Extracting the weak link in password protection

Removing human interaction with passwords and automating their selection and frequency of change is certainly a step in the right direction, says Richard Walters.

Everyone in the industry would agree that there are more secure alternatives and other authentication methods that can complement and may even eventually replace passwords. Perhaps unsurprisingly, the top critical security control highlighted in the Verizon 2015 Data Breach Investigations Report (DBIR) was two-factor authentication (2FA). However, the password is going to be around for many years yet, and we should be doing all we can to make passwords better. For the vast majority of applications, they remain the only option. Although there is essentially nothing wrong with using passwords, barely a week goes by without a high-profile data breach hitting the headlines as a result of weak or stolen credentials. Essentially, users select passwords that are too simple, too short and too predictable.

Analysis of actual passwords published from large-scale attacks (including Sony and LinkedIn) shows that more than 50 per cent are fewer than 8 characters, 50 per cent contain only numbers or only letters, and only about 1 per cent contain a non-alphanumeric character. Cracking more than 80 per cent of user-selected passwords is relatively easy, even if they're hashed in a database when stored. Even if salted and hashed, a high percentage will still be susceptible to brute-force attack; the time needed to obtain the passwords becomes purely a function of the compute power available to the hacker.

To make things worse (for themselves), users reuse the same passwords across different systems and services. Attackers who gain access to one service can then sign in freely to email, social media, online shopping and even mobile phone and bank accounts. Despite attempts to educate people on the importance of using even relatively long, complex, random, unique strings, they don't use them. And they rarely change them.

So what is the solution to this age-old problem?

So what if we could improve the way in which passwords are implemented and take responsibility for selecting and changing them regularly away from the user entirely? Security – and the user experience – would be improved significantly.

As a first step, businesses of any size can cost-effectively implement automated password management practices to give employees the access they need, without them knowing or needing passwords to individual applications, through the use of a Single Sign-On (SSO) solution.

The introduction of dynamic password management is a major step forward and a game changer for the industry. Whilst we can't take people completely out of the process, dynamic password management takes over password selection and change for web applications from the user, ensuring that passwords always remain long, strong and unique across every selected account. In fact, the user will never see – or need to remember – their application username or even their password.

This moves passwords closer to the tokens and assertions that are used in federated identity and authentication standards, including SAML and WS-Federation. Pre-defined trust between the identity provider and service provider, typically based on a shared certificate, is mimicked by either having the user enter their current (initial) password so that the SSO solution can subsequently change it, or the SSO solution may provision the account and set the password from the outset.
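A minimal sketch of the dynamic password management described above, added here as an illustration and not taken from any SSO product: the user's initial password is enrolled once, then replaced by a generated value that is long, mixed-class, unique per account and rotated on a schedule. The `Vault` class, the 24-character length, the symbol set and the 30-day interval are all assumptions.

```python
import secrets
import string
from datetime import datetime, timedelta, timezone

ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"
LENGTH = 24                               # assumed length
MAX_AGE = timedelta(days=30)              # assumed rotation interval
NEVER = datetime.min.replace(tzinfo=timezone.utc)

def weaknesses(pw):
    """Flag the traits the article reports in breached, user-chosen passwords."""
    found = []
    if len(pw) < 8:
        found.append("short")
    if pw.isdigit() or pw.isalpha():
        found.append("single-class")
    if pw.isalnum():
        found.append("no-symbol")
    return found

def generate(length=LENGTH):
    """Draw from the OS CSPRNG until every character class is present."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and not pw.isalnum()):
            return pw

class Vault:
    """Hypothetical store: account -> (password, time it was set)."""
    def __init__(self):
        self._entries = {}

    def enrol(self, account, user_password):
        # The user supplies the current password once; it is due at once.
        self._entries[account] = (user_password, NEVER)

    def due(self, now):
        return sorted(a for a, (_, t) in self._entries.items()
                      if now - t >= MAX_AGE)

    def rotate(self, account, now):
        in_use = {pw for pw, _ in self._entries.values()}
        pw = generate()
        while pw in in_use:               # unique across every account
            pw = generate()
        self._entries[account] = (pw, now)
        return pw                         # handed to the app's change flow
```

In a real deployment the value returned by `rotate` would be submitted to the application's password-change function and stored encrypted; neither step is shown here.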

Removing human interaction with passwords and automating their selection and frequency of change is certainly a step in the right direction. This approach protects the individual by ensuring that if a large-scale breach does occur, then the stolen password is unique and not reused across multiple services. When applied to internal accounts on internal systems, it may slow down an attacker and even prevent a breach from happening altogether – safeguarding business information and integrity.

Contributed by Richard Walters, general manager and vice president of Identity and Access Management (IAM), Intermedia