
Tag: Irresistible

Regular password changes make things worse

Security experts have been saying for decades that human weakness can trump the best technology. Apparently, it can also trump conventional wisdom. Since passwords became the chief method of online authentication, conventional wisdom has been that changing them every month or so would improve a person's, or an organization's, security. Not according to Lorrie Cranor, chief technologist of the Federal Trade Commission (FTC), who created something of a media buzz earlier this year when she declared in a blog post that it was, "time to rethink mandatory password changes." She gave a keynote speech at the BSides security conference in Las Vegas earlier this month making the same point. But the message was not new -- she has been preaching it for some time.

Cranor, who before her move to the FTC was a professor of computer science and of engineering and public policy at Carnegie Mellon University, gave a TED talk on it more than two years ago. She contends that changing passwords frequently could do more harm than good. Not because new passwords, in and of themselves, would make it easier for attackers, but because of human nature. She cited research suggesting that, "users who are required to change their passwords frequently select weaker passwords to begin with, and then change them in predictable ways that attackers can guess easily." This, she said, was demonstrated more than six years ago in a 2009-2010 study at the University of North Carolina at Chapel Hill. Researchers, using passwords of more than 10,000 defunct accounts of former students, faculty and staff, found it much easier to crack new passwords if they had cracked an older one, since users tended to create a new password with a minor tweak of the old one. Those tweaks included changing a lower-case letter to upper case, substituting a number for a letter, such as a "3" for an "e," or simply adding a couple of letters or numbers to the end of the previous password. Cranor said the researchers found that if they knew a previous password, they could guess the new one in fewer than five tries.

A hacker who had also stolen the hashed password file would be able to guess new ones within three seconds -- and that was with 2009 technology. The UNC study is not the only one reaching that conclusion. Researchers at the School of Computer Science at Carleton University in Ottawa, Canada, in a paper published in March 2015, concluded that security advantages of password expiration policies were, "relatively minor at best, and questionable in light of overall costs," for the same reason the UNC researchers found. "(W)hen password changes are forced, often new passwords are algorithmically related to the old [password], allowing many to be found in few guesses," they wrote. And the National Institute of Standards and Technology (NIST), in a draft publication from April 2009 (although it was marked "Retired" this past April), said password expiration policies frequently frustrate users, who then, "tend to choose weak passwords and use the same few passwords for many accounts." Not surprisingly, attackers are very much aware of these vulnerabilities.

The latest Verizon Data Breach Incident Report (DBIR) found that 63 percent of all data breaches involved the use of stolen, weak or default passwords. A report released earlier this month by Praetorian found that four out of the top five activities in the cyber kill chain had nothing to do with malware, but with stolen credentials, thanks to things like weak domain user passwords and cleartext passwords in memory. All of which would seem to be even more ammunition for organizations like the FIDO Alliance, which has been crusading to eliminate passwords entirely since its formation four years ago.

The Alliance has been pitching two passwordless authentication options it hopes will be irresistible to both users and service providers. But even with increasing interest and acceptance of those options, Brett McDowell, FIDO's executive director, has acknowledged that there will be a "long tail" for password use. And during that long transition, he and others say there are multiple ways to improve security that don't involve creating a new password every couple of months that is easier to crack than previous ones. Zach Lanier, director of research at Cylance, cites Apple's TouchID and Google's Project Abacus as mobile options to wean users off passwords, but said passwords are obviously, "still around, and they're likely to be for a bit longer. It's just that they're so 'standard' for people and enterprises, and have been for so long, that it's really hard to make them completely disappear."

In the interim, he said, organizations can improve their password security through a combination of employee training and, "actively testing their authentication mechanisms and auditing users' passwords -- cracking them -- whether it's through internal infosec teams or external firms. In my opinion, it should be both," he said. "This can give the organization a better idea of where things are broken, from people to technology." The users can be brought into this as well, he added, by, "making available the tools to enable, if not force, users to test the strength of their own passwords."

McDowell agrees that education is, "a laudable endeavor, especially to help users avoid falling victim to phishing and/or social engineering attacks." But he said the "shared secret" authentication model is vulnerable to too many forms of attack -- not just social engineering -- hence the need to eliminate them as soon as possible.

