Language Selection

English French German Italian Portuguese Spanish

Voluntary Disclosure Is the Threat to Password Security

Filed under
Security

Computers can remember complex bits of data effortlessly, but people routinely fumble that task. Naturally, one of the big trends in computing security is making users memorize complex passwords -- then regularly wipe those from their memory in favor of equally obscure replacements.

To judge from the stern advice handed out by banks, Internet providers and information technology departments -- often, I suspect, after prodding by accounting departments and liability lawyers who don't want to be blamed for a security breach -- computer security hinges almost entirely on you choosing a string of letters, numbers and symbols in an order that has no correlation to any word or phrase that has ever been spoken or written in English or any other language.

That's fiction. First, while avoiding obvious passwords still constitutes a common-sense defense, that won't stop most password theft attempts these days. Second, forcing people to choose the most obscure passwords possible, then choose new ones every few months, is more likely to grease the skids for a successful compromise of those users' accounts.

This is because passwords aren't stolen in ways you might expect; a bad guy doesn't sit down in front of your computer and start typing in guess after guess until he succeeds. In the real world, accounts are usually cracked in two ways -- only one of which can be slowed or stopped by the use of a sufficiently inscrutable password.

One is to get access to the computer that stores users' login info. If the master password file stored on that machine is encrypted -- it should be, but sometimes is not -- the attacker then runs a password-cracking program to break that encoding. Otherwise, he or she can read the file as-is.

The other method relies on someone surrendering a password voluntarily. For example, an attacker can hide a program on a victim's computer to record each tap of the keyboard -- often by exploiting an old, long-since-patched vulnerability in Windows or by hiding the "keystroke logger" in a tempting download.

Or the attacker can just ask nicely for the password -- what's called "social engineering." The victims can be technical staff at a bank or an Internet provider who get a call from somebody claiming to be a colleague elsewhere in the company. Or the victims can be individual users who receive "phishing" e-mails imploring them to verify their account information by clicking on a link to a phony Web site done up to appear like that of a trusted institution.

The quality of a password matters only against the first type of attack -- the brute-force, code-breaking assault, which will hit pay dirt more quickly if stored passwords appear in dictionaries.

That's why security experts tell password creators to avoid using real words or names, even when altered by substituting letters with similar-looking numbers or symbols (for example, replacing "i" with "!" or "1"). One common suggestion is to use words only as ingredients -- say, by combining the first letters of names of friends or titles of favorite books.
But if an attacker employs keystroke logging or social engineering, it doesn't matter whether your password is "password" or "92nkkcx-j1!" Even the most inscrutable login offers no defense against those tactics -- which are what most attackers seem to employ these days.

"If you go back 10 years ago, password cracking was the way to do things," said Marty Lindner, a senior member of the technical staff at the CERT Coordination Center, the network-security center founded at Carnegie Mellon University in 1988. Now, however, he said that phishing and other social engineering attacks are "far more prevalent, far more devastating than anything else."

Granted, getting actual numbers on how people's accounts were broken into is difficult -- few institutions want to discuss how some teenage hacker managed to own them. But there's no arguing that phishing and spyware attacks are only getting worse, and understandably so; why should an Internet con artist waste time mastering password-cracking routines when there are smoother roads into the bank vault?

And yet too many companies seem content to rely on password Puritanism as their response. Sometimes it's just silly -- for example, when some newspaper sites force readers to choose passwords with at least one number.

But more often, it's self-defeating. When users are pushed to remember too-obscure passwords, they'll start writing them down on Post-It notes stuck to a monitor or (worse yet) start reusing passwords among multiple high-value accounts. Worst of all is the policy of some companies and financial institutions to require users to change passwords every 30 or 90 days.

Not only do those periods still offer more than enough time for a minimally competent hacker to swipe an account login, the regular changing of passwords can easily soften up people for social engineering attacks.

Think of what happens every time a user must change a password -- or inevitably forgets the login of the month or the quarter: They'll have to go to a Web page or call up a help desk to get the password reset. That interaction represents a regularly scheduled opportunity for an attacker to try to step in and impersonate either party.

