The Death of the Password
Using no more processing power than what’s found inside a basic smartphone, it is now possible to generate all possible 8-letter passwords in a few hours. Even scarier, noted security researcher and Twitter security chief Moxie Marlinspike offers a cloud service that can do it in about 20 minutes. With stats like these – which continue to break records with every advance in computer speed – it’s shocking how many companies still rely on nothing more than username and password to secure sensitive data.
Now is a seminal time in online security. The last 18 months have brought a tremendous push to store more information in “the cloud,” and to leverage the convenience, usability, and collaborative benefits it brings. Meanwhile, every day passwords grow weaker, remote hackers grow more devious, and the criminal underground grows more brazen, selling the tools for their crimes in open-air markets. These two forces are on a collision course, and the early indications are already manifold: Dropbox, LinkedIn, Yahoo!, Gmail, and more have all suffered embarrassing, damaging breaches in recent months, and these are just the attacks that have made it to the headlines.
Yes, we’ve moved beyond “p@ssword” and “123456,” and even the hard ones, the “8 characters, including a mix of capital letters, digits, and punctuation,” are falling by the wayside. For a long time, we told you to “never write it down,” but recently there’s been a total retraction. The chances of a slip of paper being stolen out of your wallet are vastly smaller than those of an international hacker remotely accessing your computer. Take a lesson from the marines with the nuclear launch codes and always pick a password that needs to be written down (or at least base it on a strong mnemonic, like in http://xkcd.com/936). If you can easily remember it, chances are it’s pretty guessable. Worse still, it’s probably already in somebody’s list (here’s a few million for free, or if you’ve got $300 USD, a list of a few trillion).
Yet “unguessable” only solves part of the problem. Relying on the assumption that it’s infeasible for someone else to know your password simply doesn’t hold anymore. From keyloggers to phishing pages to password reuse to rainbow tables to simple brute-force cracking, no matter how convoluted that string of letters, it’s simply not enough.
Moreover, nowhere is safe. It used to be the bad guys only hit the directly-monetizable sites. But as we discussed last week, criminals have become enamored of the “long con,” and are now patiently compiling dossiers on us all through the wealth of less-protected, but still information-rich, sites.
We’re not alone in proclaiming that passwords are no longer enough. In recent weeks, Wired, Deloitte, and the Atlantic Wire all weighed in on the “death of the password,” and their recommendations are the same: Companies cannot rely on passwords alone, and must deploy risk-based authentication, account compromise detection, and session anomaly detection to mitigate the exposure. Passwords probably can’t go away completely—they’re still the most convenient option by far—but in most circumstances they must be blended with an active, intelligent system to balance the risks, identify anomalies, and manage the attacks.
These systems are not trivial to build. Large cloud and identity providers like Google and Salesforce.com employ hundreds of engineers and an even larger team of security and fraud analysts to monitor and manage this growing problem. Inspired by this model, many smaller SaaS companies and cloud services providers have attempted to follow suit. Unfortunately, “home-grown” solutions suffer from a considerable “data silo” problem: No matter how smart their engineers and their algorithms, these systems can only see and learn from attacks against their own networks. A determined account hacker can spend all day cracking passwords on your neighbor’s site, then move on to yours with a clean reputation and not a stain on his record. And what are the chances that a brand new hacker attempts a brand new exploit and chooses yours as the first site he hits?
The solution, and truly our only hope against these criminals and the tide of account hacking, draws on another key trend in Cloud Security: Big Data. Using a “reputation clearinghouse” of threat information—where information on bad actors and their techniques and modes of operation is aggregated, digested, and synthesized—provides the best possible hope against the problem. This information can then feed into statistical models to predict bad behavior based on its precursors, rather than just sweeping up after the fact.
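To make the “data silo” problem and the clearinghouse answer concrete, here is an added illustration (not code from the original post or from any vendor): a small risk-based login check that flags a source address only after repeated failures inside a time window. Run against one site’s own logs it never sees the password spraying that happened next door; run against the pooled view it does. The site names, addresses, threshold and log records are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the original post): one source address
# sprays guesses at siteA, then presents a single correct password at siteB.
# Fields: site, source IP, username, succeeded?, ISO-8601 timestamp.
EVENTS = [
    ("siteA", "203.0.113.7",  "alice", False, "2012-11-01T10:00:05"),
    ("siteA", "203.0.113.7",  "bob",   False, "2012-11-01T10:00:09"),
    ("siteA", "203.0.113.7",  "carol", False, "2012-11-01T10:00:14"),
    ("siteA", "203.0.113.7",  "dave",  False, "2012-11-01T10:00:20"),
    ("siteA", "203.0.113.7",  "erin",  False, "2012-11-01T10:00:27"),
    ("siteA", "203.0.113.7",  "frank", False, "2012-11-01T10:00:33"),
    ("siteB", "198.51.100.2", "grace", True,  "2012-11-01T10:02:00"),  # ordinary user
    ("siteB", "203.0.113.7",  "heidi", True,  "2012-11-01T10:05:00"),  # sprayer, first try here
]

FAIL_THRESHOLD = 5          # assumed policy: this many failures inside WINDOW = bad reputation
WINDOW = timedelta(minutes=15)

def bad_sources(events, site=None):
    """Source IPs with at least FAIL_THRESHOLD failed logins inside a sliding WINDOW.
    site=None is the clearinghouse view over every site's events; naming a site
    restricts the view to that site's own logs (the "data silo")."""
    fails = defaultdict(list)
    for s, ip, _user, ok, ts in events:
        if ok or (site is not None and s != site):
            continue
        fails[ip].append(datetime.fromisoformat(ts))
    flagged = set()
    for ip, times in fails.items():
        times.sort()
        for i, start in enumerate(times):
            # count the failures that fall in [start, start + WINDOW]
            if sum(1 for t in times[i:] if t - start <= WINDOW) >= FAIL_THRESHOLD:
                flagged.add(ip)
                break
    return flagged

def decide(event, reputation):
    """Risk-based decision for one login: a correct password from a flagged
    source still gets step-up verification instead of a plain allow."""
    _site, ip, _user, ok, _ts = event
    if not ok:
        return "deny"
    return "step-up" if ip in reputation else "allow"

def decisions_for_site(events, site, shared):
    """Decide each of `site`'s logins using its own logs or the pooled view."""
    rep = bad_sources(events, None if shared else site)
    return {e[2]: decide(e, rep) for e in events if e[0] == site}
```

With `shared=False`, siteB allows the sprayer's first successful login because it has never seen that address fail; with `shared=True` the same login is routed to step-up verification.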
The best account hackers don’t work alone and they don’t attack only one site in isolation. Only by uniting our efforts do we stand a chance of defeating them and preserving our online information security from the rising tide of account compromise. And only together can we hope to weather through the death of the password.