Darkness Lies Directly Under the Candle

Far too often, we fail to see the obvious weaknesses in our defenses. Over 50 million consumer passwords have been reported stolen in 2012 alone in highly visible ‘smash and grab’ attacks. Yahoo, LinkedIn, Zappos, eHarmony…the list goes on. This is the equivalent of robbery in broad daylight. How did we as an industry let this happen? The answer reminds me of the title of this post, an ancient saying that has rung true for ages.

First, let’s give credit where it is due. Website operators have been proactive in shoring up their defenses, including:

  • Web application firewalls and a variety of network defenses to thwart attacks
  • Advanced forensic tools to detect and trace malicious activity
  • Multifactor and risk-based authentication tools to augment the quality of authentication provided by passwords

But the simple truth is that good old passwords remain at the foundation of this multi-layered defense. We failed to ask a simple question: ‘Are the passwords properly secured where they are stored?’ We have the equivalent of a digital motion-sensing alarm at the front door while the back door is secured with string. Why? Because the technology used to protect the stored passwords has become outdated. Several websites simply hash passwords, while some store salted hashes. The current state of the art in cryptography and the compute power readily available to attackers have made it possible to crack 100,000 passwords in a matter of hours using inexpensive hardware. Hashing and salted hashing are no longer adequate protection for stored passwords, and attackers have taken full advantage of these advances to bring down the outdated defenses protecting them.

Granted, individual passwords are often weak, and phishing attacks continue to threaten the security of the individual user. But the threat of en masse theft of millions of passwords is even bigger and too grave to be left unaddressed. The impact of a realized threat is high because users tend to reuse the same passwords across multiple websites, so the compromise of one website can very quickly lead to multiple other websites falling like dominoes. The damage done to consumer confidence and to the brands of consumer-facing businesses is too high to measure.

Passwords are not going away any time soon.  They are convenient and they are everywhere.  Consumer websites will continue to use passwords for a long time to come although we will try as an industry to foster adoption of other stronger authentication methods.  We have to solve the problem of unprotected passwords decisively and immediately.

At RSA, we have a legacy of innovation in authentication including PKI, multi-factor authentication techniques and layered risk-based authentication. We continue to innovate in those fields, but we felt it necessary to take a step back and deliver a strong solution for protecting stored passwords. This is why we announced RSA Distributed Credential Protection last month at RSA Conference in London. This is a product developed at RSA based on patented innovation from cryptographers at RSA Labs. The technology behind the product employs the proven methods of threshold cryptography but applies them in practical ways to essentially split passwords into multiple random pieces stored on secure servers. The key innovation is that passwords can be authenticated at runtime by the secure servers without any need for the passwords to be reassembled.

With this simple solution, websites will be able to split their passwords across multiple locations and security domains. An attacker would have to compromise and gain access to all of the servers to gain access to the passwords. With proper separation of security domains and networks, this would be very difficult. We make it even harder by offering the option to periodically re-randomize the stored password pieces, which further shrinks the window of time within which the attack has to be completed.
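To make the split-and-verify idea concrete, here is an added illustration (my own code, not RSA's product code and not RSA Labs' published protocol) of a two-server scheme in the spirit of the two paragraphs above: the password-derived value is held as two random multiplicative shares in a prime-order group, a login attempt is split the same way, and the two servers run a blinded equality test that tells them only whether the attempt matches, with neither server ever holding the whole value. It also shows the periodic re-randomization, after which a share captured earlier no longer pairs with a current one. Assumptions: the RFC 3526 2048-bit MODP group as the arithmetic setting, SHA-256 over a per-user salt as the password mapping (a deployment would put a slow KDF there), and in-process dictionaries standing in for the two servers and the front end; the names ShareServer, enroll, authenticate and rerandomize are mine.

```python
"""Two-server split-password check (added illustration, not RSA product code).

A password-derived group element E is never stored.  Server A and server B
hold random shares a, b with a * b == E (mod p).  A login attempt is split the
same way, and a blinded equality test reveals only match / no match.
"""
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass, field

# RFC 3526 group 14 (assumed parameters): p = 2q + 1 is a safe prime and
# g = 2 generates the subgroup of prime order q.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
Q = (P - 1) // 2
G = 2


def _inv(x: int) -> int:
    return pow(x, -1, P)


def password_element(password: str, salt: bytes) -> int:
    """Map a password to g^h with h = SHA-256(salt || password) mod q (toy KDF)."""
    h = int.from_bytes(hashlib.sha256(salt + password.encode("utf-8")).digest(), "big") % Q
    return pow(G, h, P)


def split_element(element: int) -> tuple[int, int]:
    """Random shares (a, b) with a * b == element (mod p); each share alone is uniform."""
    b = pow(G, secrets.randbelow(Q), P)
    a = element * _inv(b) % P
    return a, b


@dataclass
class ShareServer:
    """One credential server; it stores only its own share for each user."""
    name: str
    shares: dict[str, int] = field(default_factory=dict)


def blinded_equal(d_a: int, d_b: int) -> bool:
    """Do A's value d_a and B's value d_b agree?  Neither side sends its value in the clear:
    the wire carries d_a^alpha, d_b^beta, d_b^(alpha*beta), d_a^(alpha*beta).  In a group of
    prime order q the last two coincide iff d_a == d_b; on a mismatch each side sees only
    random-looking elements."""
    alpha = 1 + secrets.randbelow(Q - 1)   # A's secret blinding exponent
    beta = 1 + secrets.randbelow(Q - 1)    # B's secret blinding exponent
    u_a = pow(d_a, alpha, P)               # A -> B
    u_b = pow(d_b, beta, P)                # B -> A
    v_a = pow(u_b, alpha, P)               # A -> B: d_b^(alpha*beta)
    v_b = pow(u_a, beta, P)                # B -> A: d_a^(alpha*beta)
    return v_a == v_b


def enroll(front: dict, srv_a: ShareServer, srv_b: ShareServer, user: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    front[user] = salt                     # the front end keeps only the salt
    a, b = split_element(password_element(password, salt))
    srv_a.shares[user] = a
    srv_b.shares[user] = b


def authenticate(front: dict, srv_a: ShareServer, srv_b: ShareServer, user: str, attempt: str) -> bool:
    a2, b2 = split_element(password_element(attempt, front[user]))
    d_a = srv_a.shares[user] * _inv(a2) % P      # A computes a / a' locally
    d_b = b2 * _inv(srv_b.shares[user]) % P      # B computes b' / b locally
    # E / E' == (a/a') * (b/b') == d_a / d_b, so E == E' exactly when d_a == d_b.
    return blinded_equal(d_a, d_b)


def rerandomize(srv_a: ShareServer, srv_b: ShareServer, user: str) -> None:
    """Refresh both shares with a jointly chosen factor; the product is unchanged,
    so a share stolen before the refresh no longer pairs with the current one."""
    s = pow(G, 1 + secrets.randbelow(Q - 1), P)
    srv_a.shares[user] = srv_a.shares[user] * s % P
    srv_b.shares[user] = srv_b.shares[user] * _inv(s) % P


if __name__ == "__main__":
    front, A, B = {}, ShareServer("A"), ShareServer("B")
    enroll(front, A, B, "alice", "correct horse battery staple")   # constructed sample
    print("right password:", authenticate(front, A, B, "alice", "correct horse battery staple"))
    print("wrong password:", authenticate(front, A, B, "alice", "Tr0ub4dor&3"))
    rerandomize(A, B, "alice")
    print("after refresh: ", authenticate(front, A, B, "alice", "correct horse battery staple"))
```

The point to take from the code is what each party ever sees: the front end holds a salt, each credential server holds one share that is uniformly random on its own, and a login attempt costs each server one comparison that is answered with a single bit, so guessing is forced online and can be rate-limited at both servers.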

This simple but powerful technique strengthens security where it really matters – at its foundation – where the passwords are stored. Ultimately, the goal is to stay one step ahead of the attackers. With RSA Distributed Credential Protection, we can raise the cost of attack exponentially.

There is no better alternative to a layered defense. We must secure both the ‘front door’ (multi-factor and risk-based authentication, fraud detection, application firewalls) and the ‘back door’ (stored passwords, privileged users/insiders, software security). As an industry, we have spent a disproportionate amount of our time on the front door. With RSA Distributed Credential Protection, we hope to close the back door to the passwords and keep it shut tight!

***This blog was contributed to the Identity and Data Protection Beat by Nirav Mehta.***