Recent events have yet again called into question the effectiveness of the password as a security measure, raising serious doubts about the safety of our data and prompting us to ask once more: is this the end for passwords?
Many analysts believe simply that password authentication systems have reached a state of obsolescence. However, the issue remains: despite the vulnerability of password systems, they are still the number one verification method used to validate the identity of users.
Biometrics has been mooted as one option. And it’s a good one. But again, it’s the password’s relative ubiquity which means it’s difficult to unseat as the primary verification method for users. That and cost. Passwords remain a cost-effective security solution.
Nevertheless, it’s important to take time to analyse the issues around password use and the potential for additional or replacement systems. Here we will take a look at which threats specifically target the password as the weak link in the chain:
A significant amount of malware currently in circulation has been developed with the objective of obtaining information from users – mainly passwords for email accounts, social networking and data related to online banking.
Phishing campaigns are primarily intended to obtain user credentials through deceptive messages that direct the victim to counterfeit sites (usually imitating banks), where the user enters information which is then stolen.
Dictionary attacks are sequential attempts at user authentication using alphabetically ordered words stored in large files called dictionaries. The success of the attack depends on two factors: a) the user must have used a word in common use as a password, and b) that word must be included in the dictionary list.
Like dictionary attacks, brute force attacks consist of sequential authentication attempts, except that in this method every combination of characters of a given length is tried. The more characters in a password, the greater the number of possible combinations, and the longer it takes to guess the password.
In the last few years there have been more and more attacks targeting legitimate sites which store databases of sensitive information about customers or users. Usually, these databases store password hashes (fixed-length strings produced by a one-way function, from which the password cannot be read back directly) rather than plain text passwords. However, if the hashing scheme is weak (a fast, unsalted function) or the passwords themselves are common words, attackers can fairly easily recover the original passwords by hashing candidate guesses and comparing the results with the stolen hashes.
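The difference between the two storage schemes described above, as an added example that is not part of the original article: an unsalted fast hash lets one precomputed table of common words match every affected user at once, while a per-user salt plus a deliberately slow PBKDF2 makes such a table useless and forces separate, costly guessing for each record. The word list, the sample passwords and the storage format are constructed for this example.

```python
import hashlib
import hmac
import os

# Constructed, illustrative list of common words (the kind a dictionary holds).
COMMON_WORDS = ["password", "letmein", "qwerty", "welcome", "sunshine"]

def weak_store(password: str) -> str:
    """Unsalted SHA-1: the same password always yields the same hash,
    so a table built once from COMMON_WORDS matches every such record."""
    return hashlib.sha1(password.encode()).hexdigest()

def strong_store(password: str, iterations: int = 200_000) -> str:
    """Random 16-byte salt per record plus slow PBKDF2-HMAC-SHA256.
    Storage format chosen for this example: iterations$salthex$hashhex."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"

def strong_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

def precomputed_table(hasher) -> dict:
    """Hash -> word for every common word, computed once, before any leak."""
    return {hasher(w): w for w in COMMON_WORDS}

def table_hits(stored_hashes, table) -> list:
    """Records that fall straight out of the precomputed table with no extra work."""
    return [table[h] for h in stored_hashes if h in table]

def demo() -> dict:
    users = ["letmein", "Tr0ub4dor&3"]          # constructed sample passwords
    weak_db = [weak_store(p) for p in users]
    strong_db = [strong_store(p) for p in users]
    return {
        "weak_hits": table_hits(weak_db, precomputed_table(weak_store)),
        "strong_hits": table_hits(strong_db, precomputed_table(strong_store)),
        "login_ok": strong_verify("letmein", strong_db[0]),
    }

if __name__ == "__main__":
    print(demo())   # weak_hits recovers 'letmein'; strong_hits is empty
```

Note that the salted slow hash only raises the per-guess cost; a password that is itself a dictionary word still falls to targeted guessing, which is why the user-side advice later in the article still applies.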
The threats that undermine the use of passwords are very different, which is why the security measures deployed should also be varied.
Different approaches should be weighed up by those responsible for the management of information in a business. In this sense, it’s necessary to work together to achieve the goal of protecting sensitive information.
From the perspective of the users it is not enough to follow best practice related to passwords (e.g. using a password that is long and complex, using different passwords for different services, or changing them regularly). Additional measures are needed, such as installing and updating anti-malware solutions that prevent data theft by malicious code (keyloggers), and using tools that block the attacks described above.
Where companies offer services that are protected by authentication – particularly those that hold large amounts of sensitive customer data – it’s important to carry out regular security audits to identify and patch any vulnerabilities.
Offering optional extra security measures could make the difference between users feeling secure or vulnerable. Two-factor authentication is one example: in addition to the standard password, a security layer is added through the use of a dynamic, single-use password (an OTP, or One-Time Password). This could take the form of a verification code sent to the user's cellphone.
Companies should also keep the software behind their services up to date and offer such alternatives to their users alongside the traditional password.
The password is here to stay for the time being and while the industry has yet to standardize some other form of authentication, we should focus on implementing additional safeguards to prevent the potential loss caused by the threats we’ve reviewed. Whenever we talk about information security, control on its own is not enough.
Author: Miguel Ángel Mendoza, ESET