Halkyn Security Blog
Specialist Security & Risk Management Consultants

Security – Are passwords dead?

Passwords – an essential part of security, but often the target for attackers and the cause of a breach.

As most people will be aware, several high profile websites have suffered security breaches, resulting in millions of user account passwords being compromised. These sites have included business social networking site LinkedIn, online dating agency eHarmony and the music streaming site Last.fm.

All three of these sites have been on the internet for at least 10 years (eHarmony is the oldest, having launched in 2000; the others launched in 2002), which makes them truly ancient in internet terms.

Additionally, all three are very high profile, with huge user bases (LinkedIn claims over 33 million unique visitors per month, eHarmony claims over 10,000 people take its questionnaire each day, and in April 2011 Last.fm claimed more than 50 billion user playlists), so you would expect them to be well versed in the threats posed by internet-based attackers – which makes the recent user password compromises so shocking.

Using LinkedIn as the highest profile example, it seems that a malicious internet-based attacker was able to extract 6.5 million user account password hashes, which were then posted on a hacker forum for people to try and “crack” them back to the original passwords. The fact that this has happened points to some major problems in how LinkedIn protected customer data (effectively its most important asset…) but, at the end of the day, no network is immune to attackers.

Unfortunately, LinkedIn had another major failing: it appears to have ignored the last ten years’ worth of IT Security “good practice” advice, and the passwords it stored were simply hashed using an old algorithm (MD5), which has been treated as “broken” since before the service went live.

(Sidebar: Hashing is the process whereby a password is altered from the plaintext version the user types in to something totally different, using a variety of cryptographic techniques to make it hard for an attacker to reverse engineer the original password. The idea is that the hash should be impossible to reverse engineer, but this has proven to be an elusive goal.)

Compounding this error, LinkedIn failed to “salt” the password hashes, although this technique was understood and implemented in the 1970s. A password salt is some additional data added to the password before hashing; it can significantly increase the length and complexity of the value being hashed and, done properly, renders most brute force attacks so time consuming as to be almost useless.
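The following is an added example (not code from the original post or from LinkedIn) contrasting the unsalted MD5 scheme the post describes with a per-user salted hash. The user records and the short wordlist are constructed for illustration; the salted variant uses PBKDF2-HMAC-SHA1, an iterated form of “SHA-1 plus salt”, and the iteration count is an assumption beyond what the post says.

```python
import hashlib
import hmac
import os

# Constructed sample data: two users happen to share the same weak password.
USERS = {
    "alice": "sunshine1",
    "bob": "sunshine1",
    "carol": "Tr0ub4dor&3",
}

# Constructed stand-in for the wordlists used to "crack" leaked hashes.
WORDLIST = ["password", "sunshine1", "linkedin", "qwerty"]


def unsalted_md5(password):
    """The weak scheme described in the post: the same password always yields
    the same hash, for every user, on every site that uses this scheme."""
    return hashlib.md5(password.encode()).hexdigest()


def salted_hash(password, salt, iterations=100_000):
    """Salted, iterated SHA-1 (PBKDF2-HMAC-SHA1). The random salt makes each
    stored hash unique; the iteration count (assumed here) slows each guess."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations)


def store_salted(password):
    """Generate a fresh 16-byte random salt and return (salt, hash).
    The salt is stored in the clear next to the hash; it is not a secret."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def verify_salted(password, salt, stored):
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    return hmac.compare_digest(salted_hash(password, salt), stored)


def crack_unsalted(hashes):
    """Why unsalted hashes are so exposed: one precomputed table of the wordlist
    is built once and then checked against every leaked hash at no extra cost."""
    table = {unsalted_md5(word): word for word in WORDLIST}
    return {user: table[h] for user, h in hashes.items() if h in table}


def duplicate_hashes(hashes):
    """Count stored hashes that repeat: a quick audit signal that a store is unsalted."""
    return len(hashes) - len(set(hashes))
```

With salting, the precomputed table is useless: every user's salt is different, so the wordlist must be rehashed separately for each leaked record, and `duplicate_hashes` on a salted store returns zero even when users share a password.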

So, based on the available information, it seems that the LinkedIn password compromise was the result of some very old fashioned approaches which probably resulted from a misguided drive to reduce expenditure (something we have talked about several times in the past, most recently here) ignoring the possible consequences of a major data breach.

However, one thing which doesn’t make a huge amount of sense is that these password compromises have (again) led to calls across the industry for passwords to be considered a “dead” technology and how we should all replace it with (insert technology of choice – often the one the person is involved with selling).

An example of this – although this is far from the worst and, I suspect, it is just a title to attract attention rather than being a serious suggestion – came in SC Magazine’s online edition for 15 June.

In an article titled “The death of the password?,” Mark Knight (director of product management at Thales e-Security) gave a very interesting example of how passwords can be attacked and how compromises can take place.

Overall, there is very little in it which explains why passwords should be considered dead as a result of these breaches, which were actually the result of broader security failures rather than a failure or weakness in the concept of passwords (or even the passwords themselves). Mark does give some very good advice on how users can improve their password handling (which is where the real weakness lies, not in the length or existence of passwords), but the overall approach falls down with this:

As we move towards smartphones and tablets where apps are able to store credentials on behalf of users, we are finding that we all use our passwords less: perhaps only to authorise higher-value transactions or to enroll new devices.

From an end user point of view, this may well be true. We authorise an app on our phone and everything seems to work.

However, every weakness he describes in the article still exists with the added problem of us being less aware of the risks as we no longer interact with the security controls ourselves.

Earlier in the article, Mark talks about how attackers can sniff passwords in transit:

Attackers often merely need to compromise an edge-of-network web server with some malware to steal every password as it is provided or to steal password hashes.

This is all very true, but it is not the fault of passwords as an authentication mechanism; it is down to poor security design. Using a smartphone app (or even multifactor authentication such as biometrics) would not protect against this, because at the most fundamental level the client (the user) has to send something to the server as their identification.

In the case of authentication apps, this is often a cryptographically hashed version of whatever credentials the user presented (fingerprint, retina scan, code, PIN, etc.), which is just as vulnerable to poor implementation as the cryptographically hashed version of their password.

Passwords are not the weak link. The problem, the security risk, the vulnerability is almost always the result of poor design decisions and incorrect implementations.

Don’t waste money on additional methods of authentication, or shiny new software and hardware solutions, when the problem is simply one of implementation. It is likely to cost less to change your passwords to SHA-1 and add some good salt to the process.


2 Comments

  1. 29 August 2012

    I’d love it if passwords were dead because I can never remember them! They should be fewer in number, that’s for sure.

  2. 12 September 2012

    Hi Beverly,

    Thanks for the comment.

    Remembering passwords is always hard work and I am not sure there is an easy way to cut down on the number of passwords we have to deal with on a day to day basis (other than simply not using web services…).

    However, it is worth keeping in mind that there is nothing wrong with writing some passwords down. All security controls should be threat based, but with passwords we fall into the trap of demanding every threat is deemed to be equally valid at all times. This is never, ever, true.
