Password security can improve, but the hackers will still get in
Tom Cross, director of security research, Lancope
This year has been marked by an ever-growing list of companies falling victim to stolen passwords.
In June, millions of password hashes were disclosed from LinkedIn, eHarmony and Last.fm. And in July, more than 400,000 usernames and passwords were stolen from Yahoo, while the social networking site Formspring, clothing company Billabong, and gaming site Gamigo all suffered similar breaches.
At the end of 2011, Anonymous released more than 800,000 password hashes, along with personal information and credit card numbers, from Stratfor. There is a search engine of the Stratfor data available online in which companies can input their domain name and obtain a list of every employee who associated their work email address with their Stratfor account, and had their password hash disclosed.
Chances are, most companies will find at least a couple of employees on there. If so, they should ask themselves: Did any of those employees use a password on Stratfor that they also use on the corporate network? If so, have all of those passwords been changed?
It would be nice to imagine that these breaches will result in the universal adoption of two-factor authentication technologies, or at least password vaults, but those changes are not going to happen everywhere for both economic and usability reasons. The fact is that passwords are here to stay, and it is time to get serious about modernizing the approach that corporations take to password security.
We need to abandon passwords in favor of passphrases.
Today's passwords are too short. Two years ago, the Georgia Tech Research Institute argued that any password shorter than 12 characters can be easily cracked with a PC and a graphics processor. Passwords that are longer than 12 characters aren't really passwords anymore – they are passphrases, and we should start using them.
Many of the password rules that systems are enforcing can also be counter productive. Forcing users to include a combination of random capitalizations and special characters, or frequently change their passwords, makes them hard to remember and leads people to use character substitutions that satisfy the requirements, without actually adding security.
The worst password rule I have encountered is short maximum length, which is destined to result in bad security and makes the transition to passphrases impossible. Instead of imposing maximum lengths, we need to set the minimum lengths higher, and encourage users to create passphrases out of randomly chosen, unrelated words.
Enterprises should adopt proactive password cracking.
A recent study by Cambridge University showed that users will adopt bad practices in passphrase environments just like they adopt weak passwords. Examples include using short words or words that often appear next to each other in natural language.
If you want to identify bad passwords and passphrases, and force users to change them, the best way to do that is to do what the attackers are actually doing – set aside some computing resources to proactively crack your own password hash collection, and notify users whose credentials you've successfully cracked.
Security professionals must acknowledge that passwords and passphrases are going to be compromised no matter what we do.
There are an awful lot of username, email address and password-hash combinations circulating in the underground after all of the recent breaches, and these passwords are going to be used to compromise corporate networks.
That means the advanced persistent threat (APT) is already coming into your network bearing legitimate access credentials. Mandiant reported that 100 percent of the attacks they investigated in 2011 utilized stolen credentials, while only 54 percent of compromised machines were infected with malware.
Organizations that are only focused on looking for exploit activity at the network perimeter can't see attacks after they've already gotten in the front door. IT security teams also need visibility into the internal network to detect and mitigate compromises after the walls have been breached.
Most enterprises aren't even performing basic logging of internal network activity. If they discover that a computer has been compromised, they have no way of figuring out what the attacker did next on the network, or which other systems may have been tainted.
However, good internal network visibility enables you to do much more than just investigate known breaches; it can also help detect them. For example, if an account executive from Florida logs in from overseas while he is sitting in the office, you know something is not right.
Without tighter password security and higher levels of awareness over what is going on within our network environments, it will become increasingly impossible to thwart the ever-evolving threats we are facing today.