Passwords: They're as useless as the 'g' in lasagna

24 Apr 2018

Since the dawn of the digital age, passwords have been the number one way to authenticate users into computer systems. Early on, when people referred to security, what they were really referring to was a password database that simply stored a user’s recorded password and compared it to what the user submitted when they logged in. Did they match? Great, you’re in.

Fast forward to today and passwords still haven’t gone away, albeit with a few enhancements. Rather than being stored as-is, the password is mathematically scrambled: it might be “salted” (combined with a random value before processing) and it is most likely “hashed” (reduced to a fixed-length fingerprint from which the original cannot be recovered).
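The salting and hashing just described, as an added example that is not part of the original article. It contrasts a plain (unsalted) hash, where two users with the same password get identical records, with a per-user salt and an iterated hash; the storage format string and the hypothetical password-store functions are assumptions of this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Hypothetical record layout for the password database:
#   pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>
ITERATIONS = 100_000


def unsalted_hash(password: str) -> str:
    """The weak form: same password always gives the same fingerprint,
    so one precomputed table cracks every user who chose it."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salt with fresh randomness per user, then hash many times so that
    brute-forcing the stored value costs the attacker real computation."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-run the same salt and iteration count on the submitted password and
    compare in constant time; the original password is never stored."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed sample: two users who both picked the same weak password.
    print(unsalted_hash("dadada") == unsalted_hash("dadada"))      # True: identical records
    print(hash_password("dadada") == hash_password("dadada"))      # False: salts differ
    print(verify_password("dadada", hash_password("dadada")))      # True
```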

To the user, it’s still just a password. And users need dozens of them. Worse still, passwords must be complicated. Users aren’t allowed to write them down or use the same one repeatedly, and many systems require that the user change their password every few months. Couple that with users needing them for both work-related and personal uses and the strain of passwords is self-evident.

Remembering passwords isn’t even the biggest issue. They’re also terrible security. According to Verizon’s 2017 Data Breach Investigations Report (DBIR), 81% of hacking-related breaches leveraged either stolen or weak passwords. The 2018 DBIR report was even more succinct, describing passwords as being ‘as useless as the “g” in lasagna’.

Sceptical? Then let’s have a quick look at what a hacker might do to steal your password (other than simply tricking you into giving it to them). The hacker might listen to your traffic on your network. The hacker might find a slip of paper where you’ve written it down. The hacker might trick you into installing bad files, such as malware, onto your computer. Or they might simply write their own computer program to automatically “guess” all possible password combinations. That’s called brute-forcing, and it is relatively easy to do with modern-day PCs.

The 2013 Twitter breach is one of many high-profile examples of this happening in the real world. According to Twitter, hackers may have had access to user information – including usernames, email addresses, session tokens and encrypted/salted versions of passwords – for a quarter of a million users.

Another high-profile incident involved Facebook founder Mark Zuckerberg. Zuckerberg’s Twitter and Pinterest accounts were hacked in 2016, with a group called OurMine Team claiming responsibility. His accounts were compromised because he re-used the password “dadada”. Six characters, all lowercase. If anyone should know better, it’s Zuckerberg.

This example is instructive for a number of reasons. It’s not enough for an organisation to worry about being breached itself. It also needs to be concerned about other services that it may or may not have a relationship with. Security can be thought of as an ecosystem, or better yet, a stack of dominoes. When one falls, several others fall too.

So what’s the solution to securing access if passwords aren’t the answer? The first step is for enterprises to use the data they already have on their users. Today, IT managers know who their users are, where they are, the device or devices they’re using and more. Collating this information, IT managers can monitor a user’s behaviour to build a profile of what’s normal activity and what’s not.

Take for example a CFO wanting to read profit and loss reports. They might do it in the office, at home or even in transit. IT knows this about the CFO and can confidently grant access. But if the same request came from a low-level employee, accessing the data at an odd hour from an unknown device, then the access attempt should be flagged and access blocked.

These identity insights are even more powerful when combined with technologies providing visibility into other risk factors, such as malware, ransomware and unpatched software. Machine learning and analytics can identify potential malware, and network forensics can flag suspicious traffic from a particular device.

By co-ordinating a response and using a list of devices and users that are being investigated as being potentially compromised, the access management team can adapt their log-in controls. They can block access to a suspicious resource or ask for more proof that a user is who they say they are. This could take the form of something hard to attack, like a biometric.

The final step is to understand the business context. An example of this is identifying whether an application is a gateway to other resources within the organisation. If an attacker gains access to a web server (or an Internet of Things device), could that give them a pathway to more sensitive data? Business context also means knowing what data is valuable, and what is not.

To return to an earlier example, if there’s a threat pathway to gain access to sensitive profit and loss statements, then that requires an immediate response. But if it merely gives access to an intern’s resume, then it doesn’t require such an urgent reaction.
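The access decision the preceding steps describe, as an added example that is not part of the original article: a user’s normal devices and hours, a watchlist of devices under investigation, and the business value of each resource are combined into allow, step-up (demand stronger proof such as a biometric) or block. All user, device and resource names are constructed sample data, and the scoring rule is an assumption of this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class UserProfile:
    role: str
    known_devices: frozenset
    usual_hours: range          # local hours at which this user is normally active


@dataclass(frozen=True)
class AccessRequest:
    user: str
    device: str
    hour: int                   # local hour of the attempt, 0-23
    resource: str


# Constructed sample data: what IT already knows about its users.
PROFILES = {
    "cfo":    UserProfile("cfo",    frozenset({"cfo-laptop", "cfo-phone"}), range(6, 23)),
    "hr":     UserProfile("hr",     frozenset({"hr-laptop"}),                range(8, 19)),
    "intern": UserProfile("intern", frozenset({"intern-desktop"}),           range(8, 19)),
}
# Business context: how valuable each resource is and which roles need it.
SENSITIVITY = {"profit_and_loss": "high", "intern_resume": "low"}
NEED_TO_KNOW = {"profit_and_loss": {"cfo"}, "intern_resume": {"cfo", "hr", "intern"}}
# Devices the investigation team currently treats as potentially compromised.
WATCHLIST = {"hr-laptop"}


def decide(req: AccessRequest) -> str:
    """Return 'allow', 'step_up' or 'block' for one log-in attempt."""
    profile = PROFILES[req.user]
    # Hard stops first: a device under investigation, or a role with no business need.
    if req.device in WATCHLIST:
        return "block"
    if profile.role not in NEED_TO_KNOW.get(req.resource, set()):
        return "block"
    # Behavioural risk: each departure from the user's normal pattern adds a point.
    risk = 0
    if req.device not in profile.known_devices:
        risk += 1
    if req.hour not in profile.usual_hours:
        risk += 1
    if risk == 0:
        return "allow"
    # Anything unusual on high-value data needs more proof; low-value data
    # tolerates a single anomaly before asking for it.
    if SENSITIVITY.get(req.resource, "low") == "high" or risk > 1:
        return "step_up"
    return "allow"
```

Unknown users raise KeyError here deliberately; a production policy would treat an unrecognised identity as its own block condition.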

By taking these steps, an organisation can secure itself against attacks without putting onerous password requirements onto its users or needing to have constant (and fallible) human intervention into access attempts. Today’s systems are too complex, too spread out and without the traditional borders such as firewalls that used to keep organisations safe. Using machine learning and automation, access can be simplified for users, while protecting organisations and their crown jewel data assets.

Article by RSA senior security architect APJ, Craig Dore.
