Tuesday, March 4, 2014

A Password is Not Enough

Top Secret
10,000 years ago, Grog and Mag formed a secret club. To ensure new members of the club would be accepted, they came up with a secret phrase. Thus was born the first password. One day Narg overheard two members greeting one another and learned the secret phrase. Thus occurred the first password breach.

Fast forward to 1962. MIT’s Compatible Time-Sharing System (an early multi-user computer) was one of the first computers to use passwords as a means of keeping users’ personal files separate. A Ph.D. researcher had been allotted a certain amount of time each week on the CTSS, but it wasn’t enough time to run the full simulations he had designed. Rather than suffer the atrocity of abiding by the rules, he found a way to print a copy of the password database so he could use other users’ time allotments. Thus occurred the first documented case of account compromise through password theft.

Limitations in password security

The first half of this is a fictitious account (the MIT CTSS story actually happened), but the moral is the basis for this post. Passwords (or even passphrases) allow for some degree of protection, but they can be compromised. Think about it: for your password to be useful, the computer or web site you are logging into must recognize the password – in other words, the password (or preferably a hash of the password) has to be stored somewhere. If this password database is stolen, depending on how the passwords or hashes are stored, it may be possible for the attacker to recover the original password of some or all the users. Owners of some 300 million accounts at Adobe, MacRumors, LivingSocial, LinkedIn, and Sony (Playstation), just to name a few recent examples, discovered this the hard way.

Passwords are also frequently-used - which means there are many opportunities for a password to be captured during use. How often do you use your password? How often do you log in to a computer or email account or web site? Each login event is an opportunity for your password to be stolen – by someone looking over your shoulder, by a keylogger device or app, by someone that intercepts your network conversation, by a malicious wireless access point. Industry best practices demand that your browser have a secured (encrypted) channel to the web site before you log in; this helps but still there are many opportunities for a password to be lifted.

Weak passwords and re-used passwords are another limitation. How many passwords do you have? How many accounts do you have? Do you remember every password? Do you use the same password everywhere? Re-used passwords mean that if one site is compromised, the attacker can now log into other accounts. Passwords on sticky notes under the keyboard or on the monitor are a long-standing joke in the security industry, but are absolutely true. I could walk through just about any business in the country and log on to the network using a password written down on someone's desk.

Passwords and passphrases are a hurdle an attacker must overcome, but they can be overcome. Using strong passwords (mixing upper and lowercase characters with numbers and symbols, and using a long phrase instead of a short dictionary word) helps. Using different passwords for each account helps too (and to that end, a password manager such as LastPass or KeePass is an invaluable tool for keeping track of the individual passwords for each web site and account). WhoIsHostingThis.com posted an easy-to-follow infographic that highlights some simple steps to making a password hard to break.

If passwords are not enough, then what?

Security professionals define identity and access in terms of identification and authentication. Identification is the act of claiming to be someone, while authentication is the act of proving that the identification is true. I can say I am David Longenecker, but how do you know I am not am impostor? Authentication is the proof.

Authentication generally falls into three forms. It can be something you know, such as a password or passphrase, or some other piece of knowledge you would not expect anyone else to know. Your mother’s maiden name is probably not a good secret because that can be obtained relatively easily. So too might the last 4 digits of a credit card, or your cat’s name. A second form is something you have. The classic example is a house key, but passports and driver’s licenses are also good examples. In computing, RSA tokens are a common example: you might have a small keyfob that displays a seemingly random sequence of numbers that changes every minute or so; possession of that token is a form of authentication. The final form is something you are. This is a growing area in the consumer world (Apple’s iPhone 5s shook things up by introducing a fingerprint reader, and some laptop manufacturers have used finger swipe readers for several years). Disney World and Sea World have used hand geometry for quite a while. In some high-security military and government environments, retina scans, palm prints, or voice pattern recognition are used to authenticate the user. The television show CSI turned epithelial DNA analysis into a household term; this is nothing more than authenticating a suspected criminal or victim through a biological characteristic, i.e. something you are.

Individually, any of these factors can be compromised. Your password might be stolen. Your RSA token or building access card might be stolen, or your door key or driver’s license copied. Biological authentication is a little harder to compromise, but it can be done (remember the MacGyver episode where he broke into a locked safe using a wax impression of the antagonist’s thumb print?) However, combining factors makes things exponentially harder on an attacker.

