
IFSEC Insider, formerly IFSEC Global, is the leading online community and news platform for security and fire safety professionals.
June 12, 2012


Is the password about to die?

Last week was a terrible one for password breaches. First LinkedIn revealed that 6.5 million password hashes had been posted online. Hot on the heels of that revelation came the news that online dating website eHarmony and streaming music site Last.fm had suffered similar breaches.

Are these breaches a surprise? No, not really. Websites entice customers by offering compelling features and services, and those customers are rarely willing or able to compare the security properties of competing services.

Even if a website uses SSL to protect a password in transit, the plaintext password is typically exposed on web servers and datacentre networks every time the user supplies it, because the server must receive it and hash it before it can be compared with the stored value.

Compromising edge-of-network web servers

Attackers often merely need to compromise an edge-of-network web server with malware to capture every password as it is submitted, or to steal the stored password hashes. They may deliberately target what they perceive to be lower-security social media services, knowing that the same password often grants access to higher-value services such as retail or banking.

Indeed, the banks have known this for a long time: this is why they prompt for randomly selected characters rather than the whole password, and rely on a wide range of security questions or one-time password (OTP) tokens. Partial-password prompting has a cost of its own, though: the server must be able to check individual characters, so the password cannot be stored purely as a one-way hash and the stored form needs correspondingly strong protection.

It gets worse. ‘Hashing’ a password means passing the plaintext through a one-way function that produces a fixed-size digest from which the original cannot easily be recovered. That one-way property is what makes hashing useful for storing passwords: instead of storing a user’s actual password, you store the hash and, at logon, hash whatever the user submits and compare the two.

Some websites originally used the legacy MD5 algorithm to hash passwords. Advances in cryptanalysis and computing power mean that hashing algorithms must periodically be replaced by newer, stronger ones. MD5 has been widely considered broken for around a decade, yet not all websites have upgraded even to SHA-1, which is itself being phased out in favour of the SHA-2 family.

Are stronger algorithms enough?

Even a stronger algorithm alone is not enough. ‘Salting’ adds a further layer of security by hashing the password together with a random value that is unique to each user and stored alongside the hash. Two users with the same password then produce different hashes, precomputed lookup tables become useless, and every account has to be cracked separately. Unfortunately, some of the breached services (and doubtless many others) have not employed this technique.

Websites can upgrade weakly hashed passwords by storing a freshly hashed version the next time each user logs in, since that is the only moment the plaintext is available to the server. While this is good practice, special care is still required to ensure that every copy of the weak hash, including those held in backups and database replicas, is securely erased.

Techniques to improve security include the following:

  • prompt users for parts of their password rather than the entire phrase
  • better still, minimise reliance on, and exposure of, passwords through techniques such as two-factor authentication, certificate-based authentication or OAuth backed by strong cryptography
  • deploy a dedicated authentication service to ensure passwords and their hashed representations are exposed in the minimum number of locations and can be securely erased when they’re no longer required
  • encrypt stored hashes using techniques such as transparent database encryption with HSM-based key management, to prevent theft of the hashes and to simplify the secure destruction of old ones (destroying the key renders every copy of the encrypted hashes unreadable)
  • replace any legacy hashes with randomly salted SHA-2 (or at least SHA-1) representations at next user logon and, better still, apply a key stretching technique such as PBKDF2 or bcrypt to reduce the rate at which an attacker can test candidate passwords
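The points above about salting, key stretching and re-hashing at next logon are easier to see in code. The following is an added example written for this page, not code from the original article or from any vendor mentioned in it. It contrasts the unsalted MD5 storage that the breached sites relied on with a per-user salted, stretched PBKDF2-HMAC-SHA256 record, and shows a logon routine that upgrades a legacy record in place the moment the plaintext is available. The record format, iteration count and user table are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Added example (not from the original article). The on-disk record format
# and the work factor below are illustrative assumptions.
PBKDF2_ITERATIONS = 200_000   # stretching factor; raise it as hardware gets faster
SALT_BYTES = 16               # 128-bit random salt, generated per user


def legacy_md5(password: str) -> str:
    """The weak scheme the article criticises: unsalted, fast MD5.
    Every user with the same password gets the same record."""
    return "md5$" + hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, key-stretched record in a self-describing format:
    pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>
    Storing the parameters with the hash lets the work factor be raised later."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, stored: str) -> bool:
    """Check a submitted password against either record type.
    hmac.compare_digest avoids leaking the match position through timing."""
    scheme, _, rest = stored.partition("$")
    if scheme == "md5":
        candidate = hashlib.md5(password.encode("utf-8")).hexdigest()
        return hmac.compare_digest(candidate, rest)
    if scheme == "pbkdf2_sha256":
        iterations, salt_hex, digest_hex = rest.split("$")
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(candidate.hex(), digest_hex)
    return False   # unknown scheme: fail closed


def needs_upgrade(stored: str) -> bool:
    """True for legacy MD5 records and for PBKDF2 records below the current work factor."""
    scheme, _, rest = stored.partition("$")
    if scheme != "pbkdf2_sha256":
        return True
    return int(rest.split("$")[0]) < PBKDF2_ITERATIONS


def login(users: Dict[str, str], username: str, password: str) -> bool:
    """Authenticate and, on success, replace a weak record with a fresh one.
    The plaintext is only in hand at logon, so this is the only moment the
    legacy hash can be upgraded. The old record is overwritten in place; in a
    real deployment, backups and replicas holding the old value still need
    secure erasure, as the article notes."""
    stored = users.get(username)
    if stored is None or not verify(password, stored):
        return False
    if needs_upgrade(stored):
        users[username] = pbkdf2_hash(password)
    return True


if __name__ == "__main__":
    # Constructed user table: two accounts that happen to share a password.
    users = {"alice": legacy_md5("correcthorse"), "bob": legacy_md5("correcthorse")}
    print("legacy records identical:", users["alice"] == users["bob"])
    login(users, "alice", "correcthorse")
    login(users, "bob", "correcthorse")
    print("upgraded records identical:", users["alice"] == users["bob"])
    print("alice record:", users["alice"])
```

The first line of output is `True` and the second `False`: once each account carries its own salt, an attacker who steals the table can no longer crack both accounts with a single guess or look the digests up in a precomputed table, and each guess now costs 200,000 HMAC-SHA256 computations instead of one MD5.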

As we move towards smartphones and tablets, where apps are able to store credentials on behalf of users, we are finding that we all use our passwords less: perhaps only to authorise higher-value transactions or to enrol new devices.

However, in a world where the relationship between customers and service providers is increasingly spontaneous, passwords will remain a convenient catch-all credential until identity federation becomes ubiquitous.

To be truthful, it’s time for all of us to think much more carefully about how we protect both our own passwords and those of others we serve.

Mark Knight is director of product management at Thales e-Security
