The most common passwords are no secret: 123456. 123456789. 1234. Neither are the unsecured places where users “hide” them. On Post-it notes under a keyboard. In a three-ring binder. In a notes file on a smartphone.
But even security pros who keep their passwords complicated and don't store them in an unencrypted Excel document aren't completely safe. Hackers don't discriminate. And, if the headlines are to be believed, they're winning the password war.
A Russian group compiled a database of more than four billion credentials. A South Korean data breach impacted more than 200 million citizens. Millions of eBay users' credentials were put up for sale online.
Not that it's much of a war – although the spoils are significant – because passwords just don't cut it anymore. Think David up against Goliath, but without a slingshot in sight. When you're a hacker and the first line of defense is the conventional username/password combo, the odds are almost always in your favor. Still, organizations rely on them – and that makes it harder for IT security pros to keep their enterprises protected. One breach, or one intruder gaining access, can result in job loss and questioning of a security staffer's qualifications. CISOs have notoriously short life spans with one company, says Rick Doten, CISO at DMI, a provider of mobile solutions and service. “Mature companies learn from every incident, and constantly improve their posture. Other ‘not enlightened' companies just expect all the technology to work, and think the security team didn't buy the right stuff, or enough stuff to do the job. It's never a technology issue.”
Yes, changing user passwords every six weeks or so does mitigate some risk, but this strategy often makes the process too complex and employees won't use them simply because they cannot remember a string of random characters and letters. But, most organizations typically don't bother to make regular changes. In fact, a study by Los Angeles-based Lieberman Software found that only 53 percent of organizations update their account service and process account passwords on a quarterly basis.
“If passwords only get updated on a monthly or quarterly basis, think about the damage a cybercriminal can do in that time,” says Philip Lieberman, president of Lieberman Software, which provides privilege management solutions. “[It can provide] one to three months of unlimited access into an organization's critical systems.”
Randy Barr, vice president and chief security and information office at Saba, a San Francisco-area-based next-generation cloud solutions provider, looks at passwords as he does his toothbrush. “Use it often, and do not share.” Plus, change it frequently.
But, of course, there are always those employees who ask to be exempted from password changes – so maybe password rotations aren't the ultimate solution.
It might be time – actually past time – for the security community to start seriously weighing alternatives to passwords. Luckily, there are many...though choosing the right one for an organization takes careful planning and consideration of a host of factors, including organizational needs, solution complexity, implementation and budget.
The classic IT security conundrum – convenience versus security – inevitably pops up when considering any password alternative.
Security firms and security units within enterprises are getting behind two-factor authentication or, in other words, the idea that system access should require an extra step beyond a basic login. As a result, attackers would need to expend more effort and time to get to an enterprise's goods. And, that's a serious attack deterrent.
Don't wait
Hackers are more likely to direct their efforts at enterprises that don't use two-factor authentication, according to Daniel Palacio, founder of Authy, a San Francisco-based provider of authentication platforms. “If you wait to adapt security protocols, that's when the hacker will come for you,” he says. “You're a target.”
Saba's Barr also sees two-factor authentication as a worthwhile investment to use whenever possible. “The [solutions] I like the most are the ones that are one-time passwords to secure a device,” he says. “A passcode is sent to my phone and I have to enter my password.”
When companies must take additional security steps, BYOD, typically the bane of enterprise security, can actually be used to construct better safeguards.With cameras attached, equipped with microphones, sporting GPS capabilities and nearly ubiquitous, phones naturally lend themselves to enhance security efforts.
“Phones are little mini-computers that we carry along with us,” says Jonathan Klein, president and chief legal officer at MicroStrategy, a Washington, D.C. area-based provider of business intelligence, mobile software and cloud-based services. “Many things become possible that aren't available in the physical world.”
Using a phone for security is “taking advantage of something people have with them,” says Klein. “Take advantage of the networks these telephone companies have made. Your customers and employees are already leveraging that.”
They most certainly can be used for authentication, sending users text messages to verify their logins. But, while Google and other large companies already have implemented this strategy, it might not be the most practical or holistic solution for general enterprise security, serving only as part of the final security strategy.
Klein posits that phones could be used as a smarter password tool, leveraging a phone's clock and GPS to set certain hours and locations as authorization restrictions. Likewise, through GPS and tracking functions the phone could determine by the length of a user's gait or walking pace whether a legitimate user is authenticating a login.
Exploring the biometric frontier
Today's smartphones are complex devices that not only provide typical functions, such as texting, but also open a newer frontier: biometrics.
These new tools are beginning to gain traction among larger enterprises, and even among individual users with apps, like Touch ID for iPhones.
