<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>sokasokasoka &#187; linkedin</title>
	<atom:link href="http://kurt.sauer.us/tag/linkedin/feed/" rel="self" type="application/rss+xml" />
	<link>https://kurt.sauer.us</link>
	<description>kurt&#039;s journey</description>
	<lastBuildDate>Sat, 26 Mar 2011 23:49:01 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Help! I locked my keys in the computer</title>
		<link>https://kurt.sauer.us/2010/06/future-passwords/</link>
		<comments>https://kurt.sauer.us/2010/06/future-passwords/#comments</comments>
		<pubDate>Wed, 09 Jun 2010 18:16:18 +0000</pubDate>
		<dc:creator>kurt</dc:creator>
				<category><![CDATA[technology]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[linkedin]]></category>

		<guid isPermaLink="false">http://kurt.sauer.us/?p=1634</guid>
		<description><![CDATA[For better or for worse, we presently rely very heavily on username/password combinations to identify ourselves to computers and other devices in our daily lives. Many -- perhaps most -- of these password management techniques are flawed, despite the fact that they show up in many so-called Best Practices guides. Although we should be moving rapidly toward 2-factor authentication, this note examines the problems with passwords as they exist today.]]></description>
			<content:encoded><![CDATA[<div id="attachment_1637" class="wp-caption alignright" style="width: 138px"><a href="http://kurt.sauer.us/wp-content/uploads/2010/06/Crystal_Clear_Password.png"><img class="size-full wp-image-1637 " title="Passwords" src="http://kurt.sauer.us/wp-content/uploads/2010/06/Crystal_Clear_Password.png" alt="Passwords" width="128" height="128" /></a><p class="wp-caption-text">Passwords are today&#39;s keys</p></div>
<p>I&#8217;ve been thinking once again about how we go about identifying ourselves throughout the day. Or, to be more precise about it, how we go about authenticating our assertion of identity. For all the research and development that has gone into multi-factor identification, we seem to still be horribly reliant on username and password combinations in even critical systems. Much as I would like to pontificate on why we should change <em>now,</em> I know that the forces of inertia will keep things much as they are for the time being.</p>
<p>Which brings me to the point of this missive: password lockouts and other password management business. I was reading <a title="“Three-Strikes” Password Security Considered Antiquated, Hazardous, Stupid and Wrong (opens in new window)" href="http://www.crypticide.com/article/42" target="_blank">a very cogent article</a> written by a friend of mine, Alec Muffett, on why &#8220;Three-Strikes&#8221; password security is not a very good idea, when it occurred to me how many best practices guides list this very control as &#8220;essential&#8221; in the world of corporate and government information security management policy.</p>
<p>I&#8217;d like to focus for a moment on just a couple of these points in the light of availability, because they&#8217;re on my mind:</p>
<ul>
<li>Minimum password complexity</li>
<li>Account locking after a certain number of failed authentication attempts</li>
</ul>
<p>Now, it&#8217;s worth recalling that one of the key precepts of computer systems is that the system should afford users a level of availability that is sufficient for the operating environment. However, I believe that these two bread-and-butter controls can so adversely affect availability as to be unusable in production environments.</p>
<p><strong>Minimum password complexity stresses countering brute force attacks</strong> from password guessing and yet does not consider, in most cases, the limits of human memory. Who would want to try to even remember a random password? Instead, users write them down, which is a horrible breach of security in most settings.</p>
<p>While password techniques such as pronounceable passwords and passwords made up of natural language words strung together have been around for a while, the not-so-new innovation of using passphrases seems to be a superior alternative. In addition, recent experiences relating to modern web services show that graphical aids like &#8220;strength meters&#8221; and &#8220;password quality scores&#8221; can help users do the right thing without hitting them over the head with a stick.</p>
