Rethinking Password Security
If someone had asked me, back when I was a Unix admin, whether I would be here 12 years later pontificating about password security, I would have said no chance: by then we would surely have cracked (pun intended) the problem of insecure passwords. I would have been severely wide of the mark. Even Spielberg's Back to the Future was more accurate with its prediction of hoverboards (#Ref 1).
Sadly, the situation has not changed since then. As a part-time Unix admin in those days, for a bet (and with the blessing of the department, I might add), I ran John the Ripper against the password database of our Unix research cluster: over a third of the passwords fell within a few seconds and the next third within minutes. I also won the bet by recovering a colleague's "super secure" password in under 5 minutes. The saddest part is that the passwords I found then are exactly the same ones that crop up in the Top 10 lists today:
Keyboard patterns: 123456, abc123, 1234567
Dictionary words: password, letmein, god, angel, devil (and derivations with digits substituted for letters)
Personal information: username, name, favourite team, sport
The reason is simple: passwords that are easy to remember are easy for a computer to guess. Password strength is a matter of entropy, which is really a count of how many guesses an attacker has to make before hitting the right one. For a password chosen at random, that is the length multiplied by log2 of the size of the character set, so length, mixed case, digits and symbols all raise it, with length contributing the most. Humans, however, need to remember their passwords, so they veer towards simplicity and towards words, which a dictionary attack tries first; a "complex" password built from a word with a few substitutions is found long before its character set is exhausted. This is shown clearly in the analysis of the recently stolen LinkedIn passwords (#Ref 2).
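As an added illustration (my code, not code from the original article), the following Python computes the guess space of a password the way a complexity policy would count it, estimates the worst-case time to exhaust that space at an assumed offline cracking rate, and contrasts it with the much smaller space of a dictionary-plus-rules search. The 1e9 guesses per second figure and the 10,000-word, 100-rule dictionary size are assumptions for illustration, as is the nominal 32-character bucket for characters outside the four ASCII classes.

```python
import math
import secrets
import string

# Character classes as a typical complexity policy counts them.
CLASSES = (
    string.ascii_lowercase,   # 26
    string.ascii_uppercase,   # 26
    string.digits,            # 10
    string.punctuation,       # 32
)
OTHER_CLASS_SIZE = 32  # assumed nominal size for anything outside the four classes


def charset_size(password: str) -> int:
    """Alphabet size a policy would credit the password with: the sum of every
    character class it touches."""
    size = sum(len(cls) for cls in CLASSES if any(c in cls for c in password))
    if any(all(c not in cls for cls in CLASSES) for c in password):
        size += OTHER_CLASS_SIZE
    return size


def random_bits(password: str) -> float:
    """Entropy *if* the password had been chosen uniformly at random from
    charset_size(password) ** len(password) candidates.  This is an upper
    bound: a human-chosen password lives in a far smaller space."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def dictionary_bits(words: int = 10_000, rules: int = 100) -> float:
    """Bits of a dictionary-plus-mangling-rules search.  The sizes are an
    assumption for illustration; real wordlists and rule sets vary."""
    return math.log2(words * rules)


def seconds_to_exhaust(bits: float, guesses_per_second: float = 1e9) -> float:
    """Worst-case time to try every candidate at the given rate.  1e9/s is an
    assumed figure for an unsalted fast hash on commodity GPU hardware."""
    return 2 ** bits / guesses_per_second


def generate(length: int = 16) -> str:
    """A manager-style random password: every character drawn from all four
    classes with the OS CSPRNG, so random_bits() is its real entropy."""
    alphabet = "".join(CLASSES)
    return "".join(secrets.choice(alphabet) for _ in range(length))


def report(password: str, human_chosen: bool) -> dict:
    """Policy-style bits versus the effective bits an attacker faces."""
    bits = random_bits(password)
    # A human-chosen password falls to the dictionary search long before the
    # character-set space is exhausted, so cap the estimate there.
    effective = min(bits, dictionary_bits()) if human_chosen else bits
    return {
        "password": password,
        "charset": charset_size(password),
        "policy_bits": round(bits, 1),
        "effective_bits": round(effective, 1),
        "worst_case_seconds": seconds_to_exhaust(effective),
    }


if __name__ == "__main__":
    for pw, human in (("123456", True), ("letmein", True),
                      ("P@ssw0rd1", True), (generate(), False)):
        print(report(pw, human))
```

The point of `report` is the gap between `policy_bits` and `effective_bits`: "P@ssw0rd1" passes every complexity rule and scores about 59 bits on paper, but it is one mangling rule away from "password" and so sits inside a roughly 20-bit search that a GPU clears in well under a second.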
While the speech I gave to the department back in the day was about using non-dictionary words and increasing complexity, this looks like a losing battle against human nature, and it is not even the greatest problem we face in password security today. Back in 2007, Microsoft Research (#Ref 3) showed that the average user had over 25 accounts requiring a password but only 6.5 distinct passwords, so the average password was shared across 3.9 sites. Based on my own experience, I would imagine these figures have doubled or even tripled since 2007.
Today your password, no matter how simple or complex, is at the mercy of the organization that stores it or its hash. If the hash is unsalted and fast (as LinkedIn's SHA-1 hashes were), the hash is essentially the same thing as the password: a precomputed rainbow table or a GPU cracker turns it back into plaintext in seconds, and only a per-user salt and a deliberately slow hash change that. There are many examples of large websites having their database compromised and the passwords ending up online; Yahoo! (#Ref 4), Sony (#Ref 5,6), LinkedIn (#Ref 7) and Last.fm (#Ref 8) are just a few recent disclosures. There is no need to perform resource-intensive cracking of your super-strong password when it is published in plaintext online. Research comparing two unrelated disclosures, from Sony and Gawker (#Ref 9), found that over two-thirds of the accounts sharing the same email address also used the same password. It is a safe bet that many of these also use that password for the email account itself, and even where a stronger, different password protects critical sites such as internet banking or PayPal, access to the "less secure" email account lets an attacker request a password reset and achieve the same goal. This kind of attack became an obvious reality today with the announcement of an attack on Dropbox. At the time of writing, their password database does not appear to have been compromised, and some email addresses were exposed via a stolen document, but during the investigation they found that credentials gathered from other breaches had been used to access Dropbox users' accounts.
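To make the hash-versus-plaintext point concrete, here is an added Python example (mine, not code from the article or from any of the breached sites). It constructs a fake leaked table of unsalted SHA-1 hashes, the scheme LinkedIn used, for a few of the passwords listed above, precomputes a hash-to-plaintext lookup table from a small wordlist and a handful of John-the-Ripper-style mangling rules, recovers the weak passwords by dictionary lookup, and then shows what a per-user salt and a slow KDF change. The user names, passwords, wordlist and rules are all constructed for the example, and the PBKDF2 iteration count is kept low so the demo runs quickly; production counts should be far higher.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterator, Optional, Tuple

# Constructed wordlist and keyboard patterns (a real attack uses millions).
WORDLIST = ["password", "letmein", "god", "angel", "devil", "dropbox"]
PATTERNS = ["123456", "abc123", "1234567", "qwerty"]
SUFFIXES = ["1", "123", "!", "2012"]
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0"})
ITERATIONS = 20_000  # demo value only; production PBKDF2 counts are much higher


def mangle(word: str) -> Iterator[str]:
    """A few John-the-Ripper-style rules: case changes, leet, digit suffixes."""
    bases = dict.fromkeys([word, word.capitalize(), word.upper(),
                           word.translate(LEET), word.capitalize().translate(LEET)])
    for base in bases:
        yield base
        for suffix in SUFFIXES:
            yield base + suffix


def candidates() -> Iterator[str]:
    """Patterns first, then every wordlist entry through the rules."""
    yield from PATTERNS
    for word in WORDLIST:
        yield from mangle(word)


def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode()).hexdigest()


def build_table() -> Dict[str, str]:
    """hash -> plaintext, computed once and reused against every unsalted dump.
    A rainbow table is a space-optimised version of exactly this."""
    return {sha1_hex(c): c for c in candidates()}


def leaked_dump() -> Dict[str, str]:
    """Constructed 'breach': user -> unsalted SHA-1 hex, LinkedIn-style."""
    return {
        "alice": sha1_hex("P@ssw0rd1"),          # 'complex' by policy, trivial by rule
        "bob": sha1_hex("letmein"),
        "carol": sha1_hex("123456"),
        "dave": sha1_hex("xK7#qLp2$vN9wR4m"),    # manager-generated, in no wordlist
    }


def crack_unsalted(dump: Dict[str, str], table: Dict[str, str]) -> Dict[str, str]:
    """Every user whose hash appears in the table is recovered by a dict lookup."""
    return {user: table[h] for user, h in dump.items() if h in table}


def store_salted(password: str) -> Tuple[bytes, bytes]:
    """Per-user random salt plus a slow KDF: no table can be precomputed, two
    users with the same password get different digests, and every guess costs
    ITERATIONS hash operations per user."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    guess = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(guess, digest)


def crack_salted(salt: bytes, digest: bytes) -> Optional[str]:
    """Salting does not save a dictionary password; it only forces the attacker
    to pay the KDF cost for each candidate against each user separately."""
    for candidate in candidates():
        if verify_salted(candidate, salt, digest):
            return candidate
    return None


if __name__ == "__main__":
    table = build_table()
    print("unsalted SHA-1 dump:", crack_unsalted(leaked_dump(), table))
    salt_a, digest_a = store_salted("letmein")
    salt_b, digest_b = store_salted("letmein")
    print("same password, same digest?", digest_a == digest_b)
    print("salted and slow, but still 'letmein':", crack_salted(salt_a, digest_a))
```

Three of the four constructed users fall to a table that took milliseconds to build; dave survives only because a random 16-character password is in no wordlist. The salted version does not rescue bob, who still chose "letmein", but it removes the precomputation shortcut and multiplies the attacker's work by the iteration count and by the number of users.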
To mitigate the risk of password compromise, the best strategy is to avoid all reuse of passwords and make each one as strong as possible. As mentioned, this makes them difficult to remember, but the greatest risk here is disclosure over the Internet. So what's the solution? Write them down. Shock horror! This is the one thing you have been told never to do, so why am I advising such a heathen action? The risk of your accounts being compromised over the Internet is significantly greater than the risk of someone breaking into your house and stealing a piece of paper hidden in a secure location. In this case, the trade-off of writing them down in exchange for making them unique, complicated and long is well worth making. To reduce the risk further and make the process manageable, use a password manager. Most browsers come with a built-in utility that can create random, secure passwords, store them encrypted and synchronize them across multiple systems. This way you remember a single strong master password to unlock the utility, and the browser supplies the site credentials as and when they are needed (and, because it matches stored credentials to the site's domain, it will not hand them to a look-alike phishing site). The master password is now the one password you must get right, so make it long and use it nowhere else. There are also standalone password managers that work across desktop and mobile, such as the open-source KeePass (http://keepass.info).
As an enterprise, however, you cannot afford to trust that your users follow secure password practices and never reuse their corporate password on external sites, so we recommend enforcing a second factor of authentication: something you have (a token) as well as something you know (a password). The idea is that a remote attacker has no way of obtaining the "something you have" even after obtaining your password, so a password harvested from some other site's breach no longer opens your network on its own. To help organizations make this transition, Fortinet has integrated two-factor authentication free of charge into the FortiGate range of products to secure SSL and IPsec remote access. This is extended by the range of physical FortiTokens and by FortiAuthenticator, which extends two-factor authentication with mobile and certificate-based authentication to third-party systems.