The Same Old Static Password Story is Getting Old


We all hear that they are insecure...

...but we continue to use them nonetheless: the good old password, or static credential (as opposed to a dynamic, changing credential such as a One-Time Password or full PKI authentication).

I want to draw your attention, though, to the fact that when we spoke previously about the vulnerability of passwords, we were speculating and trying to convince people that they were insecure. Since then, the world has changed significantly in the following ways:

1. The highly publicized attack by the Anonymous group on HBGary. What is interesting in Ars Technica's analysis of the attack is that, although the attack combined several techniques (SQL injection, rainbow tables, social engineering, etc.), the main cause was the same old problem: simple passwords (each was just six lower-case letters and two numbers), and the same passwords used across different systems such as email, Twitter accounts and LinkedIn were also used for the administration of Google Apps email.

2. Through the increased number of exploits against websites that protect their user accounts with passwords, and the publication of those passwords by groups such as Anonymous and LulzSec, it is finally possible to analyze scientifically how inept we are at using passwords effectively, especially different passwords for different sites. One such analysis, by Joseph Bonneau and concerning the HBGary passwords, shows that nearly 30% of users with the same email address use the same password.

3. The continuous exploitation and the sheer number of leaked passwords mean that quantitative analysis of the passwords in use makes it proportionally easier for an attacker to make a progressively more educated "guess" at the password of a random account.

This really means that now, more than ever, one should move away from passwords and static credentials and embrace APT-resistant OTP tokens (see my blog entry "Not all OTP tokens are the same"), or adopt PKI-based authentication now that it can be implemented in an easily deployable appliance.
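To make the contrast between a static credential and a dynamic one concrete, here is an added example (not code from the original post or from any product it mentions) of an event-based one-time password per RFC 4226 (HOTP), using only Python's standard library. The shared secret is the RFC 4226 test-vector secret, chosen so the codes can be checked against the published values; the verifier, its look-ahead window size and the `HotpVerifier` name are assumptions of this example, not a specification. The point it demonstrates is the defender's benefit: a code that is captured, reused across sites or leaked in a dump is worthless once it has been consumed, because the server's counter has moved past it.

```python
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test-vector secret ("12345678901234567890").
# Constructed for this example; a real token gets a random per-device secret.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) = Truncate(HMAC-SHA-1(K, C)) mod 10^digits, as in RFC 4226."""
    msg = struct.pack(">Q", counter)               # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation offset
    binary = ((mac[offset] & 0x7F) << 24
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return str(binary % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server-side state for one token: the next counter value it will accept.

    Assumption of this example: a small look-ahead window tolerates a token
    whose counter ran ahead (e.g. codes generated but never submitted), while
    any counter at or below the last accepted one is rejected, which is what
    makes a previously used code unreplayable.
    """

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.next_counter = 0
        self.look_ahead = look_ahead

    def verify(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.look_ahead):
            # compare_digest avoids leaking the match position via timing
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.next_counter = c + 1           # never accept c again
                return True
        return False


def replay_demo() -> dict:
    """Show that a captured OTP is accepted once and rejected thereafter."""
    server = HotpVerifier(TEST_SECRET)
    first_code = hotp(TEST_SECRET, 0)               # token shows this code
    return {
        "first_use": server.verify(first_code),     # True: legitimate login
        "replay": server.verify(first_code),        # False: same code reused
        "next_code": server.verify(hotp(TEST_SECRET, 1)),   # True: counter advanced
        "skipped_ahead": server.verify(hotp(TEST_SECRET, 4)),  # True: inside window
        "too_far": server.verify(hotp(TEST_SECRET, 20)),    # False: outside window
    }


if __name__ == "__main__":
    for c in range(3):
        print(c, hotp(TEST_SECRET, c))             # 755224, 287082, 359152
    print(replay_demo())
```

Contrast this with the static credentials in the HBGary case: a six-letter, two-digit password that is reused is the same secret every time it is typed, so one capture or one leaked dump unlocks every site it was shared with. Here the long-term secret never leaves the token and the server, and the value that is actually transmitted is single-use. A time-based variant (TOTP) replaces the counter with a time step but keeps the same truncation and the same single-use property.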