Long Live the Password — Even if You Don’t Want It To

In today’s interconnected world, we interact with applications and systems on myriad devices, from smartphones and tablets to desktop computers, baby monitors, wearable technology and even our cars. To access most of these applications and systems, we need to authenticate ourselves — that is, confirm our digital identity corresponds with who we are in the real world, whether it be to our bank, loyalty programs, food delivery services or ride sharing applications.

To authenticate, we need to share something to identify ourselves and some sort of shared secret, which in most cases is a password. This password is rarely unique to any one platform or very complex for that matter, unless the person authenticating their identity has a really good memory, writes it down or uses a password manager. In most cases, passwords are rather weak, and when they are, they can be easily guessed or cracked.

The problem with passwords is they do not scale. An individual could have hundreds of passwords while privileged users could have upward of thousands of passwords. Without a system in place to manage authentication secrets, users most likely will resort to using just a handful of passwords to protect a large number of accounts. This leads to a serious problem: If ever a server or website with minimal security is breached and passwords are exposed, either because they were stored in plain text or the victim used a weak password storage mechanism, then those stolen passwords can be used to access the compromised platform and a plethora of other accounts.

To combat compromise due to weak or stolen passwords, many organizations have implemented two-factor authentication (2FA) or multifactor authentication (MFA), demanding an extra piece of information in addition to the old password.

The Token Paradigm

2FA and MFA are authentication techniques in which the authentication process requires something you have and something you know. In the case of something you know, it’s the password. In the case of something you have, it’s usually a one-time code that can be generated by a hardware device of some type, such as a fob token, or a number of other physical devices. Or, it can be generated by software on a computer or mobile device (aka a soft token).

When you look into the details of how an authentication token works, it’s usually a hardware device seeded with a blob of cryptographic material that performs an operation on a clock synchronized to Coordinated Universal Time (UTC) or on a token counter to produce some sort of challenge response, usually in the form of an ever-changing six-digit number.

While this code isn’t a password, it is derived from an authentication secret that can be stolen should the 2FA/MFA server ever be compromised by adversarial actors. That sort of compromise could give attackers access to the entire series of second-factor codes and break the added security tokens can supply.

Biometrics — a solution that involves collecting digital information about a person’s physical characteristics, such as fingerprints, retinal scans, voice signatures, complete handprints and facial scans — can add security when layered. That being said, biometrics should be considered a username of sorts, since they cannot be revoked and modified if compromised. The user will forever have the same fingerprint. Furthermore, artificial intelligence (AI) can now allow for the replication of facial features and voice prints. In the recent past, researchers have demonstrated that gels can be used to copy fingerprints, and facial recognition has been sometimes fooled by a certain format of the user’s picture.

2FA/MFA by text message is another possibility of layering security, but its effectiveness has been deteriorating with the rise of mobile malware that can hijack these messages, by SIM card swapping/hijacking, which can be devastating to authentication systems that rely on it, and by larger scale attacks that can compromise the underlying communication protocol — Signaling System No. 7, or SS7.

Passwords and the Enterprise

Let’s look at the use of passwords from an enterprise context. Most enterprises run some sort of Microsoft Windows server, usually connected via network equipment and hosting multiple devices connected by a local area network (LAN) or wide area network (WAN). Managing access and availability to users relies on the network running smoothly.

While rare, networks do tend to have outages that can have an effect on user access and securing that access. To log in to a router, switch or other network device, a username and password are usually required along with, in some cases, multifactor authentication. Network devices normally have central authentication, such as Terminal Access Controller Access-Control System Plus (TACACS+) or Remote Authentication Dial-In User Service (RADIUS), that centralizes authentication, authorization and accounting (AAA, or triple A) user management. The central authentication ties into the organization’s active directory so that administrators don’t have to program their credentials into every device.

The problem with this scheme is that in the event of a network outage, security can be impacted as the layered authentication requirements melt away without the network’s support. Here’s how that could happen: The remote authentication server will be unavailable and an emergency password would be required to access the device. That would preclude the use of alternative systems such as multifactor authentication, certificates and other out-of-band methods, since the device will not be able to talk to its authentication server.

