When high profile password compromises occur, we often spend a lot of time focusing on advice to the users – “Use strong passwords;” “Don’t reuse passwords across sites;” “Don’t write passwords down;” “Don’t disclose your password via email or on an untrusted site;” and so forth.
User-centric scrutiny is a good place to spend time when we’re dealing with phishing attacks, but it doesn’t help much if an attacker breaks into a company’s systems and grabs the entire password database. In that case, they’ve grabbed all the weak passwords, but they’ve also grabbed the strong ones, too. In some cases, the attackers may also gain access to information that is even more valuable than the credentials themselves.
We’re used to asking the obvious questions like, “Were the passwords encrypted with a salted hash,” and “Does the web site use a secure form for logins?” From my interactions with breached companies, I believe we need to zoom out and look at password security from a broader perspective. Here are some areas that would benefit from greater scrutiny.
A lot has been said about multi-factor authentication, and it can add quite a bit of security to a system. However, some of the implementations I’ve seen have some real issues. Here are some things to look for – either in your own systems, or those run by your partners and suppliers:
Secret questions that aren’t so secret. If you use “secret questions” to verify users’ identities, make sure the questions and the answers are not stored in the clear on your systems. I’ve seen cases where companies were storing the passwords securely, but the secret questions and answers were in the clear, so attackers were able to use stolen user ID’s and the answers to the secret questions to reset any user’s password, regardless of how strong their previous passwords were.
Easy circumvention of your security. It is quite common for sites to have an “I forgot” workflow which can be used if you forgot your password, or you forgot your 2nd factor of authentication. In these workflows, pay close attention to how they could be circumvented. For example, if you forgot your security token or other 2nd factor (like an authenticator app), sites often resort to secret questions which could be either easily guessed, or made ineffective through the weakness I outlined in the previous point.
I’ve seen companies that allow you to use a text message or an email to authenticate when you’ve forgotten a token. That can be a good approach, but I’ve seen flawed implementations that allow you to specify the email address or mobile number from within the “I forgot” workflow, which means anyone can bypass your 2-factor authentication.
Other weaknesses that make it easier to compromise your security include:
- Unlimited numbers of guesses when someone has forgotten their password;
- Emailing both the user ID and a temporary password to a user in the same email;
- Not forcing password changes after a temporary password has been issued;
- Emailing the user’s current password to them (that indicates that you probably aren’t storing the passwords securely in the first place, by the way);
- Securing the passwords, but not adequately securing the customer data itself (in other words, if you have the right URL, you can bypass the authentication process, or by authenticating as one user you can access another user’s data).
Offline processes that are weaker than online processes. I’ve run across situations in which it is difficult for a user to spoof a legitimate user’s identity through the online authentication process, but companies made it very easy to gain access to a user’s account by jumping out of the online process. In these cases, attackers called the company’s call center and were able to bluff their way through a process to reset a password. In some cases, they were even able to get the call center rep to verbally supply a temporary password over the phone, or to send a temporary password to an email or mobile number that wasn’t previously associated with the account. Very significant flaw in the system, don’t you think?
These are just a few examples of issues that can creep into systems we’re trying to secure, and I’ve seen them often – even in organizations that generally do a good job with security. I think one of the challenges is that we often have too narrow a perspective when we’re implementing security, and we’d benefit from some good, solid “red team” exercises in which we think like attackers and try to circumvent our own security controls. Conducting closed community tests (either with employees, partners, or others in your inner circle) can also be helpful, since you bring in a fresh set of eyes to try the process of trying to thwart your system, and they may think of things you didn’t. Prizes and recognition also help in this process, to up the level of effort outside parties exert to try to show you up, by the way.
In summary, while it is good to focus on user education to increase the security of passwords and authentication, remember to turn a critical eye toward the parts of the systems you manage and control, as well. Thinking about things from a broader perspective that encompasses the technology and processes relating to user authentication, as well as scrutinizing the exception processes, can often uncover important weaknesses in your security.
Even if you think you’ve got it covered, this is an area in which I advise a “trust but verify approach” to ensure that it works the way you think it does. Take the necessary steps to ensure that your organization is treating password security as more than a user problem.