A few weeks ago, confronted by an obscure Web-mail login subject to one of these inane password-expiration rules, I called the support number listed on that site to have my password reset. (No, I won't name the firm involved). I expected to have the new login e-mailed to me -- but instead the helpful fellow on the other end of the line just read it to me over the phone, making no attempt to verify my identity.

If I'd been interested in stealing access to somebody else's account, I could have had a lot of fun. Instead, I could only wonder why we keep wasting our time with these illusory measures.
There are real problems with network security these days. But treating customers as if they were reprogrammable robots won't solve any of them.

By Rob Pegoraro.

More in Tux Machines

today's leftovers

  • MX Linux Review of MX-17 – For The Record
    MX Linux Review of MX-17. MX-17 is a cooperative venture between the antiX and former MEPIS Linux communities. It’s XFCE based, lightning fast, comes with both 32 and 64-bit CPU support…and the tools. Oh man, the tools available in this distro are both reminders of Mepis past and current tech found in modern distros.
  • Samsung Halts Android 8.0 Oreo Rollouts for Galaxy S8 Due to Unexpected Reboots
    Samsung stopped the distribution of the Android 8.0 Oreo operating system update for its Galaxy S8 and S8+ smartphones due to unexpected reboots reported by several users. SamMobile reported the other day that Samsung halted all Android 8.0 Oreo rollouts for its Galaxy S8/S8+ series of Android smartphones after approximately a week since the initial release. But only today Samsung published a statement to inform user why it stopped the rollouts, and the cause appears to be related to a limited number of cases of unexpected reboots after installing the update.
  • Xen Project Contributor Spotlight: Kevin Tian
    The Xen Project is comprised of a diverse set of member companies and contributors that are committed to the growth and success of the Xen Project Hypervisor. The Xen Project Hypervisor is a staple technology for server and cloud vendors, and is gaining traction in the embedded, security and automotive space. This blog series highlights the companies contributing to the changes and growth being made to the Xen Project and how the Xen Project technology bolsters their business.
  • Initial Intel Icelake Support Lands In Mesa OpenGL Driver, Vulkan Support Started
    A few days back I reported on Intel Icelake patches for the i965 Mesa driver in bringing up the OpenGL support now that several kernel patch series have been published for enabling these "Gen 11" graphics within the Direct Rendering Manager driver. This Icelake support has been quick to materialize even with Cannonlake hardware not yet being available.
  • LunarG's Vulkan Layer Factory Aims To Make Writing Vulkan Layers Easier
    Introduced as part of LunarG's recent Vulkan SDK update is the VLF, the Vulkan Layer Factory. The Vulkan Layer Factory aims to creating Vulkan layers easier by taking care of a lot of the boilerplate code for dealing with the initialization, etc. This framework also provides for "interceptor objects" for overriding functions pre/post API calls for Vulkan entry points of interest.

Logstash 6.2.0 Released, Alfresco Grabbed by Private Equity Firm

  • Logstash 6.2.0 Release Improves Open Source Data Processing Pipeline
    The "L" in the ELK stack gets updated with new features including advanced security capabilities. Many modern enterprises have adopted the ELK (Elasticsearch, Logstash, Kibana) stack to collect, process, search and visualize data. At the core of the ELK stack is the open-source Logstash project which defines itself as a server-side data processing pipeline - basically it helps to collect logs and then send them to a users' "stash" for searching, which in many cases is Elasticsearch.
  • Alfresco Software acquired by Private Equity Firm
    Enterprise apps company taken private in a deal that won't see a change in corporate direction. Alfresco has been developing its suite of Enterprise Content Management (ECM) and Business Process Management (BPM) technology since the company was founded back in June of 2005. On Feb. 8, Alfresco announced that it was being acquired by private equity firm Thomas H. Lee Partners (THL). Financial terms of the deal are not being publicly disclosed.