Active Directory Means Active Passwords

Now let’s take a look at Windows. Everything in Active Directory has an account, from users to privileged users to service accounts and even machines. Each of these accounts has an Active Directory password to authenticate itself to the network. Even when smart card use is enforced for authentication, a password is still set — it just happens to be set to a 128-character, randomly generated password.

While this may be secure in theory, with Windows, password hashes are password-equivalent, so if somebody manages to get the hash out of memory, they can then “pass the hash” and authenticate to the network without knowing the actual plain text password or passphrase. This means that even with smart card authentication enforced — which removes the password requirement — a password is still effectively set and can be compromised, often with tools readily available on the internet.

The bottom line is that as long as a password or passphrase can let someone in, it can also be compromised to let attackers in. And while the ideal solution is to get rid of passwords altogether, it won’t be easy and likely won’t happen soon.

In the enterprise world of Active Directory, passwords may never go away without extensive reengineering.

Password Insecurity in the World of IoT

Passwords are also a security issue in places where security is more of an afterthought. Let’s look at internet of things (IoT) devices, such as cars, medical devices, robots, routers, coffee makers, etc. The majority of these devices run some sort of Linux operating system and are not connected by a central active directory. They are, in effect, standalone.

These devices need to be serviced, which means they require an interface to log in remotely. The easiest form of authentication in this case is a password. Here, again, manufacturers set weak default passwords to the device, which users then rarely change. These weaknesses have resulted in the compromise of millions of connected devices that were made part of massive distributed denial-of-service (DDoS) attacks on major brands and communication infrastructures across the globe.

Is that about to change now that the risk is known? With millions of devices out there, the chances of them all being recalled and replaced with a passwordless authentication solution is very slim.

Passwords Are Dead — Or Are They?

Passwords still exist because they are cheap and easy to implement, but that does not mean they are very secure. Nowadays, doing away with passwords is top of mind for many service providers and nonprofit security organizations. There are commendable initiatives making strides, such as FIDO2, which aims to enable users to leverage common devices to easily authenticate to online services, and certificate- and risk-based authentication, which attempt to reduce the impact of password reuse.

However, to minimize the impact of a password, more diversity in authentication paths is also needed. If a token is stolen, you still need some sort of secret to prevent it from being used without your knowledge. Password managers, password length, entropy or randomness, and frequent cycling of authentication secrets remain among the best defenses against compromise. Here are some password best practices:

  • Passwords should be long, at least more than 12 characters and, ideally, 16 characters or longer.
  • Passwords should be randomly generated and look like line noise, such as ‘?G*T)MdC9R[4n}(m‘ or ‘6%8/4}LSy6]zfPq+‘.
  • Passwords should be secret and unique between sites, which means you shouldn’t use the same one in more than one place. Oh, and please don’t use the passwords above.
  • A password manager is a good tool to use; it can keep track of and cycle passwords between locations.
  • Passwords should be changed on a regular basis.

Minimizing the Impact of Password Weakness

People will inevitably choose poor passwords. They will reuse them between websites, and they will even use a variant of that password inside the enterprise. But there are ways to help the organization mitigate the impact of these hard-to-control issues.

To begin, frequent password audits are recommended. X-Force Red is an autonomous team of veteran hackers within IBM Security, hired to break into organizations and uncover risky vulnerabilities that criminal attackers may use for personal gain. X-Force Red performs password audits using a password cracking cluster called Cracken.

During an internal penetration test, once X-Force Red gains control over the domain password, hashes will be extracted and then cracked with Cracken, which will allow weak passwords, such as Passw0rd, Spring2019!, Zaq12wsx, Qwertyui and Welcome1!, to be detected and remediated.

Cracken can also be used against password hashes stored in databases, on IoT devices such as car infotainment systems and anywhere else hashes can be found.

Frequent penetration testing is recommended to help uncover and strengthen weak passwords. You’d be surprised where passwords and other authentication secrets can be found.

Learn more about IBM X-Force Red