Relying on usernames and passwords to authenticate user identity is irresponsible.
The first computer password was developed at MIT in the early 60s. It was simple, easily stored and, in comparison to today, used rarely. But fast forward five decades of technological advancement and, while the digital world has evolved immensely, the humble password remains largely unchanged. The global proliferation of data and the sheer amount of information we have to keep safe simply cannot be protected by passwords alone anymore.
Emails and passwords are stolen on a daily basis; Yahoo alone is the source of three billion compromised passwords. So why would we use something to protect us and our businesses that has almost certainly already been stolen and is being used by hackers?
Confessions of a password tweaker
Passwords are inherently flawed because of the way humans use them. People use the same passwords for different sites and attackers will use stolen username/password combinations to gain access to those other sites. But even if a password is “tweaked” to be different each time, it can be fairly quickly cracked. Even I have to admit I’ve been a password tweaker in the past.
Stolen passwords give attackers starting points and password tweaking gives them predictable sequences to try out when cracking newly stolen password hashes. When an old password is leaked it’s added to a growing database of rainbow tables containing guessed hashes. In this way attackers can immediately crack it if they ever see it in future stolen data sets. What’s more, attackers know that people regularly tweak old passwords to make new ones.
The next step is to generate rainbow tables of permutations on previously cracked passwords that people are likely to use. Once they get hold of more hashed passwords from a new breach, they are seconds away from cracking any variations of that old password. Using ‘fuzzers’, these passwords can be tweaked to alter the case of characters, replace letters with numbers and add special characters and numbers at the end – all common techniques people use to make their password “stronger”.
A password is effectively a shared secret crypto key. Instead of using the key to encrypt messages, it’s used to prove you are who you say you are. The old rule was “never use a predictable sequence as your key”. A well-known or popular phrase means someone else might also use it for their password too, increasing the odds of your password showing up in an attacker’s rainbow table.
Throw human nature into the mix and suddenly predicting password tweaks becomes extremely easy. Knowing that people tweak old passwords and the massive time savings involved, it’s well worth the effort to pre-run permutations of previously cracked passwords into new rainbow tables.
If one of your tweaked passwords is lost or stolen, you should throw all versions of it away. Hackers know that people tweak passwords and so will apply these techniques to previously uncracked password lists, usually to great effect.
Passwords are an old-fashioned, outdated and inappropriate method of enterprise security. The number of data breaches stemming from weak or stolen passwords has jumped in the last three years from 63 percent to 81 percent.
Relying on usernames and passwords to authenticate user identity is irresponsible. However, even two-factor authentication isn’t enough. Enterprise security can no longer be a static process; this is why we need to go passwordless.
Adaptive authentication combines identity-based threat detection with layered access control methods such as IP address look-up, device recognition, geo-location analysis, and biometrics. These techniques simultaneously strengthen security and work invisibly to the user. This approach effectively thwarts attackers and renders stolen credentials useless. Adding layers to security and using our identity to protect us is key. The password has been part of our lives for decades; now is the time to retire it.
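As an added illustration (not code from the article or from SecureAuth), the following defender-side check enforces the advice above at password-change time: a candidate password is reduced to the base word a tweak would have been derived from by undoing case changes, the usual letter-for-symbol substitutions and appended digits or symbols, and is rejected if that base word matches any previously cracked password. The breached list and the substitution map are constructed assumptions, not real breach data.

```python
import re

# Constructed stand-ins for passwords already cracked in earlier breaches.
BREACHED = {"sunshine", "Welcome1", "p@ssw0rd", "Dragon!", "letmein"}

# Common substitutions tweakers apply, reversed. Mapping "1" to "l" is an
# assumption: it is used for "i" just as often, so this is a heuristic.
DELEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                        "7": "t", "@": "a", "$": "s", "!": "i", "|": "l"})

# A run of digits/symbols appended at the end ("...2019!", "...99").
TRAILING = re.compile(r"[^a-z]+$")


def canonical(pw: str) -> str:
    """Collapse a password to the base word a tweak was built from.

    Order matters: trailing digits/symbols are stripped before de-leeting so
    that an appended "!" is treated as padding rather than as a leet "i".
    This errs toward flagging, which is the safe direction for a policy check.
    """
    s = TRAILING.sub("", pw.lower())
    return s.translate(DELEET)


# Canonical forms are precomputed once so each check is a set lookup.
CANON_BREACHED = {canonical(p) for p in BREACHED}


def is_tweak_of_breached(candidate: str) -> bool:
    """True if the candidate reduces to the same base word as a cracked password."""
    base = canonical(candidate)
    return bool(base) and base in CANON_BREACHED


if __name__ == "__main__":
    for pw in ("Sunshine99!", "W3lcome2", "P@ssw0rd2019!", "correct horse battery staple"):
        verdict = "reject (tweak of breached)" if is_tweak_of_breached(pw) else "ok"
        print(f"{pw!r}: {verdict}")
```

A production version would replace the inline set with a lookup against a full breach corpus and pair this check with the adaptive, layered controls discussed later in the article rather than relying on it alone.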
Contributed by David Ross, VP of research at SecureAuth
This article originally appeared at scmagazineuk.com