Servers and GPUs: Theano, DevOps, Kubernetes, AWS

  • Open Source Blockchain Computer Theano
    TigoCTM CEO Cindy Zimmerman says “we are excited to begin manufacturing our secure, private and open source desktops at our factory in the Panama Pacifico special economic zone. This is the first step towards a full line of secure, blockchain-powered hardware including desktops, servers, laptops, tablets, teller machines, and smartphones.” [...] Every component of each TigoCTM device is exhaustively researched and selected for its security profile based especially on open source hardware, firmware, and software. In addition, devices will run the GuldOS operating system, and open source applications like the Bitcoin, Ethereum and Dash blockchains. This fully auditable stack is ideal for use in enterprise signing environments such as banks and investment funds.
  • Enterprises identify 10 essential tools for DevOps [Ed: "Source code repository" and other old things co-opted to promote the stupid buzzword "devops"]
    Products branded with DevOps are everywhere, and the list of options grows every day, but the best DevOps tools are already well-known among enterprise IT pros.
  • The 4 Major Tenets of Kubernetes Security
    We look at security from the perspective of containers, Kubernetes deployment itself and network security. Such a holistic approach is needed to ensure that containers are deployed securely and that the attack surface is minimized. The best practices that arise from each of the above tenets apply to any Kubernetes deployment, whether you’re self-hosting a cluster or employing a managed service. We should note that there are related security controls outside of Kubernetes, such as the Secure Software Development Life Cycle (S-SDLC) or security monitoring, that can help reduce the likelihood of attacks and increase the defense posture. We strongly urge you to consider security across the entire application lifecycle rather than take a narrow focus on the deployment of containers with Kubernetes. However, for the sake of brevity, in this series, we will only cover security controls within the immediate Kubernetes environment.
  • GPUs on Google’s Kubernetes Engine are now available in open beta
    The Google Kubernetes Engine (previously known as the Google Container Engine and GKE) now allows all developers to attach Nvidia GPUs to their containers. GPUs on GKE (an acronym Google used to be quite fond of, but seems to be deemphasizing now) have been available in closed alpha for more than half a year. Now, however, this service is in beta and open to all developers who want to run machine learning applications or other workloads that could benefit from a GPU. As Google notes, the service offers access to both the Tesla P100 and K80 GPUs that are currently available on the Google Cloud Platform.
  • AWS lets users run SAP apps directly on SUSE Linux
  • SUSE collaborates with Amazon Web Services toaccelerate SAP migrations

Chrome and Firefox

  • The False Teeth of Chrome's Ad Filter.
    Today Google launched a new version of its Chrome browser with what they call an "ad filter"—which means that it sometimes blocks ads but is not an "ad blocker." EFF welcomes the elimination of the worst ad formats. But Google's approach here is a band-aid response to the crisis of trust in advertising that leaves massive user privacy issues unaddressed. Last year, a new industry organization, the Coalition for Better Ads, published user research investigating ad formats responsible for "bad ad experiences." The Coalition examined 55 ad formats, of which 12 were deemed unacceptable. These included various full page takeovers (prestitial, postitial, rollover), autoplay videos with sound, pop-ups of all types, and ad density of more than 35% on mobile. Google is supposed to check sites for the forbidden formats and give offenders 30 days to reform or have all their ads blocked in Chrome. Censured sites can purge the offending ads and request reexamination. [...] Some commentators have interpreted ad blocking as the "biggest boycott in history" against the abusive and intrusive nature of online advertising. Now the Coalition aims to slow the adoption of blockers by enacting minimal reforms. Pagefair, an adtech company that monitors adblocker use, estimates 600 million active users of blockers. Some see no ads at all, but most users of the two largest blockers, AdBlock and Adblock Plus, see ads "whitelisted" under the Acceptable Ads program. These companies leverage their position as gatekeepers to the user's eyeballs, obliging Google to buy back access to the "blocked" part of their user base through payments under Acceptable Ads. This is expensive (a German newspaper claims a figure as high as 25 million euros) and is viewed with disapproval by many advertisers and publishers.
  • Going Home
  • David Humphrey: Edge Cases
  • Experiments in productivity: the shared bug queue
    Over the next six months, Mozilla is planning to switch code review tools from mozreview/splinter to phabricator. Phabricator has more modern built-in tools like Herald that would have made setting up this shared queue a little easier, and that’s why I paused…briefly
  • Improving the web with small, composable tools
    Firefox Screenshots is the first Test Pilot experiment to graduate into Firefox, and it’s been surprisingly successful. You won’t see many people talking about it: it does what you expect, and it doesn’t cover new ground. Mozilla should do more of this.