Passwords are today's keys

I’ve been thinking once again about how we go about identifying ourselves throughout the day. Or, to be more precise about it, how we go about authenticating our assertion of identity. For all the research and development that has gone into multi-factor identification, we seem to still be horribly reliant on username and password combinations in even critical systems. Much as I would like to pontificate on why we should change now, I know that the forces of inertia will keep things much as they are for the time being.

Which brings me to the point of this missive: password lockouts and other password management business. I was reading a very cogent article written by a friend of mine, Alec Muffett, on why “Three-Strikes” password security is not a very good idea, when it occurred to me how many best practices guides list this very control as “essential” in the world of corporate and government information security management policy.

I’d like to focus for a moment on just a couple of these points in the light of availability, because they’re on my mind:

• Minimum password complexity
• Account locking after a certain number of failed authentication attempts

Now, it’s worth recalling that one of the key precepts of computer systems is that the system should afford users a level of availability that is sufficient for the operating environment. However, I believe that these two bread-and-butter controls can so adversely affect availability as to be unusable in production environments.

Minimum password complexity stresses countering brute force attacks from password guessing and yet does not consider, in most cases, the limits of human memory. Who would want to try to even remember a random password? Instead, users write them down, which is a horrible breach of security in most settings.

While password techniques such as pronounceable passwords and passwords made up of natural language words strung together have been around for a while, the not-so-new innovation of using passphrases seems to be a superior alternative. In addition, recent experiences relating to modern web services show that graphical aids like “strength meters” and “password quality scores” can help users do the right thing without hitting them over the head with a stick.

Account locking is an invitation to denial of service attacks. Now, I feel pretty strongly about this, realizing of course that there are some operational environments where account locking is a must (such as in legacy systems where no brute force attack monitoring is possible).  However, in the general case account locking is a high cost operation that generates needless calls to software support centers. And from a technical perspective it is terrible, because modern authentication systems frequently use multiple authoritative databases against which to confirm credentials.  If the access credential data are, by dint of network architecture, stored in multiple locations, how is the system to keep an accurate track of how many times, and when, incorrect credentials were supplied?  Doing so would, in fact, fly in the face of the entire distributed nature of the system.

Which simply begs the question, why don’t we just move on to 2-factor authentication (2FA) everywhere?  It’s not a panacea, to be sure, but it’s a damn sight better than the state we’re in today.

I recommend you read Alec’s in-depth article on why many contemporary password management policies are flawed to the core.

Credits: Image of keys by Everaldo Coelho and used under the terms of the LGPL.

I should say a word about FIRST, a non-profit professional organization on whose board of directors I presently sit. I began my association with FIRST in its early years, when I was involved with computer security for a product line at Sun Microsystems. Since then, we have seen more and more emphasis put on how to react to security breaches of various kinds.  But FIRST is an unique organization, bringing together incident responders from across the globe in a common forum.  If you’re interested in learning more about FIRST, its annual conference, and the other work it does, by all means visit www.first.org.

Although this kind of security separation has historically been weak on personal computers, recent attempts to strengthen them in modern operating systems, such as Microsoft Windows Vista, have given rise to thinking about new kinds of attacks that could compromise computers in a protection ring even more central than the operating system itself. So it came as no real surprise to me that researchers recently attending the CanSecWest 2009 conference described a suite of tools and techniques that can totally compromise the BIOS of a computer, rendering all the additional security in the world ineffective.

This is a bit like the analogy of spending a large amount of money on an bank-grade bolt for a door that is hung on a weak door frame. The lock works perfectly well, but a burglar could easily enter by breaking the hinges from their mount. In computer security terms, even if we apply state-of-the-art operating system security techniques, a system whose “ring 0″ protections have been thwarted can be made entirely insecure.

This is not an easy problem to resolve, particularly in businesses that have large number of IT assets, such as laptop computers, in the hands of employees who typically show little interest in the security concerns of their employers. While we might expect hardware manufacturers to come to the rescue, the wide scale deployment of sanctioned remote access tools, such as Intel’s vPro framework, which allows for remote access at layers beneath the operating system, leave data owners skeptical of even highly diligent efforts to secure systems that are connected to public networks.

References:
Researchers unveil persistent BIOS attack methods, ThreatPost
Saavy hackers take the hardware approach, SearchSecurity.com

I remember going to my very first FIRST annual conference in Monterrey, Mexico, back in 1998. At that time, I was an an official representative for Sun Microsystems to the organization and was amazed by the level of international participation. Since then, interest in computer security incident handling has grown exponentially, and therefore the breadth of the audience has become far more diverse, both in geography and in mission, than it was even ten years ago. I think that this change speaks volumes about the information security business, and I think it’s a trend to which we should pay close attention.

My goal is to set out what I think incident handling will mean in the context of cultural changes in the information security handling profession. After all, even the smallest of organizations is investing — willingly or not — in response measures to security threats. In the face of the present economic downturn, it will be very interesting to see how many companies will remain interested in computer security.  But because even the most Luddite of company executives sees the risk that comes along with ignoring the perils of information security, I doubt the lights in the IT security department will be going out anytime soon.

If you’re in the information security industry, I highly recommend the FIRST annual conference.  If you can make it, by all means please attend!