Our Terrible, Horrible, No Good, Very Bad Password System
It has been a heck of a year for password/password hash disclosures. In the same week in June, millions of password hashes were disclosed from LinkedIn, eHarmony and Last.fm. And in the same week in July, more than 450,000 usernames and unencrypted passwords were reportedly stolen from Yahoo Voice, while 420,000 password hashes were leaked as a result of an attack on the social networking site, Formspring. These events have drawn a lot of attention to the issue of password security.
One particularly interesting breach occurred right at the end of 2011. Anonymous released over 800,000 password hashes along with personal information and credit card numbers from Stratfor. Stratfor writes popular analyses of current geopolitical events, and most large companies have a few employees who have created accounts with them.
There is a search engine of the Stratfor data available online in which you can input your company's domain name and obtain a list of employees who associated their work email address with their Stratfor account and subsequently had their password hash disclosed. Two questions immediately come to mind when you see these search results: Did any of those employees use a password on Stratfor that they also use on their corporate network? If so, have all of those passwords been changed?
I have no doubt that we will see more password compromises in the future. Passwords are the oldest security control that we have, and they are probably the least understood. It would be nice to imagine that these breaches will result in the universal adoption of two-factor authentication technologies, or at least password vaults, but those changes are not going to happen everywhere for both economic and usability reasons. The fact is that passwords are here to stay, and it is time to get serious about modernizing the approach that corporations take to password security.
We need to abandon passwords in favor of passphrases.
Today's passwords are too short. Two years ago, the Georgia Tech Research Institute argued that any password shorter than 12 characters was easily broken with a PC and a graphics processor. Passwords that are longer than 12 characters aren't really passwords anymore -- they are passphrases, and we should start calling them that so users understand what they should be doing to protect themselves.
Many of the password rules that systems are enforcing can also be counterproductive. Forcing users to include a combination of random capitalizations and special characters makes passwords hard to remember, which leads people to adopt common character substitutions that satisfy the requirements without adding security.
Password expiration has the same effect, prompting users to adopt poor practices such as regularly incrementing a number at the end of their password. The worst password rule that I have ever encountered is maximum length. Enforcing a short maximum password length is destined to result in bad security consequences. It also makes the transition to passphrases impossible.
We need to get rid of almost all of the password rules that we enforce today except for one -- minimum length. We need to set the minimum lengths higher, and encourage users to create passphrases instead of passwords. Combinations of four or more randomly chosen, unrelated English words are often much more secure than short passwords and much easier to remember, as long as they aren't full of random character substitutions.
Enterprises should adopt proactive password cracking.
Even some long passphrases are easy to crack if the sequence of words that the user has chosen is common in natural language. If you want to identify passwords that are likely to be compromised and force users to change them, the best way to do that is to do what the attackers are actually doing -- set aside some computing resources to proactively crack your own password hash collection, and notify users whose passwords you've successfully cracked.
This strategy helps ensure that insecure passwords are not being used, while simultaneously teaching users to adopt good behaviors that are resilient to attack.
Security professionals must acknowledge that passwords and passphrases are weak, and they are going to be compromised no matter what we do.
There are an awful lot of username, email address and password hash combinations circulating in the underground after all of the recent breaches discussed above, and we have every reason to believe that we are going to see similar compromises in the future. These passwords are going to be used to compromise corporate networks.
The Advanced Persistent Threat (APT) is already coming into your network bearing legitimate access credentials. 100 percent of the attacks Mandiant investigated in 2011 utilized stolen credentials during the intrusion. Conversely, only 54 percent of compromised machines were infected with malware.
The question that we need to be asking is how do we detect attackers who log into our networks with legitimate credentials? Organizations that are only focused on looking for exploit activity at the network perimeter can't see attacks after they've already gotten in the front door. IT security teams also need visibility into authorized traffic on the internal network that enables them to detect and mitigate compromises after the walls have been breached.
Most enterprises aren't even performing basic logging of internal network activity. If they discover that a computer has been compromised, they have no way of figuring out what the attacker did next on the local network, or which other systems may have been tainted. However, good internal network visibility enables you to do much more than just investigate known breaches. It can also help detect them.
An analogy to credit card fraud is helpful here. Banks keep a profile of typical spending behavior for each customer, and when they see purchases that are far outside of that profile, they contact the customer.
The same principles can be applied to the network. The transactions crossing computer networks are far more complex than the kinds of transactions that a credit card sees, but patterns of behavior still exist. When an account executive from Florida logs in from overseas while he is sitting in the office, something is not right. If he starts checking software out of your source code repository, something is really not right!
In addition to being smarter about passwords, organizations must start to investigate next-generation technologies that can provide visibility into the internal network. Without higher levels of awareness and control over what is going on within our own environments, it will become increasingly impossible to thwart the ever-evolving threats we face today on the Internet.