<p><strong>Account locking is an invitation to denial of service attacks.</strong> Now, I feel pretty strongly about this, realizing of course that there are some operational environments where account locking is a must (such as in legacy systems where no brute-force attack monitoring is possible). However, in the general case account locking is a high-cost operation that generates needless calls to software support centers. And from a technical perspective it is terrible, because modern authentication systems frequently use multiple authoritative databases against which to confirm credentials. If the access credential data are, by dint of network architecture, stored in multiple locations, how is the system to keep an accurate track of how many times, and when, incorrect credentials were supplied? Doing so would, in fact, fly in the face of the entire distributed nature of the system.</p>
<p>Which simply begs the question, why don&#8217;t we just move on to 2-factor authentication (2FA) everywhere?  It&#8217;s not a panacea, to be sure, but it&#8217;s a damn sight better than the state we&#8217;re in today.</p>
<p>I recommend you read Alec&#8217;s <a title="“Three-Strikes” Password Security Considered Antiquated,  Hazardous, Stupid and Wrong (opens in new window)" href="http://www.crypticide.com/article/42" target="_blank">in-depth article</a> on why many contemporary password management policies are flawed to the core.</p>
<hr />
<p><em>Credits: Image of keys by Everaldo Coelho and used under the terms of the <a title="Lesser GNU Public License (opens in new window)" href="http://en.wikipedia.org/wiki/GNU_Lesser_General_Public_License" target="_blank">LGPL</a>.</em></p>
]]></content:encoded>
			<wfw:commentRss>https://kurt.sauer.us/2010/06/future-passwords/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Teppanyaki, a culinary treat</title>
		<link>https://kurt.sauer.us/2009/11/teppanyaki-kyoto/</link>
		<comments>https://kurt.sauer.us/2009/11/teppanyaki-kyoto/#comments</comments>
		<pubDate>Sat, 07 Nov 2009 04:03:24 +0000</pubDate>
		<dc:creator>kurt</dc:creator>
				<category><![CDATA[cuisine]]></category>
		<category><![CDATA[Kyoto]]></category>
		<category><![CDATA[linkedin]]></category>

		<guid isPermaLink="false">http://kurt.sauer.us/?p=716</guid>
		<description><![CDATA[Last night I went along with friends to dinner at the Gozanbou teppanyaki restaurant on the top floor of the Kyoto Granvia Hotel. I was gobsmacked at the high quality of the food, the surroundings, and, indeed, the entire experience. What a treat! The evening started with garlic, and lots of it. Frankly, I think [...]]]></description>
			<content:encoded><![CDATA[<p>Last night I went along with friends to dinner at the <a title="五山望鉄板焼き (Japanese, with links to English) [opens in new window]" href="http://www.granvia-kyoto.co.jp/rest/gozan.html" target="_blank">Gozanbou teppanyaki restaurant</a> on the top floor of the Kyoto Granvia Hotel. I was gobsmacked at the high quality of the food, the surroundings, and, indeed, the entire experience. What a treat!</p>
<p><img class="alignleft size-full wp-image-717" title="Succulent beef at the Gozanbou teppanyaki restaurant in Kyoto" src="http://kurt.sauer.us/wp-content/uploads/2009/11/20091106-gozanbou-01.jpg" alt="Succulent beef at the Gozanbou teppanyaki restaurant in Kyoto" width="540" height="150" /></p>
<p>The evening started with garlic, and lots of it. Frankly, I think that the amount of garlic that the chef cooked up at the start of the meal rivaled anything you could find at, say, <a title="The Stinking Rose (San Francisco) [opens in new window]" href="http://www.thestinkingrose.com/" target="_blank">The Stinking Rose</a> in San Francisco. These ended up serving several roles during the meal: appetizer, beef accoutrement and post-meal rice accompaniment.<span id="more-716"></span></p>