What does that mean in the real world?

A large and growing number of online services offer various types of two-factor authentication. As I have written before, much of life is an exercise in managing risk. Part of managing risk in the online world is deciding which services warrant some extra security and which really are not worth the extra effort (because truth be told, 2FA does add a little extra effort). For those that are worth the effort, check to see what the service offers.

Below are a few common examples. note that with most of these examples, you can set a device to be trusted. On a trusted device you can login without the second step (because presumably, you are in possession of the trusted device). Keep in mind that it is a two-edged sword: if your smartphone is a trusted device, and is lost or stolen, whomever has that device can access your accounts using only the password. That doesn't make trusted devices a bad thing, but you do need to keep that in mind when deciding what devices to make trusted for what services.

  • Google / Gmail - Google calls their 2FA 2-Step Verification. Each time you login and enter your password, Google will send a code to your phone via text, voice call, or the Google Authenticator mobile app. That code is usable only once, and for a limited period of time.
  • Yahoo! Mail - Yahoo Second sign-in verification is a poor substitute for 2FA, but is better than nothing ... if it is available. It is completely absent if you were at one time an AT&T customer and chose to merge your Yahoo! and AT&T accounts. Where it does work, second sign-in allows use of security questions, which defeats the purpose of two-factor authentication (two "something you knows" are NOT the same as something you know plus something you have).
  • Microsoft (Hotmail / Outlook / Live) - Microsoft two-step verification prompts you to enter a 7-digit code if you log in from a non-trusted device; that code can be texted to a phone in your profile.
  • Apple - Apple's two-step verification sends a 4-digit code to a "trusted device" (such as a smartphone you have set up as trusted) any time your Apple ID account is logged in from a new device.
  • Facebook - Login Approvals is Facebook's approach to 2FA. Facebook gives you the option of either having a code sent via text message, or using the Facebook App installed on your smartphone. I'll offer a caveat to the latter option though - versions of the Facebook app beginning with 6.0.0.28.28 now require the permission "Read your text messages (SMS or MMS)." Facebook uses this to read the 2FA code sent to your phone, eliminating the extra step for you, but to me this is Facebook extending their reach a little too far.
  • Twitter - Twitter was an early adopter of two-factor authentication, after several high-profile incidents where well-known Twitter handles were hijacked. With login verification, a 6-digit code is sent via text message to your registered phone any time you login from a new location. Login verification may have prevented the theft of a very desirable 1-character handle last month (though compromise of another account led to an extortion plot that resulted in the owner giving up the Twitter handle anyway - read the strange tale here).
  • LinkedIn - Two-Step Verification sends a code to your phone via text message when logging into your LinkedIn account from a new or unrecognized device.
  • Amazon - Multi-Factor Authentication on Amazon is limited to web services (site hosting, cloud computing, data storage) and not to the retail purchase site. That's disappointing since the purchasing account likely has physical addresses and possibly stored credit cards (which I recommend against), as well as the electronic proof of any digital purchases such as apps, movies, and music. Where Amazon excels though is in supporting the second factor as either a smartphone or computer (via text message or email code), or a physically dedicated keyfob device.
  • Financial institutions - Sadly, many banks are grossly misleading in what they call multi-factor authentication. Security questions in addition to a password are NOT a second security factor - they are still something you know. Check with your bank to find out what specifically they offer; based on public records, I could find only two US banks that offer true 2FA: Bank of America and USAA. If you are eligible for USAA membership, they are light years ahead of any other bank I am aware of in terms of account security.
  • LastPass - Lastpass offers Multifactor Authentication by way of a variety of third-party smartphone apps.




(+) Incidentally, Dr. Scherr’s story is a bit more interesting than that. His passphrase theft was a secondary event: he is also the first documented computer hacker. In his words from IEEE's 50th Anniversary Commemoration report of the CTSS, since his performance simulations involved modelling the CTSS itself, he had access to the scheduling system at the core of CTSS. He discovered how time usage for each user was stored in memory, and from there came up with a way to reset his use to zero each time it approached his allocated limit. This served him well for a couple of years, until some time after this particular project completed and the system administrators needed the storage space allocated to his project (which meant losing the ability to manipulate the system).

2014-03-07 update: thanks to two readers for pointing out that Charles Schwab and First Tech Federal Credit Union also have genuine multifactor authentication available.

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen