Computerworld

Will tech industry ever fix passwords?

After the recent security breach that hit professional social networking site LinkedIn, social media companies are scrambling to patch over their poor security practices. Wait too long to address known security holes, and CIOs should worry about seeing their companies targeted, hacked and eventually vilified in the press.

The list of major breaches gets longer every day: LinkedIn, eHarmony and Last.fm are just the recent ones. Add to that list the Department of Defense, TJX, Sony, Heartland Payment Systems, Emory Healthcare, Global Payments ... well, you see where this is going.

Damaging data breaches are the norm in 2012, not the exception.


According to the Identity Theft Resource Center, there were 189 known breaches from Jan. 1 of this year through the beginning of June. Those breaches have exposed approximately 13.7 million records.

Why LinkedIn Is Different (and Why It's Not)

The nature of the data involved helps explain why the LinkedIn breach has gotten so much attention. "LinkedIn's data is of much higher quality than other sites," says Paul Kocher, president and chief scientist at Cryptography Research, Inc. (CRI). "There is just so much information about who people really are and what is important to them."

With high-quality information, attackers can launch much more sophisticated and targeted attacks.

But in other respects, the attack isn't out of the norm. "People are shocked by LinkedIn's poor security practices, but this is widespread," Kocher noted. "Plenty of organizations are far worse off than LinkedIn. It's easy to start fixing security when you're motivated by a breach, but until then, many organizations hope for the best."

Passwords: The Root of All Data Breach Evils

A number of recent high-profile attacks (Aurora, RSA, Stuxnet, LinkedIn and attacks on many defense contractors) have been traced to compromised passwords.

"The modus operandi has been similar -- a targeted email containing malware infiltrates a PC and hides its tracks using a rootkit. Later it contacts its command server and downloads a keylogger/screen scraper module, which performs the intended objective: stealing user credentials resulting in the theft of vital data," says George Waller, executive vice president at security firm StrikeForce Technologies.

To make matters worse, in this age of cloud computing, SaaS and increased mobility, users are spreading their credentials everywhere. Passwords are inherently weak. Dictionary attacks are standard and rainbow tables can be used to crack more sophisticated passwords.

"The concept of having users deploy their passwords to every cloud site is nuts," says Garret Grajek, CTO of SecureAuth Corporation. "It would be a mistake, however, to conclude that this makes the cloud inherently insecure."

The standard method for authenticating users to cloud services is hardly revolutionary: user names and passwords. We're left with two choices: either improve on what we have, or replace it with something better. There is no real consensus, however, on which path to take.

For instance, when users are told to strengthen their login credentials by crafting strong passwords that are essentially gibberish with random capital letters, numbers and special characters, no one remembers them. Thus, everyone reuses their complex passwords, writes them down, or creates a "passwords" file, which is the first thing hackers look for when they access your device.

Potential password replacements don't offer any magic bullets. Solutions like hard tokens are expensive and hard to administer, and, as the RSA breach proved, they can be cracked too.

Grajek compares the authentication challenge to the AC/DC current battles of the 1880s. When DC was winning, New York City had wires strung so thickly that they almost blocked out the sky. The problem was that DC doesn't travel well, requiring sub-stations every mile and a half.

"The same mistake is true of the distribution of users' passwords at every cloud service," he says.

Every security expert that I talked to made the same point: There is no easy way to fix passwords, but standardization would certainly help us get closer to that goal.

SSO and SAML to the Rescue?

For several years now, the enterprise has been searching for single sign-on (SSO) solutions. Early ones were proprietary and unwieldy, but standards have been emerging, most notably Security Assertion Markup Language, or SAML.

"SSO is a must," says Mike Kail, vice president of IT operations at Netflix. "Once your employees start using Workday, Box and other cloud services, they start littering those services with passwords -- some unique, some not -- and any business is only as secure as its weakest password."

SAML is an XML-based framework that lets service providers exchange security information. That way, a third-party or cloud application doesn't need to store any authenticating information from your organization. Instead, SAML will deliver your users' credentials (typically from Active Directory or LDAP) to the service provider, which won't need to maintain those credentials.

Through SAML, your organization can deliver information about user identities and access privileges to a cloud provider in a safe, secure and standardized way.

The only trouble is that SAML is a B2B solution, and it's not currently set up so that it can be easily extended to consumers. This is important because if a new social network comes along that your business hasn't authorized, your employees will still set up their own credentials with that service provider. Hackers will still be able to glean valuable information from other sites in order to socially engineer attacks. If your employees have reused a strong password elsewhere, hackers may even be able to use that to penetrate your organization.

We Need Identity Brokers

Still, once SAML is standardized, authentication will be much more secure than the status quo. And standardization is pretty much a foregone conclusion. Plenty of service providers already use pre-standardized versions of SAML, and such heavy hitters as Salesforce.com, Cisco and Google all back it.

Standards like SAML will enable new services to design authentication schemes with these new mechanisms in mind. Already, plenty of B2B cloud authentication service providers handle SSO as a service for everything from on-premises applications to cloud and even mobile ones. These providers then act as identity providers (IdPs). The list of vendors is long, and each has a different approach, including Okta, PhoneFactor, Ping, SecureAuth and Symplified. And it's not just startups in this game, with CA, HP, Juniper, RSA and other major security players involved as well.

To handle its sprawling identity challenge, Netflix turned to OneLogin, which provides cloud-based SSO services. OneLogin ties into Netflix's Active Directory, so its employees no longer have to worry about multiple passwords for multiple services.

"Most passwords are stolen through phishing attacks, but if you no longer have to enter a password, you can't be tricked by a fake login page," Kail says.

For consumers, there are already two SSO options that are gaining traction: Google and Facebook. However, neither company is known for its rock-solid security practices. The consumer-facing SSO systems are based on a kind of SAML lite, called OpenID. A recent Microsoft-sponsored study found that consumer-facing SSO is more about convenience than security. (Note: take this research with a grain of salt, since Facebook and Google are two of Microsoft's main rivals.)

An SSO login creates a virtual handshake between the website a user wants to access and the IdP, i.e. Google or Facebook. Basically, the new site will ask for the verification of user credentials, and the IdP will in essence give a "yes" or "no." But in streamlining things down to a binary decision, there is plenty of room for error.

One of the holes the report identified was that OpenID-based flows let shortcuts through in many identity checks. If a site asked the IdP to confirm the user's first name, last name, email address and ZIP code, the site might not verify that every requested attribute actually came back. For instance, the researchers intercepted the request, deleted a key piece of requested information (such as the email address) before it reached the OpenID-based service, and then re-inserted it in the signed "okay" that came back. This is clearly a huge hole: an attacker who doesn't control the victim's email address (whose owner may be alerted when a sign-in comes from an unrecognized device) can bypass that safeguard.

Moreover, the researchers were able to use Facebook's authentication system to hijack users' accounts on the social network. Reportedly, all of these holes have been fixed since the report came out, but the research does shine a light on the security sacrifices made for the sake of convenience.
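The flaw described above comes down to what the relying site actually checks when the identity provider's signed "okay" arrives. The following is an added example, not code from the article or from any OpenID or SAML implementation: a hypothetical IdP signs the full set of attributes plus an audience and expiry, and two relying-party checks are shown side by side. The lax check only asks "is the signature valid?" and so accepts an assertion from which the email address was stripped; the hardened check also requires every requested attribute to be present and covered by the signature, so both the stripped assertion and one with the email re-inserted afterwards are rejected. The shared HMAC secret, the claim names and the assertion format are assumptions of this example (real deployments use public-key signatures).

```python
import copy
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed shared secret between a hypothetical identity provider (IdP) and
# relying party (RP). Production SAML/OpenID deployments use public-key
# signatures; an HMAC keeps this example self-contained while demonstrating the
# same property: the signature must cover every attribute the RP relies on.
IDP_SECRET = b"constructed-demo-secret-do-not-reuse"
AUDIENCE = "https://rp.example.test"  # hypothetical relying party identifier
REQUIRED_CLAIMS = ("first_name", "last_name", "email", "zip")


def canonical(payload: dict) -> bytes:
    """Deterministic serialisation so issuer and verifier hash identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def idp_issue_assertion(user: dict, audience: str, ttl: int = 300,
                        now: Optional[float] = None) -> dict:
    """Hypothetical IdP: sign the full claim set together with audience and expiry."""
    now = time.time() if now is None else now
    payload = {"claims": dict(user), "aud": audience, "exp": int(now + ttl)}
    sig = hmac.new(IDP_SECRET, canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def rp_verify_lax(assertion: dict) -> bool:
    """The shortcut the report describes: only ask the IdP 'yes or no'.
    A valid signature over a *smaller* claim set is still accepted."""
    expected = hmac.new(IDP_SECRET, canonical(assertion["payload"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["sig"])


def rp_verify(assertion: dict, required=REQUIRED_CLAIMS, audience: str = AUDIENCE,
              now: Optional[float] = None):
    """Hardened RP check: signature, audience, expiry, and every required claim present.
    Returns (ok, reason)."""
    now = time.time() if now is None else now
    payload = assertion.get("payload", {})
    expected = hmac.new(IDP_SECRET, canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion.get("sig", "")):
        return False, "bad signature"
    if payload.get("aud") != audience:
        return False, "wrong audience"
    if payload.get("exp", 0) < now:
        return False, "expired"
    claims = payload.get("claims", {})
    missing = [c for c in required if not claims.get(c)]
    if missing:
        return False, "missing claims: " + ",".join(missing)
    return True, "ok"


def demo() -> dict:
    """Walk through the genuine, stripped and re-inserted cases (constructed data)."""
    user = {"first_name": "Ada", "last_name": "Lovelace",
            "email": "ada@example.test", "zip": "12345"}
    genuine = idp_issue_assertion(user, AUDIENCE, now=1000)
    # Assertion issued without the email attribute (the field was dropped in transit).
    stripped_user = {k: v for k, v in user.items() if k != "email"}
    stripped = idp_issue_assertion(stripped_user, AUDIENCE, now=1000)
    # The same assertion with an email value put back after signing.
    reinserted = copy.deepcopy(stripped)
    reinserted["payload"]["claims"]["email"] = "someone-else@example.test"
    return {
        "genuine": rp_verify(genuine, now=1001),
        "stripped_lax": rp_verify_lax(stripped),
        "stripped_strict": rp_verify(stripped, now=1001),
        "reinserted_strict": rp_verify(reinserted, now=1001),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The design point is that the binary answer from the IdP is only trustworthy if the relying party checks what the signature actually covers: audience (so a token for one site can't be replayed at another), expiry, and the complete attribute set it asked for.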

That's not to say that consumer-facing SSO is a pipedream. It's not. Even the flawed OpenID-based SSO mechanisms are better than the status quo of entering passwords for every site a user accesses on the Web. Rather, the point is that there's a lot of work to be done before we can consider this problem more or less solved.

Fixing Passwords, What You Can Do Now

In the meantime, as we all wait for better authentication mechanisms to become standardized, there are plenty of things you can do to boost your security, but you have to make an effort.

"Nearly every device already has strong authentication features. It's just up to their users to use them," says Taher Elgamal, chief security advisor for business software provider Axway and one of the inventors of SSL. "Laptops have had hardware cryptography for years, but nobody uses it. New mobile phones have some innovative authentication features, but there is currently no standard interface between Web servers and the authentication features."

There are also easy steps that service providers and employers can take. As any security professional will tell you, your house doesn't have to be 100 percent impenetrable. That's an unrealistic goal. But if it's more secure than your neighbors' houses, you'll have a much lower risk of a break-in.

5 Things Consumers Should Do to Strengthen Passwords

Never share passwords with anyone, not even your spouse. Even if you trust the person completely, do you trust that they'll never be lured by a spear phishing attack that may have you as the actual target?

Don't reuse passwords, and rely only on strong passwords, meaning long passwords with numbers, capital letters and special characters. You can either develop mnemonic tricks to remember these, or use password management tools like 1Password or LastPass.

Turn on enhanced authentication and security when it's available. For instance, Facebook, Google and others offer enhanced security features, such as SMS notifications if an unknown device attempts to access your account.

Use tools you already have, such as time-outs and screen locks on mobile phones.

Pay attention to your social interactions. Be careful not to broadcast your date of birth, anniversary, name of your high school or other identifying factors that could allow hackers to pass through challenge questions.

5 Things Businesses Should Do to Strengthen Authentication

Have strong protections in place for any user credentials. At a minimum, passwords should be hashed (run through a one-way function so the plaintext is never stored) and the databases encrypted. Better still, "salt" passwords by adding a random string to each one before hashing, so that two users with the same password don't end up with the same stored hash.

Require that users create strong, long passwords.

Offer enhanced account protections, such as SMS warnings when a user's account is accessed from a suspect IP address or unknown device.

Embrace multifactor authentication. If it is not a compulsory mechanism, at least start rolling it out in stages, starting with your most sensitive applications and highest-risk end users.

Conduct regular audits and security reviews.
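The "enhanced account protections" item in the checklist above (an SMS warning when an account is accessed from a suspect IP address or unknown device, a control that also reappears in the breach clean-up steps later in the article) is straightforward to prototype. The following is an added example, not code from the article or from any vendor named in it: it replays a constructed sequence of login events, builds a per-account baseline of devices and /24 networks seen on successful logins, and emits a warning for any successful login from an unknown device, an unfamiliar network, or one preceded by repeated failures. Seeding the baseline from the first successful login, the /24 coarsening and the failure threshold are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed login events in the order a service would record them (not real data).
LOGIN_EVENTS = [
    {"user": "alice", "ip": "203.0.113.10", "device_id": "dev-a1", "ok": True},
    {"user": "alice", "ip": "203.0.113.11", "device_id": "dev-a1", "ok": True},   # same network, known device
    {"user": "alice", "ip": "198.51.100.7", "device_id": "dev-zz", "ok": True},   # new device on a new network
    {"user": "bob",   "ip": "192.0.2.5",    "device_id": "dev-b1", "ok": False},
    {"user": "bob",   "ip": "192.0.2.5",    "device_id": "dev-b1", "ok": False},
    {"user": "bob",   "ip": "192.0.2.5",    "device_id": "dev-b1", "ok": True},   # success right after failures
    {"user": "bob",   "ip": "192.0.2.5",    "device_id": "dev-b1", "ok": True},   # routine
]


@dataclass
class Profile:
    """What the service has previously seen for one account."""
    devices: set = field(default_factory=set)
    networks: set = field(default_factory=set)
    failed_since_success: int = 0


def network_of(ip: str) -> str:
    """Coarsen an address to its /24 so a DHCP change on the same network is not 'new'."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def evaluate(events) -> List[Tuple[str, str, str, List[str]]]:
    """Return (user, ip, device_id, reasons) for each successful login that
    should trigger a warning. The first successful login seeds the baseline
    (an assumption of this example) and never alerts on its own."""
    profiles: Dict[str, Profile] = {}
    alerts = []
    for e in events:
        p = profiles.setdefault(e["user"], Profile())
        if not e["ok"]:
            p.failed_since_success += 1
            continue
        net = network_of(e["ip"])
        reasons = []
        if p.devices and e["device_id"] not in p.devices:
            reasons.append("unknown device")
        if p.networks and net not in p.networks:
            reasons.append("unfamiliar network")
        if p.failed_since_success >= 2:
            reasons.append(f"{p.failed_since_success} failed attempts since last success")
        if reasons:
            alerts.append((e["user"], e["ip"], e["device_id"], reasons))
        # Only successful logins extend the baseline; failures never do.
        p.devices.add(e["device_id"])
        p.networks.add(net)
        p.failed_since_success = 0
    return alerts


def warning_text(alert) -> str:
    """Message body for the SMS or e-mail notification (constructed wording)."""
    user, ip, device, reasons = alert
    return (f"New sign-in to {user}'s account from {ip} ({device}): "
            f"{'; '.join(reasons)}. Not you? Secure your account.")


if __name__ == "__main__":
    for alert in evaluate(LOGIN_EVENTS):
        print(warning_text(alert))
```

A real deployment would persist the profiles, expire stale devices, and rate-limit the notifications, but the decision logic stays the same: alert on successful logins that don't match what the account has done before, and never let failed attempts teach the baseline.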

10 Steps to Clean up after a Breach

The steps below come from a senior executive at a Fortune 100 financial institution, who prefers to remain anonymous. CIO.com asked him what he would do if he were asked to clean up after a LinkedIn-scale breach.

Keep in mind that the financial industry has many more regulations in place than most sectors, but his advice applies broadly.

Realize that it's important to understand the breach in detail. The goal is to figure out exactly why it happened and how to prevent it, not to assign blame.

Interview all stakeholders (network, security, system and business) to understand the root causes better.

Fix the problem, obviously, but move beyond tactical decisions to form a strategic security plan for the future.

Communicate the situation clearly to end users. Then, develop a plan for ongoing training.

Embrace stronger credential storage and encryption practices, including migration to SHA-512 with salting.

Migrate to multi-factor authentication for B2B applications and internal users.

For consumer-facing applications and guests or partners, consider offering enhanced account protections, such as notifying consumers if their account has been accessed from an unusual IP address or an unknown device.

Review and build better network zoning, including upgraded firewalls, IPSs, routers, etc.

Enhance the software development lifecycle. This includes practices like periodic internal and external audits and security reviews, as well as ongoing monitoring and detection of unusual patterns.

Share your experiences and help standards bodies develop standards for authentication, identity enforcement, digital signatures and so on.
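The credential-storage step above ("SHA-512 with salting") and the matching item in the business checklist earlier in the article both leave open how the migration is actually done for existing accounts. The following is an added example, not code from the article or from the executive quoted: it contrasts a plain unsalted SHA-512 (where every user with the same password gets the same hash) with a salted, iterated PBKDF2-HMAC-SHA512 record, verifies in constant time, and upgrades a legacy record at the moment of a successful login, which is the only time the plaintext is available. The record formats, the 16-byte salt and the iteration count are assumptions of this example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed parameters (not from the article): PBKDF2-HMAC-SHA512 with a 16-byte
# random salt per password and a high iteration count, so each guess costs the
# attacker roughly the same work it costs the server.
ITERATIONS = 210_000
SALT_BYTES = 16


def unsalted_sha512(password: str) -> str:
    """The weak pattern: one plain SHA-512 over the password. Every user with the
    same password gets the same hash, which is what rainbow tables exploit."""
    return hashlib.sha512(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash in a self-describing record: algo$iterations$salt$digest.
    Storing the parameters with the record lets them be raised later without a flag day."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations)
    return f"pbkdf2_sha512${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha512":
        return False
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode(),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def verify_and_upgrade(password: str, stored: str) -> Tuple[bool, Optional[str]]:
    """Migration on login. Legacy records use the constructed format 'sha512$<hex>'.
    If the legacy password checks out, return a fresh salted record for the caller
    to write back in its place. Returns (ok, replacement_record_or_None)."""
    if stored.startswith("sha512$"):
        legacy_digest = stored.split("$", 1)[1]
        if hmac.compare_digest(unsalted_sha512(password), legacy_digest):
            return True, hash_password(password)
        return False, None
    return verify_password(password, stored), None


if __name__ == "__main__":
    legacy = "sha512$" + unsalted_sha512("correct horse")
    ok, upgraded = verify_and_upgrade("correct horse", legacy)
    print("legacy login ok:", ok)
    print("upgraded record:", upgraded)
    print("two users, same password, different records:",
          hash_password("hunter2") != hash_password("hunter2"))
```

Accounts that never log in again never get migrated this way, which is why a breach clean-up usually pairs the on-login upgrade with forced resets for dormant accounts.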

Jeff Vance is a Los Angeles-based freelance writer who focuses on next-generation technology trends. Follow him on Twitter @JWVance.