The End of Passwords?
This article covers how passwords are quickly becoming obsolete; many environments have already implemented newer, stronger technologies that help keep enterprise information assets secure. It explores the reasons to start using stronger authentication technologies and covers some of the alternatives.
Passwords have been around for years; because of this, many vulnerabilities have been exposed in password technology. Passwords suffer from multiple weaknesses: they are easily copied, written down, cracked by brute force and shared amongst users, and they create many other issues that are difficult to manage.
Specific policies can be structured around passwords to better secure them. Unfortunately, the opposite effect can sometimes be experienced when user behaviour is not managed. The longer the password, the more secure it is, and the more complex the password, the more security the policy adds; but users typically write these long, complex passwords down because they cannot remember them, which renders the password less secure.
At the last count most corporate machines were running a version of Windows, mostly Windows XP; according to recent statistics there are more than two billion registered Windows XP machines. Because of this known variable, attacks on passwords can be crafted in the following ways.
Active hacks and cracks can be performed and are easier to detect. Active attacks are more easily detected because they typically involve brute forcing, but they benefit from producing live results, so current credentials are captured.
Some active attacks, like password sniffing over the WAN or LAN, can take place without detection, as most organisations have little visibility of their networks. In most cases WAN connections are remote and the passwords traverse public networks that are easy for hijackers to monitor.
Key loggers are a technology that has grown from strength to strength. Recent statistics reveal that hundreds of key loggers are released monthly. Some antivirus companies can detect these keystroke-capturing technologies, but with the influx of new releases it is difficult to keep up with the threats.
Some key loggers are able to email the typed keystrokes to the attacker. If you feel that your bank has secured your PIN or password by presenting an on-screen keypad that you click on a webpage, be aware that some key loggers take screenshots of the areas of the screen that you click on and email those through to the attacker as well.
An offline attack usually means that the computer is off, or that a copy of the password file (the SAM file) has been made and a crack is being performed against the file while the user or administrator has little or no knowledge of this action. Typically the result is positive for the attacker, who can take their time. Once they have the password, they can attack the local computer either remotely (over the network) or locally by physically being at the computer.
Protect your password
If you are dealing with sensitive information, passwords alone are no longer enough to protect the system. Here, however, are some countermeasures to the attacks described above.
To counter brute forcing, one-time passwords (OTPs) can be useful. For home users this is not very practical, so another option is to implement some form of two-factor authentication, using tokens such as USB-style tokens or smart-card-style tokens. In Europe there is a great push towards the use of smart cards. Soon, smart cards will be used as authentication for driver's licences and to authenticate citizens. A move is afoot to offer internet and banking authentication on smart cards in the same form.
The use of personal firewalls is becoming more common. This technology does help, especially if a computer is infected with a Trojan or key logger: the personal firewall can stop the upload of the keystrokes and images, thwarting the attack.
Most antivirus vendors have produced intrusion detection and prevention software bundled with their antivirus software. One free AV that our lab tested picked up the majority of key logging software that we installed on Windows, but when we installed a relatively new open source key logger on Windows XP, it did not, and we were able to send keystrokes live over HTTPS... so the threat is definitely out there.
The use of fully encrypted hard disks can be useful if your computer is left unattended or has been lost. This means that boot-up disks like ERD Commander (official Microsoft software), Hiren (hack ware), ophcrack (audit ware) and many other password-cracking and attack tools will not be effective against your SAM database, as the software will not be able to attach to the encrypted hard drive.
Most encryption software offers pre-boot authentication: an authentication screen presented before the machine is able to boot. This screen acts as an additional access control that manages access to the operating system and other areas of the hard drive. Although not essential, it does help restrict unauthorised users from accessing other areas of the hard drive.
Strong authentication is the way forward; it is built up of two factors and is typically referred to as two-factor authentication. Any two of the following three factors can be used together to form strong authentication: something unique to you (your eyes, fingerprints or voice patterns); something you have (a token, smart card, USB token, device or other physical item); and something you know (a password, PIN, passphrase or anything else you have to remember and type in).
Although biometric technology is traditionally more expensive and has a history of reliability issues, it has now come of age and is incorporated into most brands of laptop. The technology is now more mature, and because computers are getting faster, the cost of the technology is decreasing and its reliability is increasing, it is now feasible as an authentication mechanism.
Examples of biometrics include fingerprints, voice, retina/cornea patterns, hand vein patterns, hand prints, face telemetry, body heat signature, written signature and signature dynamics, and many other personal characteristics that are challenging to impersonate.
One Time Passwords (OTP)
OTPs have their place in the authentication game. Mostly used in remote access scenarios, these tokens are affordable and very useful when credentials traverse insecure networks and systems. Typically this solution authenticates the user and the single session, meaning that if the credentials were played back they would not be valid, as they were only valid for the previous session.
USB tokens are typically used in combination with other mechanisms, like passwords, to form part of a two-factor authentication system. These devices come in many forms, shapes and sizes but are typically linked to a USB interface.
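The replay property described above (and the brute-force countermeasure mentioned under "Protect your password") can be seen in a counter-based one-time password. The following is an added example, not code from the article: an HOTP generator in the style of RFC 4226 and a server-side verifier that remembers the last accepted counter so a captured code fails when played back. The secret is the RFC's published test key and the look-ahead window of 5 is an assumed value.

```python
import hashlib
import hmac
import struct

# Constructed demo key: the RFC 4226 test secret, not a key from the article.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based OTP as in RFC 4226: HMAC-SHA1 over the 8-byte
    big-endian counter, dynamic truncation, then `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpVerifier:
    """Server side of the scheme. It remembers the highest counter it has
    accepted, so a code captured from one session is useless afterwards.
    The look-ahead window (an assumed value) tolerates a token whose
    counter has drifted ahead because the user pressed it without logging in."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.window = window
        self.last_counter = -1  # no code accepted yet

    def verify(self, code: str) -> bool:
        # Only counters strictly above the last accepted one are candidates,
        # which is what makes a replayed (or older) code fail.
        start = self.last_counter + 1
        for counter in range(start, start + self.window):
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter  # consume this and every earlier counter
                return True
        return False


def replay_demo() -> list:
    """Fresh code accepted, same code replayed rejected, next code accepted."""
    verifier = OtpVerifier(DEMO_SECRET)
    first = hotp(DEMO_SECRET, 0)
    return [verifier.verify(first), verifier.verify(first), verifier.verify(hotp(DEMO_SECRET, 1))]


if __name__ == "__main__":
    print(replay_demo())  # [True, False, True]
```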
Our labs are working with some of the most advanced token manufacturers in the world. Soon, users will be able to buy a token for a home or corporate machine that will help manage the security of their laptop, desktop or mobile device. All this will be managed remotely (wherever the device is and no matter what the password is). The device will act like a token and can be kept with the computer, because the device can be revoked remotely, no matter where it is. The device will be capable of shutting down the computer and locking out the current user remotely. So, if an unauthorised user were to use the computer, full remote management would be possible. This technology has so many features that governments and military organisations are currently testing it.
Notes from the field
As a security consultant, I have seen most of my security-conscious clients make a concerted effort to move away from the use of passwords. Any organisation that is serious about securing its IT assets has in the past two years started looking into two-factor authentication solutions and has either started implementing two-factor authentication and encryption or has budgeted for these technical controls to be implemented in the next 18 months. Unfortunately, audit and compliance requirements are still lagging behind. You should, however, expect a move to make these technical controls a requirement for businesses in the next few months.
It is clear that passwords have now become obsolete and need to be used in combination with, or replaced by, other stronger authentication technologies. With billions of systems vulnerable to password weakness, 2009 will be a buoyant year for strong authentication.