Wednesday, 21 January 2009

The Problem with Website Passwords

We are all consumers of the Internet, and as consumers we rely heavily on a single username and password to identify and authenticate ourselves to the vast majority of websites. The number of different websites into which any one typical individual taps a username and password combination is not only an awful lot but is always increasing. Typically we are talking in excess of 30 different websites, ranging from e-commerce shopping websites, online banking, auction sites, social networking websites, online email, forums and message boards, World of Warcraft and even blog sites such as this one, so the list of websites requiring an individual access credential from an Internet consumer is pretty endless. Yet if someone else were to find out and use our website access credentials for ill gain, it can turn into a stressful situation at best, or a costly, time-consuming, soul-destroying nightmare of identity theft at worst.

However, when it comes to the security of our website passwords, it tends to be overlooked and “taken for granted” by us, the website consumers, even though it falls within our own security responsibility. Be truthful: do you really use different usernames and passwords for each website? Naturally, the vast majority of people I ask do not use different passwords for each individual website, for the simple reason that a menagerie of passwords across thirty-plus separate websites is too high a burden for the average person; memorising all those different passwords is a security trade-off most folk simply find unacceptable. Yet using the same combination of username and password on different sites presents an increased risk, should a single account’s access credentials be compromised.

The “Single Sign-On” Solution
This problem is far from a new one; Internet egg-heads have been trying to crack it for many years now, hoping to make a buck or two in the process. The answer to the website username and password problem is to replicate how this same age-old problem was tackled, and generally resolved, within the corporate network environment. Over a decade ago the same problem was faced within corporate IT, where many different IT systems required different credential combinations for individual access; in fact this problem is still happening in the corporate world today, to a lesser extent.

The answer was “single sign-on”: authenticate a user once and use that master authentication to grant the appropriate access to the many other systems within the corporate environment. Single sign-on is fairly easy to implement within the corporate environment, simply because the backbone corporate network access system can be implicitly trusted, being the entry point and perimeter for all individual access within the environment, the “master” of access control if you like. Using a “master” system for access control allows single sign-on to govern and control access to the other IT systems and applications within the corporate environment. This works well within private corporate networks, so we just need the same type of single sign-on for different Internet websites. So we require a perimeter “master” access control system which can be implicitly trusted. Who can set this up and be implicitly trusted by the huge array of organisations and communities on the Internet? Oh, that’s Microsoft, right?

Microsoft Single Sign-on
The Microsoft single sign-on system, originally dubbed “Net Passport” and now called “Windows Live”, was launched many years ago with the purpose of being the de facto Internet website single sign-on, and indeed it was a real contender. However, for whatever reason (could it be trust?) it never really took off, with only Microsoft websites such as Xbox Live and the odd commercial website signing up to use the system.

Others have also tried creating an Internet website single sign-on, but it’s all still a work in progress at the moment. I think an across-the-board trusted Internet single sign-on system will eventually happen one day, but I think it will be built around a more secure hardware-token-based system rather than password-based access. However, the reality today is that the vast majority of websites require a username and password combination unique to that particular website.

The Age-Old Password Problem
Using a username and password to control access has always been problematic and far from a perfect security control. The specific problem is that such a system relies on an individual memorising a password, which causes the following yo-yo problem:

1. The first problem is that people have a tendency to write down their passwords. The more complex the password requirement and the more difficult the password is to remember, the more likely it is to be written down by the user. Writing down passwords pretty much removes the main purpose of having a password system in the first place. Another thing which causes people to write down passwords is a cumbersome password reset process: if resetting is painful, they are more likely to write the password down than go through it again.

In the corporate world I come across many access control systems using over-zealous password requirements. For example, a system requiring a complex password of at least 16 characters, with a forced change every 30 days, actually increases the risk of an account being compromised, simply because the likelihood of the password being written down by the system’s users increases significantly. In my view, best practice is to require complex passwords of at least 8 characters, with a 90-day forced change and a 3-attempt account lockout. The secret is the account lockout, which safeguards the system against brute-force attempts and negates the need for over-lengthy passwords and over-zealous forced password changes. What is interesting to compare here is that account lockout is extremely rarely used on Internet websites, other than by the odd online banking website, which means hackers can and do brute-force website accounts.
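As an added example, not code from the original post, here is the server-side logic behind the 3-attempt lockout recommended above, written in Python. The post specifies only the attempt count; the 15-minute automatic unlock, the per-account (rather than per-IP) counting and the salted PBKDF2 password hash are my own assumptions for the sake of a complete, runnable check.

```python
# Added example (not code from the original post): a minimal server-side
# login guard that enforces the 3-attempt account lockout the post recommends.
# Assumptions, not from the post: locked accounts automatically unlock after
# 15 minutes, and attempts are counted per account rather than per source IP.
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_ATTEMPTS = 3            # the post's "3 attempt account lock out"
LOCKOUT_SECONDS = 15 * 60   # assumed auto-unlock window


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so stolen digests are costly to brute-force offline."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0          # consecutive failed attempts since last success
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class LoginGuard:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[username] = Account(salt, hash_password(password, salt))

    def attempt(self, username: str, password: str, now: float) -> str:
        """Return 'ok', 'denied' or 'locked' for one login attempt at time `now`."""
        acct = self.accounts.get(username)
        if acct is None:
            # Same answer as a wrong password, so the response does not reveal
            # which usernames exist.
            return "denied"
        if now < acct.locked_until:
            # While locked, even the correct password is refused: this is what
            # stops an online brute-force from simply carrying on guessing.
            return "locked"
        if hmac.compare_digest(hash_password(password, acct.salt), acct.digest):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_ATTEMPTS:
            acct.failures = 0
            acct.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"


def run_demo() -> list[str]:
    """Constructed event sequence: three wrong guesses, then the right password
    during the lockout window, then the right password after it has expired."""
    guard = LoginGuard()
    guard.register("alice", "correct horse battery staple")
    events = [
        ("alice", "guess-one", 0.0),
        ("alice", "guess-two", 1.0),
        ("alice", "guess-three", 2.0),
        ("alice", "correct horse battery staple", 3.0),
        ("alice", "correct horse battery staple", 3.0 + LOCKOUT_SECONDS),
    ]
    return [guard.attempt(user, pw, when) for user, pw, when in events]


if __name__ == "__main__":
    print(run_demo())  # ['denied', 'denied', 'locked', 'locked', 'ok']
```

Counting failures per account means anyone who knows a username can trigger a lockout, which is the trade-off a site weighs against the brute-force protection; a time-limited lock, as here, keeps that nuisance bounded rather than requiring a helpdesk call.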

2. The second problem with Internet website credentials is the actual password reset process, especially on e-commerce sites, as the last thing they want is to make it too difficult for their consumers to reach their shopping cart and pay at the checkout. From their point of view, if a customer can’t log in, they can’t spend, so it doesn’t make good business sense to make the consumer password reset process overly difficult when consumers forget their password; yet this introduces a security weakness.

Take Sarah Palin’s (remember her?) online email account, which was easily “hacked” during the recent American election campaign. Why was it easy? Because her password reset question was easily guessable. In this case the password reset question was about her personal history, which just happened to be splashed across the media at the time.

Look at the typical website password reset questions: “What is your favourite colour? What’s your post code? What’s your date of birth? Where were you born? What’s your favourite sport? What’s your dog’s name? What school did you first attend? What university did you attend?” Obtaining your account name and your email address (or guessing them, in some cases), coupled with details about your background, can be enough for a cybercriminal to access your website account. You could find the answers to most of these types of password reset questions using a search engine or on social networking sites. In fact such personal details are sold by cybercriminals.

I saw stats from the Serious Organised Crime Agency which said you can buy a complete package of UK personal data on an individual for £80. Actually, I find from my research it’s a lot less, around £20 per package. What you get for your money, alongside credit card or bank account information, is a full profile: full name, full address, date of birth, educational history and other miscellaneous information, which can include pet names and even children’s details. The bad guys even offer a guarantee that it is correct! So, looking at those typical website password reset questions, you can understand why individual profile information has a lot more commercial value than bank and credit card details, as well as from the identity credit theft angle, where such details can be used to obtain credit fraudulently.

I know of some UK banks which use a single-factor username and password, together with a personal question (e.g. what’s your mother’s maiden name?), to grant access to online banking.

Many websites actually email a new reset password, or even the original password, to the individual. There is one type of website which doesn’t email passwords but displays them on the web page, and that’s web-based email. This is a commonly used technique among hackers: go for control of the target’s web-based email, which ironically then allows them to read the password resets from other websites.

So if the password reset process is too difficult, as with most online bank accounts (not all of them, though!), the more likely the consumer is to write the password down somewhere. Quite often I find users tend to store their website passwords on their PC, usually in a Notepad file or a Word document on their desktop: talk about putting all your eggs in one basket! Sure, this is a different risk from using the same combination of credentials over and over again on different websites, but it still presents a risk. If you must put all your eggs in one basket by storing them, there are ways to store them securely on your PC, which usually involves an application and remembering another username and password!

Another method often used is to have the web browser store usernames and passwords, so that they automatically populate the credential fields on the website. Again, not the best policy, especially if the PC is shared or in a cyber café. Credentials held in the browser cache are not usually stored encrypted and can be easily recovered, and some malware applications actually target such information. In fact 95% of malware (viruses, worms, etc.) has one aim, to steal data, with website access credentials at the top of the list. There are many different types of malware attack, which can be as simple as recording a person’s keystrokes and secretly forwarding those details on, and there is even malware which will scan for files and documents matching the profile of holding account and password details. It’s not too hard: go to your search box and search for “password”, for example.

In the corporate world, for some reason people like writing passwords on Post-It notes and sticking them to their monitors; another place to check is under the keyboard, which is a favourite of IT folk for some reason.

1. Use different passwords for different sites. Especially ensure you use unique passwords for highly sensitive websites, such as your online banking and any e-commerce websites which store your payment card information.

2. If you need to store your array of passwords, ensure they are stored encrypted. You could use a “password vault” application, or encryption software such as TrueCrypt or PGP to create an encrypted file or folder.

3. Be careful setting your password reset questions.
Good systems let you set your own question. If yours does, ensure it is a question that no one else could guess.
TIP: If a friend or close relative doesn’t know the answer to your question, then it’s a good password reset question.

If the system uses bad password reset questions, such as “What’s your first school?”, lie in the answer and put something different that you will remember, but make sure you can remember that lie!

In the corporate world it is best practice to change your passwords every 90 days; however, most people never change their online passwords. But if you can find the time, try to change your website passwords on an annual basis.
TIP: Pay particular attention to older passwords on systems which tend to use poor password complexity requirements, meaning they can be brute-forced or guessed.

4. Ensure your anti-virus is enabled and up to date. 95% of malware (viruses, worms) collects information, especially website login credentials, which can be collected from the browser cache (stored passwords) or by monitoring what’s typed by the user (known as a key logger). Keeping your anti-virus up to date will help keep such malware at bay.


Gaell said...

I recently came across your blog and have been reading along. I thought I would leave my first comment. I don't know what to say except that I have enjoyed reading. Nice blog. I will keep visiting this blog very often.


Dave Whitelegg CISSP said...

Many Thanks

Ben W said...

Do you have sources? I’m curious where I could find stats for things like people's use of “(Typically we are talking in the excess of) 30 different websites”. THANKS