Wednesday 25 May 2016

Why Passwords Suck - And What You Can Do About It!

ZeroDayLab's Cyber Security Specialist, Stuart Peck, considers the recent LinkedIn breach, passwords & security awareness.

So here I go with another article on how the password is dead, one of 3,000+ with the same title this week. Well, not quite.
As with every publication of a password dump, especially a high-profile one such as the LinkedIn dump that resurfaced this week (and probably one LinkedIn wishes had stayed firmly in the past), every security commentator, journalist and security researcher uses the event as a springboard to comment on how bad everyone is at creating a strong password.
And before I make my case I want to admit something: in 2012 my password was not very good. It had 10 characters, an upper-case letter and numbers, but it was not what I would consider strong by today's standards. The password was changed on a regular basis, though, usually every 6 weeks, which is why I was not so worried about the original breach.
Why Passwords Suck
Passwords can suck for many reasons, but these are my top 4:
1) They are usually based upon a word, which can be guessed or extracted through social engineering: Password123, 123456 (750,000 used this on LinkedIn), qwerty - seriously?!
2) Stored passwords are usually encrypted but not salted, which means they can be cracked easily by hackers using tools like Hashcat or John the Ripper.
3) With so many accounts, passwords are mostly re-used, even though everyone knows they shouldn't be!
4) In general, passwords can be the weakest link in security, with most company password policies still requiring 8 characters, an upper-case letter, special characters etc., which doesn't provide much protection from today's threats.
This is becoming more of an issue with the techniques attackers use to crack or guess passwords, through a combination of social engineering and hash-cracking tools. Furthermore, in a recent client project we were able to successfully crack 100% of 6 million hashed (MD5, SHA1, SHA256 etc.) passwords in 1.95 seconds.
What I am getting at here is not that passwords suck, but that users suck at creating them, and have done so since the beginning of time, and that companies with a responsibility to protect user and customer information are still not hashing AND salting stored passwords!
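To make the "hashing AND salting" point concrete, here is an added example (not from the original post) that stores the weak passwords the post names both ways: with a single unsalted SHA-256, where a precomputed table of cracked hashes recovers them in one lookup, and with a per-account random salt stretched through PBKDF2-HMAC-SHA256, where the same table finds nothing. The iteration count and salt length are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed "already cracked" table: the weak choices the post calls out,
# pre-hashed with unsalted SHA-256 the way an attacker's wordlist would be.
WEAK_PASSWORDS = ["Password123", "123456", "qwerty"]
UNSALTED_TABLE = {hashlib.sha256(p.encode()).hexdigest(): p for p in WEAK_PASSWORDS}

PBKDF2_ITERATIONS = 200_000  # assumption: tune to your own hardware budget


def store_unsalted(password: str) -> str:
    """The weak scheme: one plain SHA-256 per password, no salt."""
    return hashlib.sha256(password.encode()).hexdigest()


def lookup_unsalted(stored_hash: str) -> Optional[str]:
    """Identical passwords give identical hashes, so a precomputed table
    recovers the password with a single dictionary lookup."""
    return UNSALTED_TABLE.get(stored_hash)


def store_salted(password: str, salt: Optional[bytes] = None) -> str:
    """Hashing AND salting: a fresh random 16-byte salt per account,
    stretched with PBKDF2-HMAC-SHA256. Stored as "salt$hash" in hex."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_salted(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = record.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def lookup_salted(record: str) -> Optional[str]:
    """The precomputed table is useless against a salted record: it would
    have to be rebuilt per salt, i.e. per account, and stretched as well."""
    _, digest_hex = record.split("$", 1)
    return UNSALTED_TABLE.get(digest_hex)


if __name__ == "__main__":
    for pw in WEAK_PASSWORDS:
        print(pw, "unsalted ->", lookup_unsalted(store_unsalted(pw)))
        print(pw, "salted   ->", lookup_salted(store_salted(pw)))
```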
How Not To Suck At Passwords...
Every security professional worth their salt has a tried and tested method for generating a strong password. There are a few techniques I train attendees in during our cyber security awareness programs, with the most effective being:
“The only mistake in life is the lesson not learnt” – Albert Einstein
1) Don't use a password but a passphrase
The most effective way of generating a strong password, and the one I use, is to take physical items from different locations in the office or home office, mix them up with special characters and, most importantly, multiple spaces, generally more than 2-4 between each word.
An example could be: "5M!nt   20P%nce    RedLoung£   24_05.16"
Another good example of a passphrase could be an important date or event, but please not a wedding, the birth of a child, or the birthday of anyone you know!
"B3st   Pr£nt4ti>n   Ev5r   25,,05..16"
2) If a passphrase is too difficult then use a password vault
If the prospect of creating a passphrase for every account fills you with dread, then the best option may be one of the many password vaults. The benefit of a password vault is the ability to generate a strong and completely random password or phrase for every one of your personal accounts, but make sure the master passphrase follows the principles in point 1.
These tools provide a good option for securing personal accounts but lack the ability to deal with complex systems within the enterprise. Tools such as Lieberman Software provide the scalability to deal not only with complex privileged accounts but also protection from attacks such as pass-the-hash and from exposure to password-cracking tools such as Hashcat.
3) 2FA (two-factor authentication), everything!
And finally, use two-step verification and 2FA for every account, everywhere. This will make it very difficult (not impossible) for hackers to access your account and change your password.
In fact Google is working on removing passwords altogether from Android devices through their Trust API by 2017, using biometric data such as typing pattern, location and facial recognition. If this works, maybe this is the start of, ahem, "the death of the password". Until then, follow the above and you'll reduce your exposure to any attempted hack and make life more difficult for potential threat actors.
