
It's not the P4ssw0rd's fault

06 July 2017 by ProCheckUp

 


The objective of authorisation access controls is to ensure that the person seeking access is authorised. This control is most often associated with login credentials and procedures, e.g. those requiring an ID and password. The effectiveness of passwords and their role in modern authentication systems is often questioned, as there are many types of threats against passwords, most of which can be only partially mitigated.

The need for more complex passwords has increased in response to faster processor and network speeds; however, complex passwords are hard to remember, and those which are easy to memorise are either too short or too simple to be secure. Nevertheless, for any system or resource that needs to be protected, one must not forget that technology alone is not enough. The greater the risk, the greater the need for strong authentication controls, so using risk analysis to identify risks and then rank them by severity is vital.

 

A bit of history

Passwords have been with us for thousands of years. In the ancient world, passwords and watchwords in guarded camps and in battles were how men, not having uniforms, recognised each other as part of a collective. Plutarch includes an account of Alexander appearing to Demetrius in a dream before the battle of Ipsus in 301 B.C., telling him that the watchword they are going to give for the battle is “Zeus and Nike”.

In computing, the familiar login and password combination has been used since the days of MIT's Compatible Time-Sharing System (CTSS) in 1961. Even back then, users had to provide a username and password to access the system. Interestingly, security incidents were reported even then: users guessing one another’s passwords, and at least one leak of the master password file (then stored in unencrypted form).

 

Password generation

There are two ways to generate passwords: automatic random (or pseudo-random) generation and user selection. Although automatically generated random passwords usually provide greater entropy than user-selected passwords and thus are stronger passwords, they can be difficult for users to remember.
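To make the entropy comparison concrete, here is an added example (written for this article, not ProCheckUp's code) that generates passwords with Python's secrets module and computes the entropy in bits of each scheme. The 16-word list is a constructed stand-in for a real word list, and the function names are this example's own assumptions.

```python
import math
import secrets
import string

# Constructed stand-in for a real word list (a real passphrase generator
# would load several thousand words, e.g. a diceware list).
WORDLIST = [
    "apple", "basket", "candle", "donkey", "engine", "forest", "garden",
    "hammer", "island", "jacket", "kettle", "ladder", "magnet", "needle",
    "orange", "pencil",
]

# Printable ASCII minus space: 26 + 26 + 10 + 32 = 94 symbols.
CHARSET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(choices: int, length: int) -> float:
    """Entropy of a secret built from `length` independent, uniformly random
    picks out of `choices` alternatives: length * log2(choices)."""
    return length * math.log2(choices)


def length_for_target(choices: int, target_bits: float) -> int:
    """Smallest number of picks from `choices` alternatives that reaches
    `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(choices))


def random_password(length: int = 16, charset: str = CHARSET) -> str:
    """Random character password. secrets.choice draws from the OS CSPRNG;
    the random module must not be used for secrets."""
    return "".join(secrets.choice(charset) for _ in range(length))


def random_passphrase(words: int = 6, wordlist=WORDLIST, sep: str = "-") -> str:
    """Random passphrase: easier to memorise, and its entropy comes from the
    size of the word list, not from the characters in the words."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def compare_schemes(target_bits: float = 80.0) -> dict:
    """Bits of entropy per symbol for each scheme and how many symbols are
    needed to reach the target. The sample list has only 16 words (4 bits
    each); a 7776-word diceware list gives about 12.9 bits per word."""
    return {
        "chars_per_symbol_bits": math.log2(len(CHARSET)),
        "chars_needed": length_for_target(len(CHARSET), target_bits),
        "sample_words_per_symbol_bits": math.log2(len(WORDLIST)),
        "sample_words_needed": length_for_target(len(WORDLIST), target_bits),
        "diceware_words_needed": length_for_target(7776, target_bits),
    }


if __name__ == "__main__":
    print(random_password(), entropy_bits(len(CHARSET), 16))
    print(random_passphrase(), entropy_bits(len(WORDLIST), 6))
    print(compare_schemes())
```

The point the numbers make: a user-chosen password only has the entropy of the process that produced it, whereas a generated one has exactly length times log2 of the alphabet, so the generator can be sized to a target such as 80 bits before the password is ever shown to the user.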

There is a close relationship between the design and implementation of any authentication system (including two-factor or multi-factor), the end user’s expected behaviour, and the need for greater password strength. Unfortunately, users are the weakest links in the security chain, and user behaviour can be a difficult system component for any system developer to model. For instance, an inherent risk of any password-based system is that a user can break its security simply by disclosing the password to a third party, either accidentally or on purpose. Examples include writing the password down and choosing a password of such poor complexity that it is easy for an attacker to guess.

Within the last decade, several devices and techniques have been introduced that can make authentication more user-friendly, convenient and secure. These include smart cards, RFID cards, USB tokens and graphical passwords; however, text-based passwords remain the most commonly used authentication mechanism.

As attackers often target common passwords in guessing attacks, and well-known lists of common "insecure" passwords exist, systems that reject a user’s attempt to set a password found on a blacklist of common passwords help reduce password predictability. Attackers also target reused credentials: if an attacker has compromised a password through a targeted attack, it is likely that the same user uses that password on another system.

One of the most common policy rules (and part of the general advice regarding passwords) is to change passwords often, and to use long, complex and unique (not shared with other logins) sets of characters. This usually requires a mix of upper-case and lower-case letters, digits and special characters. However, common user habits, such as adding numbers to make a password "more secure", are often predictable: when adding a number, most users opt for a common one (usually 1 or 2) at the end of the password and/or substitute certain letters with numbers (e.g. e with 3, a with 4, i with 1, etc.).

 

So much to remember

For most people there are at least ten to twenty username and password combinations to remember, which can feel overwhelming and lead to the use of the same password for multiple logins. Here is a brief list of the most common:

Account: Financial. Bank cards (personal account, joint account, work account), Credit cards
Credentials/Information: ID, Password, Two factor with one-off token generators, Security question or secret word, PIN number

Account: General. Council tax, Inland revenue, Congestion charge account, Car insurance account, Amazon, Ebuyer, PayPal, eBay, Apple store, Internet provider, Mobile provider, Mobile phone, Home Internet access (portal, Wi-Fi), Personal emails (e.g. MSN, Google mail), Facebook, Twitter, LinkedIn
Credentials/Information: ID, Password, Two factor with one-off token generators, Security question or secret word, PIN number

Account: Work related. Work workstation, Laptop, VPN system, Work email, Payroll system, Scheduling system, Network share, other onsite/offsite drives, portal, blog, Mobile phone, work Internet equipment access details (Wi-Fi)
Credentials/Information: ID, PIN number, Password, Secret question

It can be quite frustrating trying to pay for a purchase or for a service (e.g. council tax online) and not being able to access your account to complete the transaction because of a forgotten password. Compounding this is the fact that some systems do not email or text account reset information straight away, so a simple five-minute task becomes a half-hour task and can end up taking longer than a physical visit to a shop or bank. Password changes following such an event can lead to users being locked out of the account, and to even greater frustration.

Initially this leads to password changes that aim merely to satisfy the password policy rules, which often results in forgotten passwords, as the enforcement rules do not necessarily match normal user behaviour when choosing a password. Typically, the user makes a poor password choice (e.g. taking an insecure password and adding a predictable number, possibly also changing the case of the first character, so that “password” becomes “Password123”). There is data to suggest that users who are asked to change passwords often do not select long, strong and unique passwords. A study published in 2010 by researchers from the University of North Carolina at Chapel Hill looked at cryptographic hashes from 10,000 expired accounts that once belonged to university employees, faculty or students who had been required to change their passwords every three months, and identified common techniques account holders used when required to change them. A password such as "banana#1$", for instance, frequently became "bAnana#1$" after the first change, "baNana#1$" on the second change, and so on. Other common techniques were substituting a digit or duplicating the last digit.

 

Another thing to consider is mobile devices and IoT

In the last decade, mobile devices have increasingly been used not only for calling and sending text messages, but also for email, web browsing, social networking and banking. Most of these activities require authentication, typically in the form of text passwords. The size and layout of virtual keyboards affect password entry, and the effort required to navigate across pages often also results in poor password choices. What is interesting is that on a desktop QWERTY keyboard, qwerty or asdfghj are common poor passwords chosen by users, whereas on a mobile device adgjmptw is a common poor password (it is formed by pressing the keys 2, 3, 4, 5, 6, 7, 8, 9 in sequence on a phone keypad).
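The defensive checks described in the preceding sections (rejecting passwords on a blacklist of common passwords, reversing the e/3, a/4, i/1 style substitutions and appended digits, catching keyboard walks such as qwerty, asdfghj and adgjmptw, and refusing the case-flip and digit-change variants seen in the rotation study) combined into one password-acceptance routine. This is an added example written for this article, not ProCheckUp's code; the blocklist is a constructed sample of a dozen entries, and the reason codes and function names are this example's own assumptions.

```python
import re
from typing import List, Optional

# Constructed sample blocklist; a deployment would load a large corpus of
# leaked/common passwords instead. Entries are lower-case base words.
COMMON_PASSWORDS = {
    "password", "123456", "letmein", "welcome", "monkey", "dragon",
    "football", "iloveyou", "sunshine", "princess", "banana", "admin",
}

# Keyboard walks from the article: QWERTY rows, the digit row and the
# phone-keypad sequence adgjmptw (keys 2 to 9 pressed in order).
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890", "adgjmptw"]

# Reverse the usual letter->digit and letter->symbol substitutions.
UNLEET = str.maketrans({
    "4": "a", "@": "a", "3": "e", "1": "i", "!": "i", "0": "o",
    "5": "s", "$": "s", "7": "t",
})

# Reason codes returned by check_password (this example's own names).
TOO_SHORT = "too_short"
COMMON = "common"
KEYBOARD_WALK = "keyboard_walk"
VARIANT_OF_OLD = "variant_of_old"


def normalise(password: str) -> str:
    """Canonical base word: lower-case, trailing digits/symbols removed,
    substitutions reversed. "P4ssw0rd123" and "Password!" both give "password"."""
    core = password.lower()
    core = re.sub(r"[\d\W_]+$", "", core)   # strip "123", "!", "#1$" suffixes
    return core.translate(UNLEET)


def is_keyboard_walk(password: str, min_len: int = 4) -> bool:
    """True when the password is a contiguous run along a keyboard row or
    the phone keypad, in either direction."""
    p = password.lower()
    if len(p) < min_len:
        return False
    return any(p in row or p in row[::-1] for row in KEYBOARD_ROWS)


def is_trivial_variant(old: str, new: str) -> bool:
    """True when the new password only flips case, changes or appends a
    digit/symbol, or duplicates the last character of the old one (the
    rotation patterns from the UNC study)."""
    if not old:
        return False
    if old.lower() == new.lower():
        return True
    base = normalise(old)
    if base and base == normalise(new):
        return True
    return new == old + old[-1]


def check_password(candidate: str, old_password: Optional[str] = None,
                   min_length: int = 12) -> List[str]:
    """Return the reasons to reject `candidate`; an empty list means accept.
    `old_password` is available only during a password-change flow, where
    the user has just proved knowledge of it."""
    reasons = []
    if len(candidate) < min_length:
        reasons.append(TOO_SHORT)
    if candidate.lower() in COMMON_PASSWORDS or normalise(candidate) in COMMON_PASSWORDS:
        reasons.append(COMMON)
    if is_keyboard_walk(candidate):
        reasons.append(KEYBOARD_WALK)
    if old_password is not None and is_trivial_variant(old_password, candidate):
        reasons.append(VARIANT_OF_OLD)
    return reasons


if __name__ == "__main__":
    for pw, old in [("P4ssw0rd123", None), ("adgjmptw", None),
                    ("bAnana#1$", "banana#1$"), ("Correct-Horse-Battery-Staple", None)]:
        print(pw, "->", check_password(pw, old) or "accepted")
```

The normalisation step is what makes the blocklist effective: without it, "P4ssw0rd123" passes a naive "not in the list" check even though an attacker's wordlist mangling rules produce it from "password" in the first few candidates.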

 

Selecting a more secure password can be done following different methods

  • The mnemonic method, where a user selects a phrase and extracts a letter from each word in the phrase;
  • The altered passphrase method, where a user selects a phrase and alters it to form a derivation of that phrase;
  • The altering words method, where a user combines two or three unrelated words and changes some of the letters to numbers or special characters.

Good security administration and system protections are essential to establish an objective basis for confidence in the security capabilities of any system. Having a process that is used to evaluate, concentrate, and maximise the computer security effort is crucial.

That can be broken down into the following:

   (1) Identify what you are trying to protect.

   (2) Determine what you are trying to protect it from, and how likely the threats are.

   (3) Implement measures which will protect your assets in a cost-effective manner.

   (4) Review the process continuously and make improvements each time a weakness is found.

 

Risk analysis

It is unfortunate that organisations and users often forget to conduct even a basic risk analysis when they select a password. Signing up for online access to a bank account should not be treated in the same way as signing up for a general forum or mailing list.

Assessing the level of potential damage and the level of protection needed is important. Choosing a password for a personal email account might not appear to pose a high risk, but how many online services has this email account been used for? Is it the email address you used to register for your bank account, your Council tax, your Amazon, eBay and PayPal accounts, your internet subscription, etc.? How easy is it for an attacker on the other side of the world to brute-force or guess your email password? And once he or she has gained access to your account, how easy is it to use the information in your mailbox to take control of your life?

 

Password management technologies?

A password manager can be used to assist in generating, storing, and retrieving complex passwords from an encrypted database. Depending on the type, these include locally-installed software applications, online services that are accessed through website portals, and locally-accessed hardware devices that serve as keys. Password managers typically require their user to create and remember one "master" password to unlock and access any information stored in its database.

Password management technologies should carefully consider the requirements for usability as users may circumvent the technology by writing down passwords instead of storing them in local password management software. The security of the password management technologies, the security of the password storage used and transmission mechanisms should also be considered. Another important factor is how users authenticate to the password management technologies; if passwords are the form of authentication, then a compromise of one of those passwords would compromise all of that user’s passwords stored in the password management technology, potentially granting an attacker access to dozens of resources from a single password.

Organisations should also consider the impact level associated with the passwords that would be stored in a password management technology. If a technology is being deployed to support low-impact passwords, its effect on day-to-day use, productivity and convenience matters. The idea that a system’s security should not interfere with business operations and should comply with business needs is often forgotten, and frustrated users faced with complicated and frequent password update requests sometimes start questioning the need for so much security altogether.

Organisations need to protect the confidentiality, integrity and availability of passwords so that all authorised users can use passwords successfully as needed. Security needs, the value of the asset to be protected, the frequency of authentication, the level of threat against the user and the expected user behaviour should all be considered when deciding on password generation and expiration requirements. Any security solution should consider the environmental parameters and user attitudes while incorporating continuous education, training, awareness and support.
