Hurricane Labs

Basically, Password Strength Doesn’t Matter

The other day a friend of mine decided that it should be International Password Awareness Day. What an amazing idea and what should be the start of a movement for better passwords everywhere.

“I am declaring today as International Password Awareness Day. After being in InfoSec for almost 20 years I have found that the single worst problem we have created is poor password hygiene. Not only do we make terrible passwords, we allow others to make even worse ones without holding them accountable. So let’s all take a moment today to fix that. Change your password , ask your family, friends and coworkers to change theirs.”
– Chris Nickerson

Although that may be a profound declaration, I know my enthusiasm can get ahead of me sometimes. In taking a step back, I have come to realize that password strength still won’t really matter. Passwords are simply not enough when it comes to the shear amount and sensitive nature of the data we have in cyberspace today.

What we need to see more of is public-using services, so people can take advantage of Two-Factor as a method to strengthen the login process. This can be extremely important to the level of security surrounding whatever information needs to be protected.

Read on for more information or check out the screencast below for a visual walk-through of this blog post!

The Trifecta of 2-Factor Methods

Two-Factor Authentication is a method of identifying individuals by using two separate methods. Authentication methods can basically be broken up into three categories:

1. Something you are: A unique part of your body.
   1. Biometric (fingerprint, retina scan)
   2. Voice
2. Something you have: A physical device that you would carry in your wallet or on a keychain.
   1. Physical token
   2. Soft token
   3. Card with magnetic strip
   4. RFID card
   5. Phone (sms/app/phone call)
3. Something you know: A thing you can remember or keep in a safe place.
   1. Password
   2. Passphrase
   3. Pattern
   4. Pin

 Please, Implement 2FA BEFORE the Breach

On top of doing your best to increase password complexity, 2FA is an essential part of your defense in depth strategy – not just a bandaid for a compliance checkmark.

2FA is not a new concept. It was patented in 1984 by Kenneth P. Weiss and has been slowly gaining popularity throughout the years. One of the first widely adopted methods of 2FA were the card and PIN at ATMs. Now that the need to protect so many digital assets has grown we are struggling to implement it in environments and software that may or may not be backwards compatible.

However, there have been surprising amount of companies and services that decided to implement 2FA after a large scale or high visibility breach. Shown below is the widely known AP Twitter hack that brought the stock market down in April of 2013.

Twitter started offering 2FA in August of that same year, less than four months later. While you can argue that this specific hack may have occurred regardless, being a phishing attack, it’s still likely that 2FA could have lended a hand in preventing it.

Betcha J.P. Morgan Wishes They Had Heeded this Advice

One more thing I want to note, is the importance of securing endpoints and having a thoroughly secure infrastructure in place. There have been major instances, J.P. Morgan’s large scale breach in 2014 is an example, where attackers were breaching the architecture, not the authentication mechanism.

In the J.P. Morgan Breach, the names, addresses, phone numbers and e-mail addresses of 83 million account holders had been exposed in one one of the biggest data security breaches in history. Their major mistake? The foothold the attackers had gotten was on a server that had been looked over and didn’t have two-factor authentication enabled.

Let’s Take a Look at Another Real Threat Example

There are various ways that 2FA may fail to be the necessary security blanket, especially when it comes to poor implementation. Let’s look at an example.

Company A decides that they want to implement 2FA by using the push notification or “phone call” method. A criminal (or pentester) comes along to break in by utilizing phishing tactics, (which can possibly be combined with the use of passwords from a recent breach), or a password brute forcing technique.

Somehow they end up with a legitimate username/password combo, but they should be stopped from authenticating because of the 2FA… right? Not in this case. Although the user does get the usual alert, the notification doesn’t tell the user what they’re supposedly logging into. As a force of habit they acknowledge the alert and press the # key. Boom. The bad guy or pentester is in.

What Can We Implement That isn’t Going to Leave Us Exposed?

In the example above, “technically” it is 2FA and Company A can put a checkmark in the compliance box; however, it’s still an incorrect implementation and they’re still not leveraging the security potential of the software.

PIN creation is usually the option for a secondary form of authentication. This would be a more secure option, as there is not only the reliance on an action, but also the form of authentication that one individual is in possession of. But, is this fool proof?

This is still not a fully secure option. It’s still possible a keylogger could be used to take control of their second authentication PIN, as well as their username and password. Securing endpoints against Remote Code Execution (RCE) will be a large contributing factor to stopping these type of attacks.

Be proud of companies who are moving forward with software fixes. I watched a recent presentation by Josh Stone called “Practical Attacks Against Multifactor”. He worked with Duo Technologies (A well-known provider of  2FA solutions) to fix a vulnerability in how one of their methods handled the authentication traffic. Soon thereafter, they came out with a feature update that allowed the “double push” issue that Josh had found to be remediated as an opt-in. See more information on this here: “Practical Attacks Against Multifactor” presentation by Josh Stone (via YouTube).

Summary

The bottom line is that passwords alone are weak and adding 2FA can create another more secure layer that isn’t too difficult to deal with. Two-Factor Authentication is just another piece of the security puzzle. It’s not the savior for all of our security problems, but it is an essential part of your Defense in Depth strategy.