By Matthew Marx, Information Security Consultant at MWRInfoSecurity
With the number of high profile data breaches on the rise, users and organisations alike are more concerned than ever before with making sure that the sensitive information they handle remains secure. One of the simplest means of acquiring this information for an attacker, is to enter an organisation with the key to the door itself, user's passwords.
Authentication is the process of proving that you are who you claim to be. There are a number of digital methods that we use to prove that someone is indeed who they claim to be, but the most common form by far today is through using a secret piece of information, such as a password. This secret bit of information is intended to be something that only the user knows or has access to. However, all too often users choose something that not only isn't secret to them, but something common that many other users will end up choosing too.
Organisations are responsible for protecting their users’ passwords in motion and at rest. At rest, it is important that the password is hashed using a strong hashing mechanism. Ashley Madison is an interesting case study, because despite their users choosing weak passwords, they had attempted to protect the password with a strong hashing algorithm, bcrypt. It was not until the research group CynoSurePrime discovered a weakness in the way that the developers had stored an alternative version of this password that they were able to crack a significant number of the passwords.
In order for organisations to better protect themselves against password attacks, as well as implementing two-factor authentication, a strong password policy needs to be implemented. In addition to research being done around compromises like Ashley Madison, MWR have seen a spate of large breaches that began with a password compromise. The iCloud celebrity breaches rose out of a vulnerability discovered in a mobile API that did not limit the number of login attempts an attacker could make. Accounts that were not protected by strong passwords could be guessed by an attacker by exploiting this vulnerability. The JP Morgan Chase breach is another compromise that was widely reported on, and began with an attack that guessed a single weak password in 2014 (https://securityledger.com/2014/10/hacked_password_behind_compromise_of_75m_jpmorgan_accounts/).
The CPNI and CESG in the U.K. have recently released a helpful set of guidelines on how organisations and users can better choose passwords (https://www.gov.uk/government/publications/password-policy-simplifying-your-approach). Traditional wisdom has often said that the more complex a password is, the better. This wisdom has slowly been replaced with experience and practicality, as users have struggled to remember highly complex passwords and resorted to using predictable patterns to choose them. These patterns, such as capitilising the first character of the password and adding a digit and special character to the end of the password, make the password much easier to guess for an attacker. Instead, long passphrases are now considered generally more secure and can be easier for a user to remember. The passphrase, "Today I walked my dog" is significantly more secure than "[email protected]$$wORD_1" and easier for users to remember, and organisations should consider choosing length over complexity when they think about password policies.
MWR has spent several years conducting research into how to attack the mind-set of users when they choose passwords. Most recently, MWR collaborated with Carnegie Mellon University in the U.S., where it came out on top in a comparison of attacks against user passwords where they competed against another security firm and independent researchers (https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-ur.pdf).
Perhaps the single biggest take away from the breaches that we've seen recently, is that users have not learnt from others’ mistakes. We're still seeing the same, weak, easily guessed passwords being used across accounts on the internet. Furthermore, the second lesson for organisations, is that storing passwords securely makes a significant difference in protecting its users. Storing passwords with a strong algorithm such as bcrypt, goes a long way in protecting users in the event of a compromise.