This article originally appeared in the November 2012 issue of INTERNET TELEPHONY
So far this year, millions of passwords and password hashes have been leaked from high-profile companies including eHarmony, LinkedIn (News - Alert), and Yahoo. At the end of 2011, Stratfor also fell victim to a password security breach when the hacktivist group Anonymous released more than 800,000 password hashes along with personal information and credit card numbers for its users.
In the midst of all these breaches, companies need to be asking themselves key questions such as: Were any of our employees’ passwords breached? (The answer here is likely yes.) Do any of those employees use the same password on our corporate network as they did on the compromised sites? (Again, probably yes.) And, if so, have all of those passwords been changed? (Not likely.)
While answering these questions is quite difficult, they illustrate the overarching point that more attention needs to be paid to password security within enterprise environments. It would be nice to imagine that these recent breaches will result in the universal adoption of two-factor authentication technologies, or at least password vaults, but those changes are not going to happen everywhere for both economic and usability reasons.
I have no doubt that we will see more password compromises in the future. Passwords are the oldest security control that we have, and they are probably the least understood. However, passwords are here to stay, and it is time for corporations to get serious about modernizing the approach that they take to password security.
<subhead>We need to abandon passwords in favor of passphrases.<subhead>
Today’s passwords are too short. Two years ago, the Georgia Tech Research Institute argued that any password shorter than 12 characters was easily broken with a PC and a graphics processor. Passwords that are longer than 12 characters aren’t really passwords anymore – they are passphrases, and we should start using them.
Many of the password rules that systems are enforcing can also be counterproductive. Forcing users to include a combination of random capitalizations and special characters, or frequently change their passwords, makes them hard to remember and leads people to use character substitutions that satisfy the requirements without adding security.
The worst password rule I have encountered is short maximum length, which is destined to result in bad security and makes the transition to passphrases impossible.Instead of imposing maximum lengths, we need to set the minimum lengths higher, and encourage users to create passphrases out of randomly chosen, unrelated words.
<subhead>Enterprises should adopt proactive password cracking.<subhead>
A recent study by Cambridge University showed that users will adopt bad practices in passphrase environments just like they adopt weak passwords. Examples include using short words or words that often appear next to each other in natural language. User education can help somewhat with this issue, but if you want to identify bad passwords and passphrases and force users to change them, the best way to do that is to do what the attackers are actually doing – set aside some computing resources to proactively crack your own password hash collection, and notify users whose credentials you’ve successfully cracked.
<subhead>Security professionals must acknowledge that passwords and passphrases are going to be compromised no matter what we do.<subhead>
There are an awful lot of username, e-mail address and password hash combinations circulating in the underground after all of the recent breaches, and these passwords are going to be used to compromise corporate networks.
The Advanced Persistent Threat is already coming into your network bearing legitimate access credentials. Mandiant reported that 100 percent of the attacks they investigated in 2011 utilized stolen credentials, while only 54 percent of compromised machines were infected with malware.
Organizations that are only focused on looking for exploit activity at the network perimeter can't see attacks after they've already gotten in the front door. IT security teams also need visibility into the internal network to detect and mitigate compromises after the walls have been breached.
Most enterprises aren’t even performing basic logging of internal network activity. If they discover that a computer has been compromised, they have no way of figuring out what the attacker did next on the network, or which other systems may have been tainted. In fact, Forrester wrote that, “The current state of network visibility is equivalent to putting your head in the sand.”
However, good internal network visibility enables you to do much more than just investigate known breaches; it can also help detect them. For example, if an account executive from Florida logs in from overseas while he is sitting in the office, you know something is not right.
Without tighter password security and higher levels of awareness over what is going on within our network environments, it will become increasingly impossible to thwart the ever-evolving threats we are facing today.
Tom Cross (News - Alert) is director of security research at Lancope Inc. (www.lancope.com).
Edited by Brooke Neuman