<p><img class="alignright size-full wp-image-720" title="John Crain uses a sharkskin grater to make fresh wasabi" src="http://kurt.sauer.us/wp-content/uploads/2009/11/20091106-gozanbou-02.jpg" alt="John Crain uses a sharkskin grater to make fresh wasabi" width="180" height="270" />The meal was elegant in its simplicity and prepared to perfection. As with most Japanese meals, there is a wide variety of flavor on offer, but no one element of the menu swamps the rest. Instead, there is always a nice balance of color and intentional asymmetry during the meal, supporting a Japanese aesthetic view called &#8220;<a title="Wabi-sabi, defined (Wikipedia) [opens in a new window]" href="http://en.wikipedia.org/wiki/Wabi-sabi" target="_blank">wabi-sabi</a>.&#8221; (Not to be confused with &#8220;<a title="Wasabi, defined (Wikipedia) [opens in new window]" href="http://en.wikipedia.org/wiki/Wasabi" target="_blank">wasabi</a>,&#8221; which is a strong spice used in Japanese cooking.)</p>
<p>Speaking of wasabi, I had never before considered using it with beef &#8212; it had always occupied a &#8220;use with sushi and sashimi&#8221; role for me before. However, at the chef&#8217;s suggestion, we tried topping the small, cooked cubes of beef that were delivered to our places with coarse salt, wasabi and, of course, some garlic. Doing so delivered a wonderful taste, and one I hope to repeat in the future.</p>
<p><img class="alignleft size-full wp-image-729" title="Garlic rice" src="http://kurt.sauer.us/wp-content/uploads/2009/11/20091106-gozanbou-04.jpg" alt="Garlic rice" width="180" height="180" />The close of the main meal was signaled by the preparation and delivery of garlic rice. Some of the garlic left over from the initial garlic serving was crushed into a white paste and warmed, while white, slightly glutinous rice was cooked and seasoned. At first the chef seemed (so I reckoned) to let the rice slightly overcook on the bottom, but in fact he was allowing a small film of cooked rice to develop, which he tore off and set aside like a piece of paper. Then the resulting rice was mixed together with the garlic and thoroughly cooked. Once it was divvied up into individual bowls, the chef used the previously prepared, and deliciously edible, &#8220;rice paper&#8221; to decorate each serving before its delivery.</p>
<p>Once the meal was finished, we retired to an anteroom for a light dessert of mousse or fruit, accompanied by either coffee or one of the varieties of tea available. Again, although simple in their preparation, the hand-made desserts were clearly a cut above. My melon mousse was accompanied by a dollop of caramel ice cream of excellent quality. And the tea that followed made a nice end to a fantastic meal, surely one of the best I&#8217;ve ever had.</p>
<p><img class="size-full wp-image-724 alignright" style="margin: 2px;" title="Gozanbou Teppanyaki Restaurant, Granvia Hotel, Kyoto, Japan" src="http://kurt.sauer.us/wp-content/uploads/2009/11/20091106-gozanbou-03.jpg" alt="Gozanbou Teppanyaki Restaurant, Granvia Hotel, Kyoto, Japan" width="135" height="135" />As a final note, I should point out that the restaurant, situated on the top floor of the Granvia Hotel and directly above the epic-sized <a title="Kyoto main train station (Wikipedia) [opens in new window]" href="http://en.wikipedia.org/wiki/Kyoto_Station" target="_blank">Kyoto JR main train station</a>, has a commanding view of its surroundings. In daylight it has a view of the mountains while at night the subdued interior lighting showcases the famous <a title="Kyoto Tower (Wikipedia) [opens in new window]" href="http://en.wikipedia.org/wiki/Kyoto_Tower" target="_blank">Kyoto tower</a> that is just opposite the train station. A trip to this restaurant will set you back about ¥5,000~7,500 at lunch or about ¥10,000-12,500 for dinner, but it is surely worth every yen spent.</p>
]]></content:encoded>
			<wfw:commentRss>https://kurt.sauer.us/2009/11/teppanyaki-kyoto/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Information security, one character at a time</title>
		<link>https://kurt.sauer.us/2009/10/infosec-in-asian-society/</link>
		<comments>https://kurt.sauer.us/2009/10/infosec-in-asian-society/#comments</comments>
		<pubDate>Wed, 14 Oct 2009 22:04:35 +0000</pubDate>
		<dc:creator>kurt</dc:creator>
				<category><![CDATA[technology]]></category>
		<category><![CDATA[FIRST]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[Japanese language]]></category>
		<category><![CDATA[linkedin]]></category>

		<guid isPermaLink="false">http://kurt.sauer.us/?p=672</guid>
		<description><![CDATA[In July, I gave a keynote speech at the 2009 annual conference of the Forum of Incident Response and Security Teams (FIRST) in Kyoto, Japan, that focused on the communications barrier facing computer security incident response professionals in their cross-cultural dealings with their Asian counterparts. This was the first and, thus far, only time I&#8217;ve [...]]]></description>
