Lessons learned in password security 2013

As 2013 comes to a close, it’s time to reflect on a year of change for password security and the implications for the year ahead. Large scale security breaches this year (as with every year) have taught us that web apps still have improvements to make. Big improvements. Sites like Twitter, Facebook, Google, Evernote and Dropbox support two-factor authentication, but not by default. This hearkens back to the slow shift from using HTTP to HTTPS by default — but even that effort remains incomplete.

The challenge for web apps is how to extend security beyond a user’s browser. Even though the aforementioned sites didn’t suffer a direct password breach, several million passwords related to accounts on those sites were compromised. And the most likely culprit is malware on a victim’s system.

By using two-factor authentication, sites reduce the value of a stolen password because an attacker would also need access to the “second factor” in order to successfully access the victim’s account. The second factor is typically a mobile device that provides a temporal password via text message or dedicated app. Not only might people take more care in protecting their phone than their password, it’s harder to compromise phones on the same scale as the millions of passwords taken from this year’s Adobe breach.

Below are my top five predictions for password security in 2014:

1. Two-factor authentication will continue to gain momentum. We will also see the rise of smart crypto-engineering for multi-authentication passwords (Twitter is an excellent example). In spite of two-factor authentication, many web apps have APIs for legacy and third-party apps that require static passwords. Attackers will continue to probe APIs for weaknesses. And if a site neglects to use HTTPS, an attacker can always sniff cookies from Wi-Fi networks.

2. Expect to see improvements to password recovery mechanisms. Sites will de-emphasize security questions in favor of using mobile devices and mobile apps to recover accounts. However, losing a device can mean losing your account if a site’s password recovery mechanism isn’t flexible enough to work without it. And sites that email a user’s original plaintext password need to be shamed into using a more secure mechanism.

3. Database breaches will continue to expose millions of passwords. It would be nice to see sites follow Facebook’s lead whereby they proactively warn or freeze user accounts whose credentials were exposed by such a breach. This would minimize the amount of time an exposed password remains valuable and remind users they should use a unique password for their email account and different passwords for other accounts.

4. Cross Site Request Forgery (CSRF) will become more prominent as attackers craft exploits to take advantage of users who are already logged into a target web app. And bet on the mobile version of a web app to have weaker CSRF countermeasures than its web-based counterpart.

5. Phishing attacks will still be effective. The attacks may not scale like they have in the past, but targeted attacks will trick victims into divulging information that enables an attacker to take over an account or install malware on the victim’s system.

This year’s Adobe password breach also reinforced that passwords themselves need to be more secure. How can organizations prevent almost 2,000,000 users from choosing “123456” as their password? And will adopting two-factor authentication make users think they can be lazier about protecting their static passwords? Safari’s iCloud Keychain is a great step forward: Have the browser choose strong passwords for every site and sync them throughout the user’s devices.

Organizations will need to focus on what they can easily control to improve security. Increased two-factor authentication implementation, improvements to password recovery and reset mechanisms will be the main focuses of 2014.

Then again, once something becomes more foolproof, a better fool is invented. It’s not much different than trying to predict the future.

Don't miss