Data breach epidemic shines spotlight on shared secrets
- By (ISC)2 Government Advisory Council Executive Writers Bureau
- Jul 17, 2014
Recent history has not been kind to businesses and consumers when it comes to Internet security. From LinkedIn to Adobe to eBay, we continue to hear the same story: X number of passwords/records leaked via company Y data breach. According to Tripwire, the Adobe breach alone compromised over 234,000 accounts of military and government users. While few would dispute the extent of the problem, what do all of these data breaches really mean for password security, and what can agencies do about it?
At the root of the problem is the fact that passwords are nothing more than shared secrets. A password authenticates only because two parties hold it: the end user who presents it and the authentication system that validates what the user provides. Both ends have a critical role in keeping the password secret.
Unfortunately, the authenticating party has to store the shared secrets, or at least verifiers derived from them (typically salted hashes), in a data center somewhere, and a leaked verifier table can still be attacked offline, one guess at a time. Even if proper security controls are designed and implemented from top to bottom, the nature of targeted attacks, operator error and software and hardware vulnerabilities (like the recent OpenSSL Heartbleed bug) prevent the total elimination of password breaches while the concept of shared secrets is in use.
Although the end user is typically not directly responsible for the mass password breaches we continue to see, the user does have a key responsibility as the other half of the shared secret model. By taking a closer look at the recent breach data, we can get a good understanding of how responsible (or irresponsible) users are and, as a result, how effective user passwords are in protecting their accounts and other associated data.
For example, “123456” and “password” are extremely poor password choices, yet these were still the most common passwords used on the Internet in 2013, according to SplashData. Strong password practices may seem like common sense to security professionals, but typical end users do not usually understand the implications of using weak passwords.
Online retailers also have a responsibility to enforce appropriate password policies to help protect their users. However, most online retailers do not appear to be helping the cause, with 55 percent accepting known weak passwords such as “123456” and “password,” according to Dashlane. Its Personal Data Security Roundup further concludes that 64 percent of top U.S. e-commerce retailers have “highly questionable password policies.”
Finally, while strong password length and complexity requirements make it more difficult to crack a given password via brute force once its hash has leaked, even extremely strong passwords can be exposed in a mass data breach if the breached system stored them in plaintext or in reversibly encrypted form rather than as salted hashes.
Given the recent history and recurring headlines of new data leaks, there is no reason to believe that the number of mass data breach events will decline anytime soon. In fact, issues such as password reuse provide even more incentive to adversaries who can use compromised credentials, not only at the source of the breach but anywhere else where the same password may be used. While there are ways to better secure passwords when they are the only authentication option available, even a password consisting of a long and completely pseudo-random string of alphanumeric and special characters in the hands of adversaries after a data breach means the shared secret may no longer be a secret.
In an attempt to address the issues with passwords, there has been an increase in the availability and use of two-factor authentication. Banks have been using some sort of two-factor authentication for some time, and many other Internet sites, such as email providers and social networking sites, now offer two-factor authentication as well.
Two-factor authentication should be used wherever available in lieu of passwords alone. However, it is important to realize that most two-factor implementations still rely on the concept of shared secrets; instead of one secret (a password), there is now a second secret as well, typically the seed from which a hardware token or authenticator app derives its one-time codes, and the server must hold a copy of that seed to check them. If both shared secrets are compromised as a result of one or more data breaches, the associated user accounts are also compromised.
Customers such as Lockheed Martin learned this the hard way when RSA’s SecurID two-factor tokens were compromised in 2011. While two factors are almost always better than one, this type of implementation is only effective if there is some level of certainty that all shared secrets will in fact remain secret. Storing the multiple factors in multiple locations or data centers makes compromise more difficult, but sophisticated and persistent attackers can eventually reach their goal. Additionally, these two-factor authentication approaches are also subject to man-in-the-middle attacks (a phishing site can relay a one-time code to the real service before it expires) and provide little value on a system already compromised via other means.
So if usernames and passwords are no match for data breaches and most two-factor authentication approaches still rely on shared secrets, what else can be done to combat these ongoing data breaches?
The critical technology is end-to-end security based on public key cryptography. The federal government has been working on implementing smart cards as a second factor for nearly 10 years, though adoption rates are low. Homeland Security Presidential Directive 12 (HSPD-12) leverages public key cryptography embedded in the personal identity verification (PIV) smart cards that serve as the second factor. If implemented properly, the server stores only the user’s public key, so public keys exposed in a data breach are useless to an adversary: the private key needed to answer the server’s challenge never leaves the physical card.
While HSPD-12 is specific to government employees and contractors, there is nothing preventing private industry from adopting a similar approach. In fact, the FIDO (Fast Identity Online) Alliance was formed in 2012 and strives to improve the nature of online authentication and reduce reliance on passwords. OATH (Initiative for Open Authentication) is a similar industrywide collaboration to develop an architecture and open standards for strong authentication, although its widely deployed HOTP and TOTP one-time-password standards are themselves built on a symmetric seed shared between token and server. The FIDO Alliance now hosts the U2F (Universal 2nd Factor) standards that attempt to scale the benefits of smart card technology beyond government and enterprises to every Internet user.
Data breaches will continue, and the continued use of only usernames and passwords is obviously not working. Will the federal government continue to lead by example via HSPD-12, and will private industry drive change through public key cryptography and standards like U2F? With comprehensive adoption, this combination has the potential to eliminate mass password breaches, because there would be no shared secret on the server left to steal.
But until this happens, expect to see more headlines on compromised account credentials. If you can’t find any news on the most recent password breach today, you’re not looking very hard.