Sunday, January 25, 2015

Brains Over Brawn


Oh so many years ago, when my children were growing up, I instilled the message that brains are stronger than brawn.  In other words, thinking through a problem will usually turn up an easier solution than simply applying more brute force.  The shady side of the Internet has figured that out and uses socially engineered attacks and keylogging malware to get passwords in clear text.  It's about time the good guys started using their brains, stopped suggesting stronger passwords, and got smarter at identifying and stopping authentication attacks.

I've written before on the statistics around passwords and that it is nearly impossible for a crook to simply guess anything other than the simplest of passwords, most of which inexplicably are allowed in most systems.  Passwords structured like "can9dy11" or "mis0s0up" require billions of attempts before they are likely to be guessed, and shame on the IT department that doesn't detect and prevent more than a few incorrect password attempts.  Ideas like taking a phrase such as "I would like to destroy every password I have" and turning it into "Iwltdep1h" are great, at best, for passwords that never have to change, but coming up with a new phrase every 60-90 days and repeating the learning curve to remember this formulation of password just doesn't make sense, unless you are one of the few who have a perfect memory and total recall.  We normal folk struggle just to remember where we left our car keys.  Stop treating us like Einstein, and then blaming us for choosing bad passwords.  Ultimately it's your fault, Mr. or Ms. Security Professional, that we do, because you allow us to use them.

A recent security headline was an OpenSSL bug that allowed an attacker to collect information stored in memory, which among other things could be your password.  No password was immune to this type of leak.  No combination of length, capitals, special characters or other "best practice" (a term I despise) offered any protection.  So what did I hear from every expert quoted in the press about how to protect yourself?  Choose harder passwords.  Would it have protected you?  No.  Would it have made the crook's job any harder?  No.  Did the interviewer ask that question?  No.  Would it drive you nuts having a harder-to-remember password?  Probably.  Would you be more than mildly upset when you found out this didn't help the least bit?  Absolutely!

The answer is to move beyond passwords and add some form of secondary challenge, at least for that small number of systems that contain financial, health or other personal information valuable to the crooks.  Let's try not to solve world peace here.  Let's get focused and truly solve the small part of the problem we really care about, for as many people as we can.  The clear technology winner, for now, is two-factor authentication.  In a nutshell, this involves entering a second code, but one you don't store in your brain.  It can be delivered via a smart-phone app, a phone call, a text message or an email.  Many popular web sites, like Google's Gmail, Apple's iCloud and Bank of America, offer this as an option.  Check out twofactorauth.org for a list of popular web sites and whether they support a second factor.  Would two-factor authentication have drastically reduced the risk associated with the OpenSSL issue?  Absolutely!  Was that ever mentioned?  Sadly not.  Makes you wonder if security folks really want the problem solved or just like to hear themselves talk.

We also need to detect authentication attacks and make a meaningful response.  Years ago I made a credit card purchase in Key Largo, Florida and immediately received a phone call to verify it.  Turns out that lots of fraud occurs in that area.  When I travel internationally I call the credit card company and tell them when and where I'll be.  I recently added the option to my primary credit card to send me an email every time a purchase is made on my card.  If I spot a charge I didn't make, I can call and have my account locked out.  These are simple, yet effective, methods to detect fraud and limit its impact.  These types of methods are also appropriate to IT security, and need to be routinely deployed to protect our most important online assets.
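Turning the responses described above (and the "more than a few incorrect attempts" point earlier) into detection logic, as an added example that is not part of the original post: it runs over constructed login events, locks an account after a burst of failed attempts, asks for out-of-band verification when a login arrives from a location never seen for that account, and notifies on every login, mirroring the per-purchase email.  The event format, thresholds, account names and locations are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample login events (not real data): timestamp, account, outcome, location.
EVENTS = [
    ("2015-01-25T08:00:00", "alice", "success", "Denver"),
    ("2015-01-25T08:05:00", "bob", "fail", "unknown"),
    ("2015-01-25T08:06:00", "bob", "fail", "unknown"),
    ("2015-01-25T08:07:00", "bob", "fail", "unknown"),
    ("2015-01-25T08:08:00", "bob", "fail", "unknown"),
    ("2015-01-25T08:09:00", "bob", "fail", "unknown"),
    ("2015-01-25T08:10:00", "bob", "success", "unknown"),   # right password, but too late
    ("2015-01-25T08:30:00", "carol", "fail", "Boston"),
    ("2015-01-25T09:30:00", "carol", "fail", "Boston"),     # a typo an hour later is not an attack
    ("2015-01-25T10:00:00", "alice", "success", "Key Largo"),
]
FAIL_THRESHOLD = 5              # assumed: failures tolerated per account inside the window
WINDOW = timedelta(minutes=10)  # assumed: the window those failures are counted over

def detect(events, fail_threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return a list of (action, account, detail) responses, in event order."""
    recent_fails = defaultdict(deque)   # account -> failure timestamps still inside the window
    known_locations = defaultdict(set)  # account -> locations seen on earlier successful logins
    locked = set()
    actions = []
    for ts_str, account, outcome, location in events:
        ts = datetime.fromisoformat(ts_str)
        if account in locked:
            # Even a correct password is refused until the owner verifies out of band.
            actions.append(("rejected_locked", account, ts_str))
            continue
        if outcome == "fail":
            fails = recent_fails[account]
            fails.append(ts)
            while fails and ts - fails[0] > window:   # forget failures older than the window
                fails.popleft()
            if len(fails) >= fail_threshold:
                locked.add(account)
                actions.append(("lockout", account, ts_str))
            continue
        # Successful login: a never-before-seen location gets the "did you really buy this?"
        # call (the first location ever seen is treated as the baseline), and every login
        # gets the per-purchase style notification.
        recent_fails[account].clear()
        if known_locations[account] and location not in known_locations[account]:
            actions.append(("verify_new_location", account, location))
        known_locations[account].add(location)
        actions.append(("notify_login", account, location))
    return actions
```

A permanent lock lets an attacker shut out legitimate users on purpose by guessing badly, so in practice the lock should expire or be clearable through the same verification channel.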

It’s time to stop acting like John Henry, who believed his brawn was better than the brains that built the steam-powered hammer.  According to legend he succeeded, only to die in the effort.  Let brains prevail, or die losing the authentication battle.