When considering biometric solutions as an option for two-factor authentication, experts point out that security professionals should consider accuracy, as not all solutions have the same false acceptance rate. Iris scans, for instance, are incredibly accurate, immediately after direct DNA samples. One study by the National Institue of Standards & Technology (NIST) found them to be accurate 90 to 99 percent of the time. Simultaneously, though, iris scans require a custom scanning device that can be expensive and require some training.
Alternatively, voice verification again returns to the idea of using a device that end-users already carry. Cell phones provide the verification. Because users already feel comfortable talking into a phone, voice recognition is a natural security option. A voice imprint is created through the specific structure of users' larynx, nasal path and mouth, says Mike Goldgof, vice president of marketing at Agnitio, a voice biometrics technology company with headquarters in Madrid. “Undetectable details go into the creation of a person's voice.”
The voice print, created through a user's phone, picks up on users' specific voice marks after they repeat their chosen passphrase into their device multiple times.
For all its intricacies, though, voice recognition software isn't always accurate. Some anti-spoofing methods come with most solutions, such as speaker detection, but that doesn't guarantee safety. If an attacker wants to fake a person's voice, for example, they might record the legitimate user saying their passphrase and then try to replay it aloud through a speaker. The anti-spoofing software can detect phonies by listening for acoustic characteristics that indicate a loudspeaker. The same goes for impersonators who try to imitate voices.
Moving beyond BYOD solutions, iris scanning solutions are viable for enterprises with extra cash to spend. Recent technology relies on video footage that converts users' irises into unique codes. Anthony Antolino, CMO at EyeLock, a New York-based company that offers iris-based identity authentication technology solutions, sees iris scanning as a chance to cut back on the costs that IT desks face with resetting passwords and dealing with users forgetting their logins. Irises are always there, of course.
To protect against possible attacks, Antolino's company also builds in strategies to ensure attackers don't use video footage of authorized users' irises to access an enterprise's system. Although he wouldn't give away all his trade secrets, he provided one example: Irises react to light in different ways and inherently prove whether a real person is attempting to use the scanner. For instance, when a light turns on, an iris gets larger and vice versa. A recorded video wouldn't respond to a scanner in the biologically correct way.
As hackers have continuously proven, however, no security strategy is completely safe from attack. Attackers successfully bypassed two-factor authentication systems at banks in Austria, Japan, Sweden and Switzerland earlier this year. And all they used was a simple phishing campaign, according to a Trend Micro report.
“As long as hackers have compromised the communication channel, the transaction will then be at risk,” says John Zurawski, vice president at Authentify, a Chicago-based provider of automated authentication services. If the main line of communication is breached, a password can't save the user, so part of prevention often relies on encryption, especially when biometrics aren't an option. If an attacker is going to breach a system, at least the data is secure.
The other alternatives
Other experts point out deficiencies in some of these strategies. Users are wary of biometrics to secure their financial accounts, says Niko Kluyver, director at the Caribbean Credit Bureau, which operates in the Dutch Caribbean as part of a group of consumer credit bureaus that enables sharing of consumer credit details between member organizations. So other than getting out of cyberspace entirely, the only other option, he says, is building a comprehensive strategy that addresses both prevention and proactive defenses.
To that end, Kluyver hires friendly hackers to attack his system and report back potential vulnerabilities. He also limits which IP addresses can attempt to access the group's systems and then uses time-outs on password attempts.
Although Kluyver approaches security in multiple ways, he emphasizes that all security professionals should look at their security needs rather than a general program. A program should be adjusted to an enterprise's requirements, not the other way around.
Versatility, too, is essential. Committing to a single methodology doesn't lend itself to the inevitable changes that come as technology advances. For instance, a solution should be able to integrate with others to allow for changes in security goals and targets.
Whatever route an enterprise decides to take, and even before nailing down specific solutions, security professionals should adopt a risk management strategy.
Dmitry Bestuzhev (left), head of the global research and analysis team, Latin America, for Kaspersky Lab, recommends measuring the cost of what is being protected and then deciding on whether only software should be used to mitigate risk. For example, a computer system that stores essential and important data should have extra protection. Software, encryption and patch management systems should be used, Bestuzhev says.
Hackers will attack whatever will garner them the most revenue or make the biggest impact. For now, although passwords might not be the best defense, they're here to stay, at least for a little while.
Enterprises that haven't yet adapted two-factor authentication or other solutions can still amplify their passwords to decrease the risk of attacks. The consensus from experts: Use long passphrases, as opposed to a jumble of letters and numbers. Stay educated on alternatives to reduce break-ins and keep users updated on what's happening in the digital realm.
And remember, the war hasn't been won just yet.