			<content:encoded><![CDATA[<p>In July, I gave a keynote speech at the 2009 annual conference of the Forum of Incident Response and Security Teams (FIRST) in Kyoto, Japan, that focused on the communications barrier facing computer security incident response professionals in their cross-cultural dealings with their Asian counterparts. This was the first and, thus far, only time I&#8217;ve given this speech, but you can watch it below and draw your own conclusions about how culture, technology and information security can work together in Asia.</p>
<p>I should say a word about FIRST, a non-profit professional organization on whose board of directors I presently sit. I began my association with FIRST in its early years, when I was involved with computer security for a product line at Sun Microsystems. Since then, we have seen more and more emphasis put on how to react to security breaches of various kinds. But FIRST is a unique organization, bringing together incident responders from across the globe in a common forum. If you&#8217;re interested in learning more about FIRST, its <a title="FIRST annual computer security conference (new window)" href="http://www.first.org/conference/" target="_blank">annual conference</a>, and the other work it does, by all means visit <a title="FIRST.org (opens in a new window)" href="http://www.first.org/" target="_blank">www.first.org</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://kurt.sauer.us/2009/10/infosec-in-asian-society/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Business, Asian style</title>
		<link>https://kurt.sauer.us/2009/07/business-asian-style/</link>
		<comments>https://kurt.sauer.us/2009/07/business-asian-style/#comments</comments>
		<pubDate>Sun, 12 Jul 2009 16:43:32 +0000</pubDate>
		<dc:creator>kurt</dc:creator>
				<category><![CDATA[living]]></category>
		<category><![CDATA[FIRST]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[Japanese language]]></category>
		<category><![CDATA[linkedin]]></category>

		<guid isPermaLink="false">http://kurt.sauer.us/?p=660</guid>
		<description><![CDATA[I gave a keynote speech at the 2009 annual conference of the Forum of Incident Response and Security Teams (FIRST) in Kyoto, Japan, that talked about my observations of Japanese business operations, highlighting the differences that become barriers to communication. This morning, I had the privilege of seeing a write-up of the talk in IT [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.itmedia.co.jp/enterprise/articles/0907/11/news003.html" target="_blank"><img class="alignright size-full wp-image-661" style="margin-left: 3px;" title="No setbacks! (opens IT Media article in new window)" src="http://kurt.sauer.us/wp-content/uploads/2009/07/zasetsuikenai.gif" alt="No setbacks!" width="132" height="132" /></a>I gave a keynote speech at the <a title="2009 FIRST annual conference (opens in new window)" href="http://www.first.org/conference/2009/" target="_blank">2009 annual conference</a> of the Forum of Incident Response and Security Teams (FIRST) in Kyoto, Japan, that talked about my observations of Japanese business operations, highlighting the differences that become barriers to communication. This morning, I had the privilege of seeing a write-up of the talk in <a title="IT Media news [Japanese] (opens in separate window)" href="http://www.itmedia.co.jp/enterprise/articles/0907/11/news003.html" target="_blank">IT Media</a> that faithfully captured the entire talk. I think it&#8217;s always interesting to see how one&#8217;s own words wind up in translation; this time, though, the differences don&#8217;t seem to be very severe.</p>
<p>It was a little bit unnerving to give a talk about Japanese language and business culture to an audience that included a large number of Japanese. After all, they would all have much more experience than I do in Japanese business settings. But I tried to make the case that the differences&#8211;things that lead to misunderstandings&#8211;are extremely important, too. I was really excited to get positive feedback not only from the overseas audience, but also from the Japanese audience. That so many people enjoyed the talk made me very pleased indeed.</p>
