Avast_Blog_ViewPoints: The Authentication Puzzle
Quote:

Producing a secure authentication process that keeps users happy is easier said than done, but it's necessary in order to keep them safe online.

Controlling access is the basis of all security. The right people should be allowed in, and the wrong people kept out. This is done by confirming – or authenticating – the identity of the person seeking access, and then checking that the person is authorized to enter.
 
Authentication is normally achieved by the presentation of a User ID (usually the user’s email address) to identify the person, and a secret password known only to that person to confirm the identity.

But there are huge problems with this process. Fundamentally, it does not authenticate the person; if a criminal acquires and uses the person’s User ID and password, the criminal is automatically authorized to gain access. So, strictly speaking, a password does not authenticate the user, it simply authorizes a device regardless of who is using it.

This basic weakness in password-based authentication has become a continuing disaster caused by the sheer volume of stolen IDs and passwords available to criminals. A race is now on to find or develop a more secure and efficient form of user authentication. We’ll look at some of the options, but will start with an examination of how and why passwords have failed us.

Passwords

Too many, too weak

An analysis by LastPass, published in November 2017, “found the average employee using LastPass is managing 191 passwords. Not 10, not 50 – an average of 191.” It is not realistic to expect users to remember this many passwords or to keep their reminders secure; so, they use and reuse simple passwords. Simple passwords that are most easily remembered are the most common and the most easily hacked. Compare Avast’s list of the 10 worst passwords with the NCSC’s list of the most frequently used passwords among breach victims in 2019, as well as a list of the most used passwords in 2019 from SplashData.
Avast offers advice on how to create a strong password, and also provides a random strong password generator (example: ScuXaiZpdJkjFAb). Even if you do not use the generator, it is worth checking just to see what a strong password looks like – but now imagine having to remember more than 100 of these.

Reusing passwords

Users frequently use the same password across multiple different online accounts to reduce the number they need to remember. This is known as password reuse. It means that if hackers get hold of one password, they have access to all the other accounts that use the same password. A 2018 survey by LastPass found that 59% of users admit to reusing passwords out of fear of forgetting them.

Password theft and use by criminals

A password is only a problem if used to authenticate an unauthorized person; i.e., a criminal. This begs the question, how do criminals get the passwords; and the answer is, ‘all too easily’. Millions are stolen from online services and vendors every week – and there are now billions of passwords for sale or free on the dark web. (Check here to see if yours is known to be among them.)

These passwords should be, and usually are, stored by vendors in a form of encryption known as ‘hashing’. Hashing produces a unique standard-length garbled output that cannot be reversed back to the original. However, criminals have vast tables of pre-computed hash values and the sources (passwords) that produce them. By comparing the stolen hash value with these tables, they can immediately find the source password; and of course, the common and simple passwords are checked first. Cracked! To the tune of hundreds per second.

The second common method of gathering passwords is via phishing. Here the user is socially engineered into handing over usernames and passwords (or full bank details) to the criminal via a false website. These passwords do not need to be cracked because the user delivers them unencrypted.

Either way, the criminal has access to vast troves of username/password pairings. In many cases – hopefully – the user has been made aware that the password was stolen from XYZ.com and has changed or been forced to change it on the XYZ account. However, numerous studies show that users do not often change that password for every other account where it has been reused.

Here the criminals will use a process known as ‘credential stuffing’. They will go to a target website and use automated scripts to test the log-in process with their store of ID/passwords. They do this over a period of time with varying degrees of sophistication to avoid being detected. Most attempts will fail, and the script moves on to the next one and repeats the process until one succeeds. They succeed frequently enough for it to be a serious problem.
...