Everyone hates passwords. Cybersecurity practitioners hate them because users choose weak and easy-to-guess passwords, reuse them across sites and applications, and share them with friends/coworkers/family members. Plus, adversaries can easily social engineer passwords out of account holders, causing problems for the security team. Users hate passwords because having to come up with and remember hundreds of them (which is now practically a necessity for everyday life) is problematic; users’ office IT policies might enforce annoying requirements (e.g., passwords must be changed every 30 days); every different site or app mandates different password requirements (e.g., “maximum of 12 characters,” “no special characters allowed”); and because though security pros drone on about the necessity of strong, unique passwords, consumers watch as their accounts get compromised through the providers they rely on—even if they’ve abided by the provider’s password requirements.
Passwords have been around for centuries. They have been adapted for our digital world, but there is nothing new about passwords, and nothing new about how easy they are to compromise (exhibit 1: “Passwords for Chocolate”). However, while it takes a crafty individual to spoof another’s physical identity offline, no one on the internet knows if you’re a dog (You know what I mean…). Because digital identities are trivial to find and mimic (for a lot of us, our “identity” is our username, which often is our email address, which frequently includes at least part of our legal name), account holders need both identification and verification to access their accounts. This means (in this day and age, at least) the use of passwords.
To address the too-many-passwords problem and provide more convenience to users, various browsers have rolled out password storage features, A.K.A., that annoying pop-up that appears when you type a password into a form on Chrome, Safari, Opera, or the like. Though the browser providers are well-intentioned, the truth is that browser password storage is a convenience feature, not a security feature. As such, the storage mechanisms in most browsers were not designed to securely handle passwords, says Paul Asadoorian, Founder and CEO of Security Weekly Productions. This isn’t a slight on those developers, he says. The goal of the providers wasn’t to create a security tool; it was to attract more users.
Managing passwords ≠ secure password management
Unfortunately, the objective of the tool has been misconstrued by consumers and some security pros alike, leaving a false sense of security. Adversaries have used this to their advantage. In 2016, Opera confirmed a breach against Opera sync, its password-saving tool, and other browser vulnerabilities have been widely reported. Further, Asadoorian adds, utilities to unlock browser password vaults can be found and purchased online. They’re the same utilities account holders can use if their browser login information is lost or misplaced. One backdoor in a product leaves the entire product insecure. Yet, many people still use browser password vaults to store the passwords that are meant to protect their accounts.
The vault, itself, is therefore untrustworthy, but there’s another concerning element that is often overlooked, according to Asadoorian: “All websites are run on a browser, and they’re all executing code from who-knows-where. The browser is essentially executing code from every site you visit.” Websites need to execute code to run, and if code is being executed, the possibility of exploiting that code exists. Though browser security has improved over the years, malicious content is abundant. One piece of malware or an infected link/advertisement on the computer of a person who uses browser password storage will allow an attacker the grab the entire password store.
Choose your tool wisely
Asadoorian says that until such time that all sites offer (non-SMS based) two-factor authentication, browser password vaults should not be treated as a security tool. Regrettably, though, security pros might feel that directing users to these vaults is better than having them use (and reuse) “Password1” or “January2018” as account verification. It’s a pick-your-battle situation. However, as most security folks know, there are far better options. Commercial password managers are a great option because most of the big names (LastPass, Dashlane, 1Password, Keeper, etc.) offer free versions that are centered around all device types—meaning users can set up one account that works across their personal computer, work computer, tablet, and mobile phone. Commercial password managers are encrypted and allow the account holder to apply strong passwords and 2FA for every site. For a small fee, users can upgrade to premium packages and receive additional security features like support for physical tokens and multi-factor options.
Until such time that all sites offer (non-SMS based) two-factor authentication, browser password vaults should not be treated as a security tool. @securityweekly #InfoSecInsider #infosec Click to Tweet
Most of the commercial password managers have also introduced business versions which allow for enterprise administrative controls, single sign-on, group sharing, segregation of personal vs. business accounts, and directory integration. How to convince the executive team to budget for an enterprise-wide password manager subscription is beyond the scope of this article, but it’s a conversation that should be in consideration for every security team (if it hasn’t been addressed already).
The future of secure authentication
As it stands, the password advice we have today is pretty weak. Asadoorian asserts that the industry, “will have to invent new methods of validating users using biometric data combined with additional factors such as behavioral data.” He points to NoPassword, a startup company that has impressed him with its innovative approach to identification and verification. Enterprise security practitioners, too, are thinking outside-the-box when it comes to passwords. Jim Routh, CISO at Aetna, has removed traditional passwords and uses behavioral-based authenticators that are powered by machine learning. Amélie Koran, Deputy CIO at the US Department of Health and Human Services, Office of the Inspector General, says that the organization is “working on wrapping up passwordless access to [their] IT environment—currently all desktops are 2FA (PIV cards). We are working on finalizing our derived credentials to enable the same on mobile devices.”
Though the battle to change user behavior and adopt new methods of authenticating is long and hard, it’s a fight worth fighting. At present, allowing employees to use browser password storage introduces unnecessary risks. The good news is that if an employee has already taken the step to store their passwords in the browser, they’re that much closer to becoming comfortable with password managers. If you’ve already moved to more secure authentication, congratulations! We’d love to hear how you’re doing it.
Interested in learning how to defend your enterprise with free and open source tools? Asadoorian will be presenting a session at InfoSec World 2018 in Orlando, Florida, March 19th-21st.