Posts Tagged ‘single sign-on’

By now one would hope that the worst of the Heartbleed crisis is behind us. All the servers should be patched, new certificates generated and passwords changed, right? The answers are: probably, hopefully and unlikely, respectively. Compromised passwords are still floating around in the ether so if you haven’t fixed them, do so.

But what about the next Heartbleed? One thing that is about as sure as death and taxes is that there will be another massive vulnerability that will, no doubt, expose millions of user accounts. So, do we just sit tight and wait for the oncoming storm, or is there a preemptive strike you can make now to lessen the likelihood it will impact you in a big way?

I think there is and it’s the subject of my recent post to the IBM Security Intelligence blog. Take a read through it and stay safe.

I got a question recently from Tyler Dukes at the Raleigh News & Observer related to work on the “Stump the Geeks” column. A reader had developed his own, rather elaborate scheme for assigning unique passwords for each web site (a laudable goal). Here’s what he wrote:

Q. I’ve developed a method for creating IDs and passwords so I can store them without any encryption or hacking worries. I do the following:

1. I always use a base user ID such as MYUSERIDn and password as MYPASSWORDnn.

2. I simply change the “n” to any number for the ID and the “nn” to any number for the password.

3. Now I can store a Web site ID and password as, for example, “Macy’s 522.”

Say Macy’s wants me to set up a user ID and password. I would create my ID as MYUSERID5 and my password as MYPASSWORD22. Now I can bookmark the Macy’s Web site described as “Macy’s 522.” If you don’t know my basic structure, the “522” means nothing. My actual IDs and passwords are more complex than this example, but the concept is the same.

Am I lulling myself into a false sense of security, or is this scheme a viable solution?

The short answer to the first question is “yes.” Nice try, but there are some problems with this approach.

The article in the paper summarized some of the issues but I thought I would go ahead and put out my full answer here…

The password scheme described is certainly better than using the same password for every system, but not something I would feel comfortable hanging my hat on. First, since only letters and digits are used, the number of combinations an attacker has to try in a brute force attack (i.e. trying every possible password) is far smaller than it would be if special characters (e.g. *, &, !, %, $) and mixed-case letters were also used. Second, the passwords are not so long that such an attack couldn’t be completed in a reasonable amount of time, and a base built from a dictionary word falls to a dictionary attack long before a blind brute force is even needed. The key to better security with passwords is length and randomness: ideally a mixture of cases, letters, digits and special characters chosen at random. These should also change every few months and not be reused on other systems. The bigger problem with any scheme that shares a base across sites is that if someone discovers your password on one system, they learn the pattern and then only have to try the handful of numeric variations to get into every other site you use it on.

Of course, the problem with doing what I just recommended above in terms of password complexity is that, in general, making a password hard to guess, also makes it hard to remember. Rather than writing passwords down, which introduces yet further risks, it’s best to either use a password storage “vault” or, better still, a single sign-on tool that combines the vault with a capability to automatically enter the password for you. With this sort of software all you need to do is keep up with one complex password (rather than many) and then the program does the heavy lifting of generating strong, unique, random passwords that you never even have to know.
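To put some numbers on the two objections above (how big the guess space really is, and what is left of it once one site leaks the fixed base), here is an added example in Python. It is not from the column; it reconstructs the reader’s scheme from his description as a fixed base word plus two digits, so the base “MYPASSWORD” and the two-digit, zero-padded suffix are assumptions. The generator at the end does what a vault does for you: it draws each character from a cryptographic random number source.

```python
"""Added illustration (not the column's own code) of the two objections above:
how many guesses a scheme really costs an attacker, and what is left of that
once one site leaks the fixed base.  The reader's scheme is reconstructed from
his description as BASE + two digits; the exact base and width are assumptions."""
import math
import secrets
import string

ALNUM = string.ascii_uppercase + string.digits          # what the reader's scheme draws from (36 symbols)
FULL = string.ascii_letters + string.digits + "*&!%$"   # mixed case plus the post's sample symbols (67)


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Work for a blind brute force, in bits: log2(alphabet_size ** length).
    This is the optimistic view: it ignores that MYPASSWORD is a dictionary word."""
    return length * math.log2(alphabet_size)


def suffix_guesses(base: str, digit_slots: int = 2) -> list:
    """Candidate list an attacker tries on every other site once one leaked
    password has revealed the base: MYPASSWORD00 .. MYPASSWORD99 (assumed width)."""
    return [f"{base}{n:0{digit_slots}d}" for n in range(10 ** digit_slots)]


def generate_password(length: int = 16, alphabet: str = FULL) -> str:
    """What a vault does for you: each character drawn from a CSPRNG, so the
    result is unique per site and carries the full keyspace_bits() of entropy."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare(reader_password: str = "MYPASSWORD22") -> dict:
    """Bits of work under each assumption, for the post's example password."""
    n = len(reader_password)
    return {
        "blind_brute_force_alnum": keyspace_bits(len(ALNUM), n),        # ~62 bits
        "blind_brute_force_full_charset": keyspace_bits(len(FULL), n),  # ~73 bits at the same length
        "after_one_site_leaks_base": math.log2(len(suffix_guesses("MYPASSWORD"))),  # ~6.6 bits: 100 guesses
        "generated_16_chars": keyspace_bits(len(FULL), 16),             # ~97 bits
    }


if __name__ == "__main__":
    for k, v in compare().items():
        print(f"{k:32s} {v:6.1f} bits")
    print("vault-style password:", generate_password())
```

The “after one site leaks” row is the one that matters: a twelve-character alphanumeric password looks like 62 bits of work, but once the base is known the attacker needs at most 100 attempts per site, well within any login rate limit.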

Finally, for even better security, a second mechanism can be added to the password (“something you know”). In this case you would also be challenged to prove that you have some unique device in your possession (“something you have”) or some physical characteristic unique to you (“something you are”). The latter involves biometrics such as fingerprints, retinal scans, voice recognition and the like. The former is perhaps more practical in many cases if the thing you “have” is something you are likely to keep with you most of the time anyway, such as a cell phone. This sort of two-factor authentication would involve logging in with your userid and password as always and then facing a second challenge, such as entering a one-time PIN that has been sent as a text message to your phone or entering a temporary code that has been generated by an app on the phone (the app and the site share a secret set up at enrolment, so the site can compute the same code and check it). Google, Facebook and others offer this sort of scheme. Twitter, at this point, does not, although there are reports that this capability will be coming in the not too distant future. When it does, I would recommend that this option be considered since it could have prevented the sort of situation that has been seen with a number of high profile Twitter feeds.
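As an added illustration (not part of the original column): the “temporary code generated by an app on the phone” is, in practice, a time-based one-time password (TOTP, RFC 6238), an HMAC of a 30-second time counter under the secret shared at enrolment, truncated to six digits. The Python below implements both the phone side and the site’s check, including a small clock-drift window and a replay guard. The secret is the RFC’s published test key, not something anyone should enrol with.

```python
"""Added example, not code from the original post: a minimal RFC 6238 TOTP,
the mechanism behind authenticator apps.  Phone and site share a secret at
enrolment; each computes HMAC-SHA1(secret, floor(now / 30)) and keeps six
digits of it.  RFC_SECRET is the RFC 4226/6238 test-vector key."""
import hashlib
import hmac
import struct
import time

STEP = 30      # seconds per time step
DIGITS = 6
RFC_SECRET = b"12345678901234567890"   # published test key; never enrol with it


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then the
    'dynamic truncation' that picks 4 bytes at the offset given by the last nibble."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int) -> str:
    """Phone side: RFC 6238 TOTP is HOTP with counter = floor(unix_time / STEP)."""
    return hotp(secret, at // STEP)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1, last_used: int = None):
    """Site side.  Accept the current step or up to `window` steps either side
    (clock drift), compare in constant time, and never accept a step at or
    before `last_used` so a sniffed code cannot be replayed inside the window.
    Returns the accepted step (store it as the new last_used) or None."""
    counter = at // STEP
    for c in range(counter - window, counter + window + 1):
        if last_used is not None and c <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, c), code):
            return c
    return None


if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC_SECRET, now)           # what the app would display
    print(code, verify_totp(RFC_SECRET, code, now))
```

The SMS variant the post also mentions has no shared-secret arithmetic at all: the site simply generates a random PIN, stores it briefly and texts it, which is why it depends entirely on the phone network not being intercepted or the number not being ported away.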

Since the time I wrote that Twitter has, indeed, come out with a two-factor authentication scheme — a welcome and long overdue enhancement. It’s not perfect but it is an improvement. If you use Twitter, you might want to take a look.

In perhaps the least shocking news you will hear all day, “password” is really not a great authentication secret for online accounts. Unfortunately, not enough people seem to realize this as, yet again, it topped the list of most popular passwords according to SplashData, which analyzed results from some of the highest profile security breaches of 2012. Here’s the top 5:

1) password (#1 in 2011 as well)
2) 123456
3) 12345678
4) abc123
5) qwerty

No real surprises there. The next 5 are a bit more curious:

6) monkey
7) letmein
8) dragon
9) 111111
10) baseball

OK, so “111111” is easy to type and “baseball” is the national pastime and “letmein”, well, that’s what you’re trying to do when you enter a password, so I get all of that, but “monkey”? Really? Maybe it’s best I don’t know…

Another interesting one came in at #12 and it was “trustno1”, which sounds like pretty good advice on one level but apparently the paranoia has reached such a level that it now causes a significant number of people to choose it as their authenticator.

Once again, I think this makes the case for single sign-on tools which can automatically generate strong, random passwords that they manage so you don’t have to break out the yellow sticky pads and post your secrets around the edge of your monitor…

What do LinkedIn, eHarmony and Yahoo all have in common? Other than the fact that all three are popular web sites with millions of users, they also share the ignominious distinction of having recent security breaches where massive numbers of passwords have been compromised.

As I wrote here recently, LinkedIn, a professional networking site, had an exposure of about 6 million passwords. The good news was that the passwords were hashed, which means they were run through a one-way function (not encryption, strictly speaking, since there is no key and nothing to decrypt) whose output can’t easily be reversed to the original password, if done correctly. The problem is that the hashes weren’t salted, which makes them less delicious — I mean, less secure.

Salting involves adding a random value, different for every user, to the password before it is hashed, so that two users with the same password get different hashes and an attacker can’t hash a wordlist once and compare it against the whole leaked table. This makes life harder for crackers (no, not the edible kind but the ones who recover passwords from leaked hashes), who then must repeat the entire guessing effort separately for every account rather than once for all of them.

So, all that stuff you’ve been hearing about cutting back on salt may or may not be great advice from a medical standpoint (that’s a debate for another blog) but scrimping on the salt when it comes to password hashing is definitely bad for your online identity’s health.

Then along comes eHarmony who not only skipped the salt, they also chose a fast, weak hashing algorithm (MD5) and, if that weren’t enough, converted all passwords to upper case before hashing them, collapsing every mixed-case variant into a single candidate and shrinking the attacker’s search space dramatically.

Not to be outdone, Yahoo Voices, which currently holds the lead in this race to the bottom, not only did away with the salt, they didn’t bother with hashing either. That’s right — the passwords were actually stored in the clear and, ultimately revealed to all.
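Here is an added example, not from any of these posts, that walks the three storage choices just described in Python: a fast unsalted hash cracked with a single lookup table, the same store with eHarmony-style case-folding, and a per-user salt with a slow key derivation function. The user table and the attacker’s wordlist are constructed for the demo; the hash choices are the ones the posts name, and the PBKDF2 iteration count is kept low so the example runs quickly.

```python
"""Added example (not the posts' own code) of the three storage choices above:
a fast unsalted hash with a shared lookup table, the same with case-folding,
and a per-user salt with a slow KDF.  USERS and WORDLIST are constructed."""
import hashlib
import hmac
import os

# Constructed "leaked" user table; alice and bob differ only in case.
USERS = {"alice": "Baseball", "bob": "baseball", "carol": "Tr0ub4dor&3"}
# Constructed attacker wordlist, in the spirit of the SplashData top-25.
WORDLIST = ["password", "123456", "baseball", "monkey", "letmein"]
ROUNDS = 20_000   # PBKDF2 iterations for the demo; production uses far more


def store_unsalted_md5(pw: str, upper: bool = False) -> str:
    """eHarmony-style: MD5, no salt, optionally upper-cased first."""
    if upper:
        pw = pw.upper()
    return hashlib.md5(pw.encode()).hexdigest()


def leak_unsalted(upper: bool = False) -> dict:
    """What the attacker gets from an unsalted store."""
    return {u: store_unsalted_md5(p, upper) for u, p in USERS.items()}


def crack_unsalted(leaked: dict, upper: bool = False) -> dict:
    """One hash per wordlist entry builds a table that cracks every user at
    once; identical passwords share identical hashes, so they fall together."""
    table = {store_unsalted_md5(w, upper): w for w in WORDLIST}
    return {u: table[h] for u, h in leaked.items() if h in table}


def store_salted(pw: str, salt: bytes = None) -> tuple:
    """Per-user 16-byte random salt, then PBKDF2-HMAC-SHA256 (a slow KDF)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ROUNDS)


def verify_salted(pw: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so verification leaks nothing about the digest."""
    return hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ROUNDS), digest)


def leak_salted() -> dict:
    """What the attacker gets from a salted store: (salt, digest) per user."""
    return {u: store_salted(p) for u, p in USERS.items()}


def crack_salted(leaked: dict) -> tuple:
    """No shared table is possible: every candidate must be re-derived per
    user, so the cost is len(WORDLIST) * users, each at ROUNDS iterations."""
    found, kdf_calls = {}, 0
    for u, (salt, digest) in leaked.items():
        for w in WORDLIST:
            kdf_calls += 1
            if verify_salted(w, salt, digest):
                found[u] = w
                break
    return found, kdf_calls


if __name__ == "__main__":
    print("unsalted MD5:        ", crack_unsalted(leak_unsalted()))
    print("unsalted MD5, upper: ", crack_unsalted(leak_unsalted(True), True))
    print("salted PBKDF2:       ", crack_salted(leak_salted()))
```

Two things to notice when it runs: with case-folding, alice’s “Baseball” is recovered from a wordlist that only contains “baseball”, and her hash is byte-for-byte identical to bob’s; with a salt, the same wordlist still finds bob, but only after a separate slow derivation for every user, and nothing about alice’s entry reveals that she chose the same word in a different case.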

Yahoo’s position that this really isn’t that big of a deal since most of the accounts were dormant misses the larger issue and that is that, human nature being what it is, people tend to opt for the path of least resistance and use the same password for many (if not all) of their online accounts. This means that if I know what your Yahoo, eHarmony or LinkedIn password is, I’ve got a pretty good idea what the password is to your Gmail account, your bank account and so on.

The lesson here is that everyone should be using some sort of single sign-on or password storage manager so that they can maintain a unique set of randomly chosen, hard to guess, passwords for every site they visit and if you are on the IT side of things maintaining a store of user passwords, by all means, don’t skip the salt…

As I’m sure many of you have heard, the popular, business-oriented social networking site, LinkedIn.com, had a security breach recently that resulted in exposing about 6 million of its users’ passwords. You might be thinking, what’s the big deal?

  1. I don’t store anything all that sensitive on my LinkedIn account and
  2. even if I did, why would anyone want to target me?

The first issue that many fail to appreciate is that most people use the same password for more than one site. In fact, many use the same password for every site. This is a problem since it means that if I know your LinkedIn password, I probably also have a pretty good idea what your email password is. And if I can get into your Gmail account, for instance, then I can also go to your banking site and request a new password be emailed to your account, which I now control.

Furthermore, I can change all these passwords to one of my choosing and then you can’t get in to fix the problem either. Then it’s game over and you are forced to deal with a sea of faceless support centers for each site trying to gain back control of your digital persona. Since many of these services are free, the support you get is worth about as much as you paid for it, if you know what I mean.

As to why you would be targeted for such an attack? Because you exist. Hackers don’t only go after famous people just as identity thieves don’t restrict themselves to only millionaires.

So, what can you do?

  • First of all, you should probably change your LinkedIn password today. Even if you weren’t one of the 6 million compromised accounts, why wait for the next breach?
  • Second, change other passwords to key accounts like your email, bank, credit card and merchant sites that might have payment details stored for you.
  • Third, choose good passwords that can’t be easily guessed or cracked through dictionary or brute force attacks, which leads to …
  • Fourth, use a password storage vault or single sign-on software to keep track of all your passwords. These tools allow you to generate strong, hard to guess passwords that are unique for every site and only require you to remember one strong master password to unlock the vault.

If you are trying to do this for an entire organization, consider a centrally managed, enterprise class tool like IBM Security Access Manager for Enterprise Single Sign-On, which automatically enters userids and passwords when logon fields pop up, allows you to set policies for all your users and supports resetting lost passwords and shared workstation support with fast user switching.

If you want a simple, free tool to keep track of passwords on a single system, one that requires you to copy and paste stored passwords manually from the vault, the open source Password Safe project hosted on SourceForge is one of many options.

Also, there are other options that range somewhere in between for a range of prices supporting a variety of platforms. Whatever you choose, just try to make sure it comes from a legitimate source. The worst case scenario would be to store all your passwords in one tool that sends all your info to an attacker.

OK, so now you just think I’m being paranoid, right?

In keeping with the theme of the previous post, I was recently asked by Tyler Dukes of The News & Observer, who writes the biweekly “Stump the Geeks” column, to comment on issues with choosing good passwords. Here’s a link to the article below:

http://www.newsobserver.com/2012/03/19/1935703/passwords-are-still-securitys.html#storylink=misearch

Due to space considerations, a lot of what I wrote didn’t make it past the editor’s knife so I’m posting here my larger response so you can see what didn’t make the paper and, hopefully, get a better sense of my thinking in this area…

Ideally you would want each password to be chosen randomly and comprised of a mixture of upper and lower case characters along with a few numbers and special characters like *!%$ thrown in for good measure. Also, it is best not to use the same password on any other system, so that if it does become compromised the damage is limited. Finally, it should be changed at regular intervals such as every 90, 180 or 365 days, depending upon the risk involved with the information being protected.

All this is to make the password hard to guess. The problem is that things that are hard to guess often tend to be hard to remember, which is why people naturally bristle at such guidance.

I think the best compromise is to use password storage or single sign-on software. These tools can generate strong, random passwords that are unique for each system they will be used to log into and only require the user to remember a single password to unlock the password storage “vault.” I have literally hundreds of passwords — all unique and none that I actually know, but with tools like these I only need to keep up with the one password that unlocks the tool and it keeps up with the rest.

IBM sells a product called Tivoli Access Manager for Enterprise Single Sign-On that I work with that is designed to do this for an entire organization’s user population. There are consumer products as well that are both free and fee-based. One nice freebie that I have used is Password Safe, which is an open source tool available from SourceForge.net. Still other tools offer to save your passwords on a shared system (i.e. in the cloud), which is convenient if you need them to be available across multiple systems. Just bear in mind that when you store your passwords on someone else’s system then you are totally at the mercy of how good a job they do with their security and, in most cases, there is no way for you to verify if their claims of using strong encryption and the like are valid or not.

As with all such decisions, there’s a trade-off between security and convenience and the answer will be different for different people depending upon their tolerance for risk and their understanding (or lack thereof) of that risk.