Tuesday, November 30, 2010

Why Passwords^10?

I've been asked this many times: "Why would you do a 2-day conference on passwords & PIN codes?". I'm being told that passwords are lame and old-fashioned. Biometrics and 2-factor authentication are much better at providing better security. Some even refer to xkcd 538 to describe to me why password-only authentication is stupid. Allow me to explain a little...

I've been researching passwords for more than 9 years now. I've got more passwords now than I had 9 years ago. Many more, in fact. Not that I've asked for them voluntarily, but it's the only option available from most services. Some services, like my online banks (I'm using 3), uses a solution named BankID to authenticate me. It runs using Java (hooray...). Among other factors, it also uses a password for authentication. The technical password policy implementation currently allows anything as your password, as long as it is minimum 6 characters in length. Yes, that allows 123456 to be used as a password, although they do suggest to pick a stronger one to protect your financial life. I would suggest so too.

I'm using Twitter, Facebook, Google, and a WIDE variety of online services. I'm even using Microsoft Windows, but I guess there's nothing special about that. "Windows? You can get 2-factor and biometrics for Windows!". Sure. I even know some organisations who actually authenticates all their users using RSA Securid 2-factor authentication when logging on locally to Windows.

Problem number 1:
Fixed 4-digit PIN codes manually selected by their users is what you need to obtain (See xkcd 538 again), in addition to stealing that SecurID token. If the PIN isn't taped to the back of the token, that is. I've seen that before. Oh; and a PIN code is a password to me. I presume there are probably even more people in the world dependant on PIN codes in their daily life than there are people dependant on computers. Honestly; do you know anyone above age 16 that doesn't use or depend on PINs or passwords in their daily life? And when did you last change your PIN codes? Can't remember? aha. Thought so.

Problem number 2:
Of course using 2-factor like SecurID is a good idea. Usability is probably better, with less fuzz and "lost password" support calls. Well, here's a wild guess from me: I don't think all those service accounts used for monitoring, anti-malware, backup/restore, databases and similar services uses 2-factor authentication to log on. I don't even believe that shared accounts, test or demo/training accounts are equipped with SecurID tokens (I'm excluding the possibility of Skynet being present here). Unfortunately those are the accounts with the highest access levels in your Windows domain and individual systems in most cases, AND the most interesting targets for any attacker who wants full access while concealing their activities. Passwords win. Or loose. Depending on how you look at it of course.

I'm using GPG/PGP. Come get some.
I like AES. I like other algorithms as well. And your encrypted files and e-mails are protected through a private/public key system. Only you have your private key, and of course its protected by an amazing - you guessed it - PASSWORD. Without a centralized password policy for those GPG/PGP passwords, I believe many people will be using rather simple passwords to protect their private key. At least, my research shows exactly that - maybe as many as 50% will be on the absolute minimum of technical requirements implemented. 

So where do you store your private key then? On your personal home area on some server somewhere in the organisation? In the cloud perhaps? Where domain admins, backup administrators, helpdesk and many others can easily find and copy the file for further offline processing and brute-force attacks? Many organisations uses shared private PGP keys for a single department or function. If one person leaves, who knows whether that person made a copy-to-go of that private key? Would you consider that to be a potential risk?

I'm using superduper hard drive encryption.
Probably with pre-boot authentication (search for "evail maid attack" on Google), or direct boot into your OS-of-choice (probably Windows), with transparent full disk encryption, perhaps coupled with a TPM chip inside your computer. The evil maid attack will capture your password. Live memory dumps will give almost instant access to decryption keys stored in memory. Use your patience, wait for a new TCP/IP level  remote exploit to appear that allows you to attack and seize control of that computer with the encrypted disk and password/biometric protected screensaver.

...And I could go on for a long time with attacks and defences. Passwords are some of the oldest authentication methods we have to control access to some sort of resource - at least for computer systems. They were bad 5, 10, 15 and 20 years ago, and passwords created by humans are still bad. Almost no development in our password selections in 20 years, yet the techology to crack them have improved. Massively. And those bad passwords won't go away in the very near future.

At Passwords^10 we will talk about passwords and PINs because they are everywhere. They won't go away. We all use them in our daily lives. How we create them or crack them - both sides will be up for discussions at the conference. Many things can be done to improve the security passwords provide us with, while maintaining or perhaps even improving their usability for all of us.

I hope you will be able to join us at the conference. We're planning to make the presentations available very shortly after the conference, as well as video recordings of all presentations.

No comments:

Post a Comment

All comments will be moderated, primarily for spam. You are welcome to disagree with my posts of course.