 percent of the same document.
Still, the sun isn't setting on the password just yet. Alternative authentication mechanisms such as fingerprint and iris scanners, SMS verification codes and security questions have their own flaws, and for now they lag behind password-only systems, even with the emergence of biometrically capable devices such as the iPhone 5S.
Passwords are certainly convenient, not to mention cost-effective because they require no dedicated hardware or elaborate procedures. But in the wake of a recent, Russian-led campaign that may have snatched more than 1 billion credentials from around the Web, it may be time to finally move on to something safer.
Russian hack shows how credentials have become a tradable commodity
A U.S. security firm recently brought to light the possible exposure of 1.2 billion unique usernames and password combinations, as well as 500 million email addresses, from more than 420,000 Web and FTP sites. The most interesting number, however, may be the total number of breached items, which was much higher at around 4.5 billion. The massive disparity in records illustrates just how many credentials were reused across multiple accounts.
Details about the breach, which was months in the making, are scant. Graham Cluley has also raised concern that some post-incident security efforts may actually be exacerbating the problem. More specifically, consumers can check with the security firm to see if their information has been compromised, but to do so they have to repeatedly enter their passwords on a Web form, which would seem to violate the principle of keeping passwords unique and secret.
All the same, the theft appears to be the real deal, with researcher Brian Krebs vouching for the integrity of the methods used to discover it and measure its impact. What happens next? The enormous volume of stolen logins and email addresses is likely to become fuel for global botnets that distribute spam through hijacked accounts.
For enterprises, the Russian incident underscores the stakes of ensuring that network security is fortified with strong access controls and password managers. Even a simple oversight like an abandoned account that wasn't properly closed could become a liability and ultimately be turned into a spambot. Takeaways from this breach and others of its kind, such as the ones affecting Target and Adobe last year, include:
- Rising value of credentials means that attacks should be expected: In 2012, credentials made up 90 percent of the 12 million pieces of illegally harvested data traded by cybercriminals. Credit card data, while difficult to obtain (it often stays safely encrypted even after major heists such as the May 2014 one affecting eBay), remains a prime target.
- Don't place too much trust in Web companies to properly steward information: While end users shoulder some blame for recycling their logins, their data isn't always in safe hands. Web companies may store credentials in plaintext or protect them with weak, unsalted hash functions.
- Avoid reusing or sharing passwords: This lesson sounds (and is) basic, but it hasn't been learned, as the aforementioned disparity illustrates. Password managers are often relatively easy to set up, but do individuals and organizations need something even more straightforward?
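The takeaways above hinge on two things the article only names: how credentials are hashed and salted, and why reuse shows up so plainly in a leaked table. The following added example (not code from the article or any vendor it mentions) contrasts a fast, unsalted hash with a salted PBKDF2 record, and shows that identical stored values expose reuse in the first scheme but not the second. The iteration count, salt length and record layout are assumptions chosen here; the sample accounts are constructed.

```python
import hashlib
import hmac
import os

# Weak scheme the article warns about: a fast, unsalted hash.
# Every user with the same password gets the same stored value.
def store_unsalted(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# Salted, slow scheme: PBKDF2-HMAC-SHA256 with a random per-user salt.
# ITERATIONS and the 16-byte salt are assumed parameters, not values from the article.
ITERATIONS = 200_000

def store_salted(password, salt=None):
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    # Record format (assumed): algorithm$iterations$salt_hex$digest_hex
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())

def verify_salted(password, record):
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    # Constant-time compare so timing does not leak digest bytes.
    return hmac.compare_digest(digest.hex(), digest_hex)

def reused_password_groups(records):
    """Group user names whose stored values are identical.
    Under an unsalted scheme this reveals password reuse across accounts
    without recovering a single password; under a salted scheme it finds nothing."""
    by_value = {}
    for user, value in records.items():
        by_value.setdefault(value, set()).add(user)
    return [users for users in by_value.values() if len(users) > 1]

# Constructed sample: three accounts, two of them reusing "123456",
# the most common password cited in the article.
SAMPLE = {"alice": "123456", "bob": "123456", "carol": "correct horse"}
UNSALTED_TABLE = {u: store_unsalted(p) for u, p in SAMPLE.items()}
SALTED_TABLE = {u: store_salted(p) for u, p in SAMPLE.items()}

if __name__ == "__main__":
    print("reuse visible in unsalted table:", reused_password_groups(UNSALTED_TABLE))
    print("reuse visible in salted table:  ", reused_password_groups(SALTED_TABLE))
    print("alice verifies:", verify_salted("123456", SALTED_TABLE["alice"]))
```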
Are wearables, data analytics and two-factor authentication the answer to password pains?
Relying on password-based authentication is going to be risky as long as end users create their own codes and companies have an incentive to cut corners for the sake of convenience and cost (passwords have both in spades). In recent years, there has been growing momentum for password alternatives centered on smartphones capable of collecting, collating and analyzing user data, in theory to ensure that only the rightful owner can access his or her accounts.
Certainly, the myriad sensors in smartphones, such as the fingerprint reader in the iPhone 5S, open new avenues for authentication. Similarly, data collection could be extended by auxiliary devices such as wristbands that monitor cardiac rhythms and then relay the patterns back to a smartphone via Bluetooth for verification. It's much harder to fake a fingerprint or heartbeat than a simple password.
Plenty of work is being done on new authentication standards such as FIDO, and the FIDO Alliance is pushing for easy-to-use biometrics as well as improved password security through two-factor authentication. This is good news, since there's room for improvement in mechanisms such as facial recognition (too dependent on lighting) and SMS. Trend Micro researchers recently discovered flaws in the latter approach in their study of banks in Europe and Asia. SMS is a common way to deliver a session token for authenticating identity, but it is used because it is inexpensive, not because it's the most secure option available.
"[B]anks let most of their customers use session tokens with the aid of SMS and leave more secure methods for premium clients only or as an alternative option, possibly due to increased operating costs and ease of use," wrote the researchers.
With better solutions on the horizon, ideally the era of difficult, sometimes unsecured two-factor authentication will soon be over. If the password also goes out of style, that would be a boon to consumers and enterprises, but for now each group should be diligent about creating unique logins and using a password manager wherever possible.