Page233
Passwords
Passwords have been the cornerstone of access control for IT systems: they are cheap and relatively easy to implement. Many online banking, stock portfolio, private Web mail, and healthcare systems still use a user name and password as their only access control.
There are four types of passwords to consider when implementing access controls: static passwords, passphrases, one-time passwords, and dynamic passwords.
- Static passwords are reusable passwords that may or may not expire. They are typically user-generated and work best when combined with a second authentication factor, such as a smart card or a biometric control.
- Passphrases are long static passwords made up of the words of a phrase or sentence. An example of a passphrase is: “I will pass the CISSP® in 6 months!” Passphrases may be made stronger by using nonsense words (replacing CISSP® with “XYZZY” in the previous passphrase, for example), by mixing case, and by adding numbers and symbols.
Passphrases usually have less randomness per character than shorter complex passwords (such as “B$%Jiu*!”), but make up for it with length. Most people find passphrases easier to type and remember than short complex passwords: we are used to typing sentences. Passphrases therefore offer a reasonable tradeoff between security and ease of use: many users are tempted to write down a highly complex password, but can remember a passphrase. One caveat: a passphrase that is a well-known quotation, lyric or proverb gains little from its length, because attackers try lists of common phrases just as they try dictionaries of words; the nonsense-word substitution above is what defeats that. And any static password is inherently limited, regardless of length or complexity: it may be stolen and reused.
- One-time passwords are valid for a single authentication and cannot be reused, which makes them very secure against credential theft and replay, but harder to manage: each value must be generated and delivered to the user ahead of use, and the verifier must track which values have already been consumed.
- Dynamic passwords change at regular intervals. RSA Security makes a synchronous token device called SecurID that generates a new token code every 60 seconds; “synchronous” means the token and the authentication server each compute the code from a shared seed and the current time, so their clocks must stay in step. The user combines a static PIN with the current token code to form a dynamic password that is different every time it is used. One drawback of dynamic passwords is the expense of the tokens themselves.
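The passphrase entry above claims that a passphrase has less randomness per character than a short complex password but more in total. The following added example (not code from the book) puts numbers on that claim for the page's own two strings, scoring the short password under the brute-force character-class model that “complexity” rules assume and the passphrase under a word-list model (7776 words, the size of a Diceware list, is an assumption of the example; the registered-trademark sign is dropped from the passphrase so it stays plain ASCII):

```python
import math
import string

# Character classes of the brute-force model that "complexity" rules assume:
# if any member of a class appears, the attacker must enumerate the whole class.
CLASS_SIZES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32 printable ASCII symbols
    "space": {" "},                         # 1
}


def charset_bits(password: str) -> float:
    """Bits of entropy if every character were chosen uniformly from the union of
    the character classes present. Characters outside the classes above each
    enlarge the alphabet by one (an assumption of this example)."""
    alphabet = 0
    for members in CLASS_SIZES.values():
        if any(ch in members for ch in password):
            alphabet += len(members)
    alphabet += len({ch for ch in password
                     if not any(ch in m for m in CLASS_SIZES.values())})
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def wordlist_bits(passphrase: str, words_in_list: int = 7776) -> float:
    """Bits of entropy if the attacker guesses whole words from a list of the
    given size instead of individual characters. Tokens are split on whitespace,
    so digits and punctuation ride along with the word they are attached to."""
    return len(passphrase.split()) * math.log2(words_in_list)


def compare(password: str, passphrase: str) -> dict:
    """Total bits and bits per character for a short complex password (character
    model) and a passphrase (word model)."""
    pw_total = charset_bits(password)
    pp_total = wordlist_bits(passphrase)
    return {
        "password": {"total_bits": round(pw_total, 1),
                     "bits_per_char": round(pw_total / len(password), 2)},
        "passphrase": {"total_bits": round(pp_total, 1),
                       "bits_per_char": round(pp_total / len(passphrase), 2)},
    }


if __name__ == "__main__":
    # The page's own two examples, scored under the model appropriate to each.
    print(compare("B$%Jiu*!", "I will pass the CISSP in 6 months!"))
```

For “B$%Jiu*!” the alphabet is 26 + 26 + 32 = 84 symbols, giving about 6.4 bits per character and 51 bits in all; the passphrase scores only about 3 bits per character under the word model, yet its eight words add up to roughly 103 bits. The word model only holds if the words were chosen independently; a quotation the attacker can find in a phrase list is worth far less than the count suggests.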
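The one-time and dynamic password entries above describe a time-synchronous token code combined with a static PIN. The following added example (not the book's code, and not RSA's SecurID algorithm, which is proprietary) shows the open equivalent: HOTP (RFC 4226) and TOTP (RFC 6238) with a 60-second step, plus the server-side check that makes the code genuinely one-time by refusing any counter value already consumed. The 20-byte seed is the published RFC test secret, used only so the codes can be checked against the RFC tables; the PIN, class and function names are this example's own:

```python
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then the
    'dynamic truncation' that picks 31 bits and reduces them to decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 60, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of 'step' seconds elapsed
    since the Unix epoch. A 60-second step mimics the SecurID cadence in the text."""
    return hotp(secret, at // step, digits)


class TokenVerifier:
    """Server side of 'PIN + token code'. The PIN is something the user knows and
    the code proves possession of the seed, so the two together are two factors.
    The verifier tolerates 'drift' steps of clock skew and never accepts a counter
    value at or below the last one accepted, which is what makes a code one-time."""

    def __init__(self, secret: bytes, pin: str, step: int = 60,
                 digits: int = 6, drift: int = 1):
        self.secret, self.pin = secret, pin
        self.step, self.digits, self.drift = step, digits, drift
        self.last_counter = -1

    def verify(self, dynamic_password: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        if len(dynamic_password) != len(self.pin) + self.digits:
            return False
        pin, code = dynamic_password[:len(self.pin)], dynamic_password[len(self.pin):]
        # Constant-time comparisons so a wrong PIN or code is not leaked by timing.
        if not hmac.compare_digest(pin.encode(), self.pin.encode()):
            return False
        counter = now // self.step
        for candidate in range(counter - self.drift, counter + self.drift + 1):
            if candidate <= self.last_counter:
                continue  # already consumed, or older than one we accepted: replay
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_counter = candidate
                return True
        return False


def demo() -> tuple:
    """Walks the accept / replay / wrong-PIN cases. The seed is the RFC 4226 test
    secret, used here only because its codes are published; never reuse it."""
    secret = b"12345678901234567890"
    verifier = TokenVerifier(secret, pin="1234")
    code = totp(secret, 120)                          # counter 2 -> "359152"
    accepted = verifier.verify("1234" + code, 120)    # first use: accepted
    replayed = verifier.verify("1234" + code, 130)    # same code, same step: refused
    wrong_pin = verifier.verify("0000" + totp(secret, 180), 180)
    return accepted, replayed, wrong_pin


if __name__ == "__main__":
    print(demo())
```

The replay check is the part implementations most often omit: without `last_counter`, a code captured by a phishing page stays valid for the whole step plus the drift window, and the “one-time” property exists only on paper.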
Multifactor Authentication (MFA)
Multifactor authentication (MFA) requires the user to present more than one factor to prove their identity. It stands in contrast to classic single-factor authentication, which requires only one. The most common, and still ubiquitous, approach requires nothing more than a user name for identification and the password associated with that account. Attackers have developed numerous and highly successful techniques against password-only authentication. There may be use cases where replacing the password with a different, but still single, factor materially increases security, but relying on any single factor is demonstrably less secure than migrating to MFA.
For a simple example of MFA, consider ATM or debit cards. A user can withdraw money from their bank account with the card, but in addition to possessing the card (something they have) they must also enter the correct PIN (something they know). This defeats attacks that compromise only one factor: an attacker who has observed the PIN but does not hold the card cannot withdraw money, and neither can an attacker who has cloned the card but does not know the PIN. Even a four-digit PIN, which allows only 10,000 guesses and would be trivial to brute-force on its own, becomes an effective control when it is paired with physical possession and with the lockout ATMs impose after a few wrong entries.
Given the prevalence of attack techniques targeting passwords, some of which are discussed below, migrating to MFA is an extremely valuable security control. However, not all MFA implementations improve security posture equally. The factors must be of different types (something you know, something you have, something you are): a password plus a security question are two instances of the same type, form a two-step single-factor scheme, and fall to the same attack. Beyond that, best practice is to pair factors that an adversary is unlikely to subvert simultaneously with one technique. Further, as organizations adopt MFA, adversaries have shifted effort toward compromising the additional factor rather than the static password.
When implementing or updating your organization’s approach to MFA, consider the attack surface of the additional factors. Any MFA is a large improvement over password-only authentication, but one-time passwords delivered by SMS or email are among the weakest options: SMS codes can be diverted by SIM swapping or interception on the mobile network, email codes are only as strong as the mailbox they land in, and either kind, like codes from an authenticator app, can be relayed in real time by a phishing proxy that forwards the victim’s code to the genuine site. Authenticators that bind the response to the site’s origin, such as FIDO2/WebAuthn security keys, are not fooled by that relay and are the factor to prefer where they can be deployed.