The advent of user created, managed and handled passwords as the sole means of authenticating is coming to an end. The utility of these was defined in an era based on assumptions of brute force capability, system computing power and pro-active security teams. - After much debate and analysis … there is the thesis
This topic came up for me last year as I was working through some large amorphous business processes. The question of credentials was raised, and we challenged it. This is interesting as we had some pretty serious brains in the room from the house of auditing, security, risk, and business leaders. I am sharing my thoughts here to seek input and additional alternate perspectives – seeking more ‘serious brains’.
I will update as feedback comes in … this and other posts will serve as workspaces to share the analysis and perspectives to consider. I am breaking this topic across different posts to allow for edits and pointed (critical perhaps) feedback on a topic basis. This is LIVE research, so understand impressions today may change tomorrow based on information and insight. Looking forward to collaborating, and with that … lets jump right in!
Passwords are designed to restrict access by establishing confirmation that the entity accessing the system is in-fact authorized. This is achieved by authenticating that user. Passwords / pass phrases have been the ready steady tool. The challenges to this once golden child cross the entire sphere, and I’ll be seeking your collaboration through the journey up to my RSA presentation in SFO at the end of February 2013!
- False premise one - Passwords are good because they cannot be cracked
- False premise two - Password strength should transcend devices – mobile, tablets (iPad, surface)
- False premise three - Password control objectives are disassociated from the origination and intent
FALSE PREMISE ONE: (Updated Jan.31.2013)
- Passwords are great because they are difficult to break?
The idea here is that users are trained (continuously) to use complex, difficult, long, and unique passwords. The concept was that these attributes made it difficult for a password to be broken.
Lets explore what that meant… When a password was X characters long using Y variety of symbols it would take a computer Z time to break it. Pretty straight forward. (This example drawn is for a password hash that is being brute force attacked offline) This analogy and logic is also true with encryption, but it is based on poor premise:
- Password cracking CPU cycles for a single machine are far more powerful than yesteryear, AND if we focus ONLY only on computing power, well the use of Cloud Armies to attack represent the new advantage for the cracking team
- Password cracking by comparison pretty much made the CPU argument (and length of time to hack) moot. There exists databases FULL of every single password hash (for each type of encryption / hash approach) that can be compared against recovered passwords – think 2 excel tables .. search for hash in column A and find real world password in column B.
Interesting selective supporting facts:
- A $3000 computer running appropriate algorithms can make 33 billion password guesses every second with a tool such as whitepixel
- A researcher from Carnegie Mellon developed an algorithm designed for cracking long passwords that are made up of combined set of words in a phrase (a common best practice advice) - “Rao’s algorithm makes guesses by combining words and phrases from password-cracking databases into grammatically correct phrases.” This is research is being presented in San Antonio at the “Conference on Data and Application Security & Privacy” - New Scientist
Humans also pick awful passwords …
- Based on habit
- We trend towards the same passwords
- Based on grammer
- Our punctuation and writing habits also lend towards identification and passwords
To be continued ….. Part 2 and 3 will be shared soon, looking forward to more collaboration!
Keep seeking, everything.
- James DeLuccia IV