]]></content:encoded>
			<wfw:commentRss>https://kurt.sauer.us/2009/07/business-asian-style/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Ring 0</title>
		<link>https://kurt.sauer.us/2009/03/ring-0/</link>
		<comments>https://kurt.sauer.us/2009/03/ring-0/#comments</comments>
		<pubDate>Tue, 24 Mar 2009 08:13:35 +0000</pubDate>
		<dc:creator>kurt</dc:creator>
				<category><![CDATA[technology]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[linkedin]]></category>

		<guid isPermaLink="false">http://kurt.sauer.us/?p=528</guid>
		<description><![CDATA[Although I&#8217;ve spent the past several years of my professional life being involved in information security policy and management, my first love is still computer operating system security. In this field there&#8217;s a fair amount of special terminology, and one of these special terms is &#8220;protection rings&#8221;, which is a way of saying that, for [...]]]></description>
			<content:encoded><![CDATA[<p>Although I&#8217;ve spent the past several years of my professional life being involved in information security policy and management, my first love is still computer operating system security. In this field there&#8217;s a fair amount of special terminology, and one of these special terms is &#8220;<a title="Protection rings, defined (Wikipedia)" href="http://en.wikipedia.org/wiki/Ring_(computer_security)" target="_blank">protection rings</a>&#8221;, which is a way of saying that, for security reasons, the core of a computer operating system should wall itself off from programs being run on behalf of the user. The lower the &#8220;ring&#8221; number in which a computer process sits, the more central and, theoretically, more secure it is.</p>
<p>Although this kind of security separation has historically been weak on personal computers, recent attempts to strengthen them in modern operating systems, such as Microsoft Windows Vista, have given rise to thinking about new kinds of attacks that could compromise computers in a protection ring even more central than the operating system itself. So it came as no real surprise to me that researchers recently attending the CanSecWest 2009 conference described a suite of tools and techniques that can totally compromise the <a title="Basic Input/Output System (BIOS), defined (Wikipedia)" href="http://en.wikipedia.org/wiki/BIOS" target="_blank">BIOS</a> of a computer, rendering all the additional security in the world ineffective.<span id="more-528"></span></p>
<p>This is a bit like the analogy of spending a large amount of money on a bank-grade bolt for a door that is hung on a weak door frame. The lock works perfectly well, but a burglar could easily enter by breaking the hinges from their mount. In computer security terms, even if we apply state-of-the-art operating system security techniques, a system whose &#8220;ring 0&#8221; protections have been thwarted can be made entirely insecure.</p>
<p>This is not an easy problem to resolve, particularly in businesses that have large numbers of IT assets, such as laptop computers, in the hands of employees who typically show little interest in the security concerns of their employers. While we might expect hardware manufacturers to come to the rescue, the wide-scale deployment of sanctioned remote access tools, such as <a title="Commentary on the threat posed by Intel vPro technology" href="http://www.tgdaily.com/content/view/39455/128/" target="_blank">Intel&#8217;s vPro framework</a>, which allows for remote access at layers beneath the operating system, leaves data owners skeptical of even highly diligent efforts to secure systems that are connected to public networks.</p>
<p>References:<br />
<a title="Researchers unveil persistent BIOS attack methods" href="http://threatpost.com/blogs/researchers-unveil-persistent-bios-attack-methods" target="_blank">Researchers unveil persistent BIOS attack methods</a>, <em>ThreatPost</em><br />
<a title="Savvy hackers take the hardware approach (SearchSecurity.com)" href="http://searchsecurity.techtarget.com/news/column/0,294698,sid14_gci1246533,00.html" target="_blank">Savvy hackers take the hardware approach</a>, <em>SearchSecurity.com</em></p>
]]></content:encoded>
			<wfw:commentRss>https://kurt.sauer.us/2009/03/ring-0/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

