Data breach epidemic shines spotlight on shared secrets


Comprehensive adoption of public key cryptography in two-factor authentication has the potential to completely eliminate mass password breaches.

Recent history has not been kind to businesses and consumers when it comes to Internet security.  From LinkedIn to Adobe to eBay, we continue to hear the same story:  X number of passwords/records leaked via company Y data breach.  According to Tripwire, the Adobe breach alone compromised over 234,000 accounts of military and government users.  While few can argue the extent of the problem, what do all of the data breaches really mean to password security, and what can agencies do about it?

At the root of the problem is the fact that passwords are nothing more than shared secrets.  Using a password creates a dependency on both the end user and the authentication mechanism that validates the password the user provides.  Both ends have a critical role in ensuring the password is maintained as a shared secret. 

Unfortunately, the authenticating party has to store a copy of the shared secrets in a data center somewhere. Even if proper security controls are designed and implemented from top to bottom, the nature of targeted attacks, operator error and software and hardware vulnerabilities (like the recent OpenSSL Heartbleed bug) prevent the total elimination of password breaches while the concept of shared secrets is in use.

Although the end user is typically not directly responsible for the mass password breaches we continue to see, the user does have a key responsibility as the other half of the shared secret model.  By taking a closer look at the recent breach data, we can get a good understanding of how responsible (or irresponsible) users are and, as a result, how effective user passwords are in protecting their accounts and other associated data. 

For example, “123456” and “password” are extremely poor password choices, yet these were still the most common passwords used on the Internet in 2013 according to SplashData.  Strong password practices may seem like common sense to security professionals, but typical end users do not usually understand the implications of using weak passwords. 

Online retailers also have a responsibility to enforce appropriate password policies to help protect their users.  However, most online retailers do not appear to be helping the cause, with 55 percent accepting known weak passwords such as “123456” and “password,” according to Dashlane. Its Personal Data Security Roundup further concludes that 64 percent of top U.S. e-commerce retailers have “highly questionable password policies.” 

Finally, while strong password length and complexity requirements make it more difficult to crack a given password via brute force, even extremely strong passwords can be exposed in a mass data breach. 

Given the recent history and recurring headlines of new data leaks, there is no reason to believe that the number of mass data breach events will decline anytime soon.  In fact, issues such as password reuse provide even more incentive to adversaries who can use compromised credentials, not only at the source of the breach but anywhere else where the same password may be used.  While there are ways to better secure passwords when they are the only authentication option available, even a password consisting of a long and completely pseudo-random string of alphanumeric and special characters in the hands of adversaries after a data breach means the shared secret may no longer be a secret.

Two-factor authentication

In an attempt to address the issues with passwords, there has been an increase in the availability and use of two-factor authentication.  Banks have been using some sort of two-factor authentication for some time, and many other Internet sites, such as email providers and social networking sites, now offer two-factor authentication as well.

Two-factor authentication should be used wherever available in lieu of passwords alone. However, it is important to realize that most two-factor implementations still rely on the concept of shared secrets; instead of one secret (a password), there is now a second secret as well. If both shared secrets are compromised as a result of one or more data breaches, the associated user accounts are also compromised. 

Many customers like Lockheed Martin learned this the hard way when RSA’s two-factor SecurID tokens were compromised in 2011.  While two factors are almost always better than one, this type of implementation is only effective if there is some level of certainty that all shared secrets will in fact remain secret.  Storing the multiple factors in multiple locations or data centers makes compromise more difficult, but sophisticated and persistent attackers can eventually reach their goal.  Additionally, these two-factor authentication approaches are also subject to man-in-the-middle attacks and provide little value to any system already compromised via other means.

So if usernames and passwords are no match for data breaches and most two-factor authentication approaches still rely on shared secrets, what else can be done to combat these ongoing data breaches? 

The critical technology is end-to-end security based on public key cryptography.  The federal government has been working on implementing smart cards as a second factor for nearly 10 years, though adoption rates are low. Homeland Security Presidential Directive 12 (HSPD-12) leverages public key cryptography embedded within the second-factor, personal identity verification (PIV) smart cards.  If implemented properly, public keys potentially exposed as a result of a data breach will be useless to an adversary without the corresponding private key stored within the physical card. 
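The contrast the article draws between a shared-secret second factor and a public-key one, as an added example that is not from the article or from any of the programs it names: the OTP seed is modelled as an HMAC key, the PIV/U2F credential as an Ed25519 key pair, and the breach, the captured login and the challenges are all constructed in the code.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Shared-secret factor (an OTP seed): the verifier must store the same
// bytes the user holds, so a leaked record is itself a usable credential.
func otpResponse(seed, challenge []byte) []byte {
	m := hmac.New(sha256.New, seed)
	m.Write(challenge)
	return m.Sum(nil)
}

// Public-key factor (PIV / U2F style): the verifier stores only the public
// key; the private key never leaves the card or token.
func verifySignature(storedPub ed25519.PublicKey, challenge, sig []byte) bool {
	return ed25519.Verify(storedPub, challenge, sig)
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// LeakedRecordStillAuthenticates enrolls one user under each scheme, then models
// a breach of the verifier database: whoever holds the leaked record answers a
// fresh challenge using that record alone (plus, for the public-key case, one
// signature captured from an earlier login). Returns (sharedLeakOK, pubLeakOK).
func LeakedRecordStillAuthenticates() (bool, bool) {
	seed := randomBytes(20)                            // constructed OTP seed
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)   // card-resident key pair
	leakedSeed, leakedPub := seed, pub                 // what the breach exposes
	capturedSig := ed25519.Sign(priv, randomBytes(32)) // old login, old challenge

	challenge := randomBytes(32) // verifier issues a new challenge after the breach
	sharedOK := hmac.Equal(otpResponse(seed, challenge), otpResponse(leakedSeed, challenge))
	pubOK := verifySignature(leakedPub, challenge, capturedSig)
	return sharedOK, pubOK
}

func main() {
	s, p := LeakedRecordStillAuthenticates()
	fmt.Printf("leaked OTP seed authenticates: %v\nleaked public key authenticates: %v\n", s, p)
}
```

The random per-login challenge is what makes the captured signature useless; a verifier that reused challenges would lose that property even with public keys.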

While HSPD-12 is specific to government employees and contractors, there is nothing preventing private industry from adopting a similar approach.  In fact, the FIDO (Fast Identity Online) Alliance was formed in 2012 and strives to improve the nature of online authentication and reduce reliance on passwords. And OATH (Initiative for Open Authentication) is a similar industrywide collaboration to develop an architecture and open standards for strong authentication. The FIDO Alliance now hosts the U2F (Universal 2nd Factor) standards that attempt to scale the benefits of smart card technology beyond government and enterprises to every Internet user. 

Data breaches will continue, and the continued use of only usernames and passwords is obviously not working.  Will the federal government continue to lead by example via HSPD-12, and will private industry drive change via the public key cryptography bandwagon and standards like U2F?  With comprehensive adoption, this combination has the potential to completely eliminate mass password breaches. 

But until this happens, expect to see more headlines on compromised account credentials. If you can’t find any news on the most recent password breach today, you’re not looking very hard.
