Spyware, viruses and attack programs are making it easier to crack passwords. Are they still an acceptable form of security, or is it time they were put out to pasture? Helen Beckett reports.
Passwords have been used through the ages to establish whether someone is who they say they are. Whether you are engaged in the intelligence services or just logging on to your own computer, possessing a secret piece of information is a safe way of proving your identity. Or is it?
The exponential growth of computer power plus the availability of "grinding" and dictionary attack programs means it is getting easier to crack passwords. Just as worrying to chief information officers is the proliferation of spyware and viruses that can plant key logging devices on desktops and thus reconstruct passwords.
Added to these concerns is the parallel trend towards weaker passwords. As users own more digital devices and access greater numbers of applications, the result is password overload.
"It is simply impossible to remember them all," says Michael Schaefer, operations and IT director at Chase de Vere Mortgage Management.
The 40-strong team of salespeople at Chase de Vere have to access more than 50 lender systems and remember unique passwords for them all, which is an impossible task, says Schaefer.
"Passwords are meant to be easy to remember but hard to guess," says Jonathan Wyatt, managing director of technology risk at audit firm Protiviti. "Having multiple passwords with different points of expiry therefore creates a point of vulnerability."
Natural responses to this burden include a "one password fits all" strategy, or worse, writing the password on a Post-it note and attaching it to the front of the monitor. Another favourite is to create a folder entitled "passwords" and log all passwords for different applications. Wyatt observes all of these memory aids on a regular basis when he conducts technology risk audits for major companies.
This picture of sloppy computer security is confirmed by SecureTest, a company that specialises in infiltration and penetration testing. "We see weak passwords on critical systems all the time," says Ken Munro, SecureTest's managing director.
During an exercise at a large media group he discovered a password called "password" on the web interface of the content management system. "It gave us access to the crown jewels," says Munro.
However, Munro believes passwords still have a place as long as they are strong and are used properly. "Ideally, passwords should be an eight-plus sequence of characters and digits that is memorable to the user."
An example of successful password use can be found at mortgage broker Diamond Lifestyles, where a limited budget forced IT manager Michael Cowling to adopt a pragmatic approach to security. In practice, this means that computer security at Diamond Lifestyles relies solely on passwords.
"We are an SME and the cost of implementing an RSA secure token system and training everyone up would be too much for a small company to bear," Cowling says.
Instead, Cowling relies on a strict approach to passwords, combining the improved out-of-the-box features of Windows 2003 with rigid password policies.
Suppliers and users agree that managing passwords stringently is the key to retaining their effectiveness. However, in large enterprises with thousands of staff, policing the network to ensure passwords are strong and managing hundreds of "reset" calls may be an overhead that is just not practical. As one head of IT for a European manufacturing company puts it, "Passwords have had their day."
In vast corporations and organisations where data is particularly vulnerable, such as call centres or financial services, using a second factor of authentication makes a great deal of sense.
"Here, passwords have a short shelf life," says Simon Aron, managing director of Eurodata Systems. A second authentication method such as a token - a one-off password - is easier for staff to use than adhering to Draconian password policies, he says.
Justin McCauley, vice-president of mobile systems specialist Meridea, says that for business-to-consumer transactions that occur outside the firewall, not even a one-time token is sufficient, as it could be intercepted by a spoof site and then used in a fraudulent transaction.
To prevent such attacks, he recommends using passwords that are generated on the user's device itself and not sent over a network connection.
But rolling out yet another layer of technology is not always the answer. Biometrics technology is often touted as the solution to the password problem, where a unique human body part, such as a retina or fingerprint, is scanned and used as the password. However, poor implementation of biometric matching allows people to bypass the system, says Munro.
SecureTest recently managed to infiltrate a laptop protected by a biometric fingerprint device. By accessing the biometric software on the client, SecureTest managed to reduce the match threshold to 2% instead of the normal 90%. "Effectively, if you put anyone's finger on the scanner, the laptop could be unlocked," says Munro.
Although the knowledge of how to conduct a dictionary attack or subvert biometrics is readily available on the internet, it requires the mindset to perpetrate it. Typical security breaches are more mundane and tend to be carried out by internal staff in financial difficulties who spot an easy opportunity. "These attacks are unplanned and are usually extreme cases of 'hand in the till'," says Wyatt.
To defend against internal breaches, companies and IT administrators need to tighten their housekeeping routines surrounding authentication, and should police whether users have strong passwords by using sniffing devices. It is also wise to limit powerful accounts, such as human resources or payroll, to a particular device, rather than enable them on a roaming basis.
One of the most powerful deterrents is not technological, but having the strength to challenge. For example, when an employee phones the administrator with a request for access to data, most organisations never think to ask the converse, "What data do you not need access to anymore?" says Wyatt.
Similarly, helpdesks rarely call an employee's extension to check the veracity of their request, or check with the person's manager.
But IT needs to put its own house in order before looking to the wider population. "It is common to see development access to live systems on a shared account," says Wyatt.
Similarly, IT is responsible for poor coding that can render a password breakable. For example, an error message with the response of "invalid password" informs the hacker that they have guessed the user name correctly. With 50% of the information in their possession, grinding the password then becomes a real possibility, says Munro.
Vox pop: are passwords now past it?
Security testing expert: no
"Single factor passwords - user name and password - are more than enough to secure any system, so long as they are used properly. A strong password and user name will withstand a dictionary attack and a brute force attack.
"However, passwords are only as secure as the user who remembers them. Plus, the more complex a password gets, the more likely it is to be written down.
"A good password satisfies three criteria:
- It is never a word
- It has more than eight characters
- It is information that means something. Taking the first letter from a phrase is a good one, For example, 'I go to the pub every Friday' = ig2tpef."
Ken Munro, managing director, SecureTest
CIO, mortgage broker: yes
"Passwords were suitable five years ago but not any more. As a mortgage broker, we are required by lenders to interface directly to their systems.
"There are three rules for good passwords:
- Do not repeat a password
- Do not share it across a company
- Do not write it down
"I always remind our salespeople of this. But they log in to over 50 lenders' systems, usually via the internet, and are expected to remember over 50 passwords. Clearly, in this situation, they will do one of these three things.
"We submit a lot of sensitive information to lenders' websites and the security they use is generally one factor: user name plus password. Some require the user to click on an e-mail link they send by return to confirm who they are, and others use supplementary security questions.
"The firm uses a second factor: password generation from Swivel to secure remote worker access. The advantage is it generates a one-off token, sent to their mobile phone."
Michael Schaefer, operations and IT director, Chase de Vere Mortgage Management
IT manager, mortgage broker: no
"Passwords are workable as long as you are prepared to do an overhead of maintenance. They are not as secure as I would like for the long term, but they are getting better. Windows 2003 has raised the bar.
"Internally we rely on a Windows-hard password contained in the 2003 servers. Our group policy dictates an eight-character password containing upper and lower case letters and special characters. Users are not allowed to use any part of their name or other attributes referred to in the Active Directory."
Michael Cowling, IT manager, Diamond Lifestyles
CTO, security organisation: yes
"Passwords just do not work any more. As computers have gotten faster, password guessing has become easier. More complicated passwords are required to evade password-guessing software. At the same time, there is an upper limit to how complex a password users can be expected to remember.
"Two-factor authentication solves this problem. It works against passive attacks: eavesdropping and password guessing. It protects against users choosing weak passwords, telling their passwords to their colleagues or writing their passwords down.
"For an organisation trying to improve access control, two-factor authentication is a great idea."
Bruce Schneier, chief technical officer, Counterpane Internet Security
This was first published in December 2005