Tuesday, 14 February 2017

Passwords and usable security

Some notes on my exploration of password usability, password managers and two-factor authentication (2FA).
It appears we have a problem.
"Passwords are the most prevalent form of authentication in the digital age, and are the first line of defense against unauthorized access in most systems. Even if you are using some other form of authentication for a particular service, there’s still a password in the chain somewhere — it all comes back to relying on something somewhere being password-protected. But after 50 years of computing evolution, 123456 and password still top the list of most frequently used passwords. More than a billion passwords have been compromised in 2016, and we’ve seen breaches from companies such as Adobe, Twitter, Forbes, LinkedIn, Yahoo, LivingSocial, and Ashley Madison over the past years. Clearly, we have a systemic problem with password authentication – and it’s not going away any time soon."
We could just give up: 123456 is still the world's most popular password.
We could follow the money, as Ross Anderson suggests:
"Systems are often insecure because the people who guard them, or who could fix them, have insufficient incentives. Bank customers suffer when poorly-designed bank systems make fraud and phishing easier. Casino websites suffer when infected PCs run DDoS attacks on them. Insecurity is often what economists call an ‘externality’ – a side-effect, like environmental pollution."
We should start with Bruce Schneier. Why are we trying to fix the user instead of solving the underlying security problem? "We must stop trying to fix the user to achieve security. We'll never get there, and research toward those goals just obscures the real problems. Usable security does not mean 'getting people to do what we want.' It means creating security that works, given (or despite) what people do." John Podesta could not have used 'password' for his Google email account, because Google won't let folk do it.

The threats

What are the threats to passwords? UK government guidance lists the following:
Approaches to discovering passwords include:
  • social engineering, e.g. phishing; coercion
  • manual password guessing, perhaps using personal information ‘cribs’ such as name, date of birth, or pet names
  • intercepting a password as it is transmitted over a network
  • ‘shoulder surfing’, observing someone typing in their password at their desk
  • installing a keylogger to intercept passwords when they are entered into a device
  • searching an enterprise’s IT infrastructure for electronically stored password information
  • brute-force attacks; the automated guessing of large numbers of passwords until the correct one is found
  • finding passwords which have been stored insecurely, such as handwritten on paper and hidden close to a device
  • compromising databases containing large numbers of user passwords, then using this information to attack other systems where users have re-used these passwords.
It has been pointed out that this does not include "data breaches. No matter how good a password is, if the attackers bypass it by stealing personal data from poorly-protected databases, the technology becomes powerless. It is ridiculous that passwords and credit card numbers are encrypted but people’s personal data usually isn’t. Passwords are only one part of the issue."
Good real-world advice on threats for ordinary folk is to be found here:
There are a few ways your account passwords can be compromised.

  • Someone's out to get you. There are many people who might want to take a peek into your personal life. If these people know you well, they might be able to guess your e-mail password and use password recovery options to access your other accounts.
  • You become the victim of a brute-force attack. Whether a hacker attempts to access a group of user accounts or just yours, brute-force attacks are the go-to strategy for cracking passwords. These attacks work by systematically checking all possible passphrases until the correct one is found. If the hacker already has an idea of the guidelines used to create the password, this process becomes easier to execute.
  • There's a data breach. Every few months it seems another huge company reports a hacking resulting in millions of people's account information being compromised. And with the recent Heartbleed bug, many popular websites were affected directly.
The risks to the user clearly depend on the context of use, something that does not seem to be considered in the literature. Possible use cases could include:
  • A US Secretary of State who steps out of the SCIF to use her personal Blackberry.
  • A bitcoin miner whose mobile phone account is hijacked to exploit SMS 2FA.
  • A Cambridge Professor of Security Engineering who refuses to use online banking, with good reason:
"...if you fall victim to an online fraud the chances are you will never see your money again...one of the banks’ most extraordinary feats of recent years has been their ability to shift liability away from themselves and on to the customer – aided by a Financial Ombudsman Service (FOS) that they claim rarely challenges the banks following a fraud."
  • A journalist talking to dissidents in a dangerous country.
  • Grandma logging into Facebook while staying with her daughter.
  • Grandma wanting to put her online affairs in order for her estate.
  • A student wanting to prevent his flatmates using his pr0n account when he is out.
  • A businessman going to the toilet while doing online business with the free wi-fi in a coffee shop.
  • A Civil Servant wanting to do home banking while at the office.
  • An agency ICU nurse called in at short notice needing to look up patient records.
  • A homeless person using a mobile phone to claim benefits and pay bills.
  • Someone on a list entering the USA and being asked to provide their passwords.
The threat is clearly feasible, as Ars Technica's "How I became a password cracker" shows.
"At the beginning of a sunny Monday morning earlier this month, I had never cracked a password. By the end of the day, I had cracked 8,000. Even though I knew password cracking was easy, I didn't know it was ridiculously easy—well, ridiculously easy once I overcame the urge to bash my laptop with a sledgehammer and finally figured out what I was doing."
For cracking experts, it is frighteningly easy:
The ease these three crackers had converting hashes into their underlying plaintext contrasts sharply with the assurances many websites issue when their password databases are breached. ...The prowess of these three crackers also underscores the need for end users to come up with better password hygiene. Many Fortune 500 companies tightly control the types of passwords employees are allowed to use to access e-mail and company networks, and they go a long way to dampen crackers' success.

"On the corporate side, it's so different," radix said. "When I'm doing a password audit for a firm to make sure password policies are properly enforced, it's madness. You could go three days finding absolutely nothing."... As Ars explained recently, the problem with password strength meters found on many websites is they use the total number of combinations required in a brute-force crack to gauge a password's strength. What the meters fail to account for is that the patterns people employ to make their passwords memorable frequently lead to passcodes that are highly susceptible to much more efficient types of attacks.

"You can see here that we have cracked 82 percent [of the passwords] in one hour," Steube said. "That means we have 13,000 humans who did not choose a good password." When academics and some websites gauge susceptibility to cracking, "they always assume the best possible passwords, when it's exactly the opposite. They choose the worst."

The state of guidance

I looked around for guidance that ordinary non-geeky folk might find and use. The state of guidance is: hmmm. A critical issue is lecturing folk about 'strong passwords'. Given the material above, what would a strong password look like? Some serious explaining is required. From a beginner's standpoint, these two pieces from Good Housekeeping aren't great, and neither is this one from Saga.
This from CNET looks good, but would folk find it?
This from Money Saving Expert has some interesting points, but it is hard for the lay person to evaluate the differences from other experts. The material from GetSafeOnline makes some assumptions about strong passwords, but has good points. This from the BBC has advice from Angela Sasse but is likely to be filed under "too difficult". All in all, the CNET advice looks good to me, but there is a real paucity of well-informed, actionable advice (apart from what folk might find from Bruce Schneier).
I leave the last words to Eleanor Saitta @Dymaxion: "... Increasingly believe teaching security tools without a comprehensive systems literacy foundation is harm reduction at best, maybe harmful".

Update: there is good material from Google here.