Tom Pendergast, chief strategist, Security, Privacy & Compliance, at MediaPro, said organizations can and should have much more rigorous password policies. "Current policies set the bar far too low for complexity in passwords and don't require multi-factor authentication, acknowledged as the best commonly available solution," he said. Lanier agreed. "There are some really awful organizations, sites or services that can't seem to move past the year 1998 with authentication," he said. "Things like not allowing certain characters, or limiting the length of the password to something ridiculously low, all because the developers, database admins, and/or designers are using outdated or deprecated mechanisms." Pendergast said he sees the same thing. "There is plenty of existing technology designed specifically to prevent users from repeating passwords, using common passwords, and enforcing password rules. A surprising number of companies don't use these basic password reinforcement functions," he said. And, Lanier noted that, "password managers are, of course, a huge boon for generating complex passwords without the fuss of having to remember them or write them on a Stickie note. This at least reduces the risk that a person might serialize their password choices. Certainly not a panacea, but for the average person, it's a great idea."

Still, as McDowell noted, even rigorous passwords can't compensate for a person being fooled by a skilled attacker. "Many times, passwords are simply given away in a phishing or social engineering attack," he said. "I saw a recent stat from the SANS Institute that 95% of all attacks on enterprise networks are the result of successful spear phishing." All agree that the weaknesses of human nature mean it would be better to move beyond passwords.

But, as McDowell notes, human nature also requires that whatever replaces passwords must be, "easier to use than passwords alone." "User experience is going to win over security every time, so the key to building a secure password replacement system is to build ease-of-use into its foundation," he said. Until then, Lanier said, organizations should, at a minimum, not rely on passwords alone. "At the very least, if/when that poor password gets cracked or guessed, two-factor authentication raises the bar for the attacker," he said.

This story, "Regular password changes make things worse," was originally published by CSO.

Retailers and manufacturers missing out on billions of dollars in laptop...

Survey shows on average 71% of consumers in US and UK will buy new laptops every two years if offered innovative and irresistible guaranteed future value promotions

Chertsey, Surrey, 22nd August 2016: On average 71% of consumers across the UK and USA will upgrade to a new laptop within two years if retailers guarantee them a rebate of 50 per cent on the original purchase price of their current model, according to a new survey of 1,000 consumers split between the two countries.

This could help reset the decline of the PC market due to longer upgrade cycles and mobile-device cannibalization as mentioned by Intel CEO Brian Krzanich at a recent investor conference.[1]

[Opia survey infographic]

The survey, conducted by polling firm Censuswide for risk-managed sales promotion expert Opia, reveals that 73% of consumers in the US will upgrade if they are made such an offer, along with 69% in the UK. “Guaranteed future value (GFV) offers have huge potential to help retailers and manufacturers on both sides of the Atlantic bust out of ever-longer refresh cycles in the laptop market,” says Steve Gales, sales director at Opia. “With more than 17 million units shipped in the US in the last quarter of 2015 and an estimated nine million UK consumers obtaining a laptop or notebook in the year, the revenue boost from customers upgrading more often could be colossal.

“The average US citizen, for example, spends $500 on a new laptop and if they do that every 2.5 years, instead of every five, retailers and manufacturers will see revenue rocket by more than $170bn in a five year period.

“Many consumers are hanging on to laptops for five years or more, putting up with ever-poorer performance because they fear having to spend on a new device. Although there are slight differences between the two countries, the survey shows that GFV can remove that fear, encouraging consumers to make new purchases more regularly.”

The survey also reveals that 69% of consumers across the two countries view a new laptop as less expensive if the resale value is guaranteed to be 50% of what they paid for it, provided they upgrade within two years. “Since most respondents (59%) in the two countries have previously taken up some form of promotional offer to buy a laptop, they are already open to suggestion if the offer is compelling. Retailers who don’t act fast to implement closed loop upgrade promotions are subjecting themselves to ever-longer refresh cycles and lower revenues,” says Gales.

The findings showed that in the US and UK, an average of 85% of consumers wait more than three years before buying a new laptop. In the US, 69% said they did not buy a new PC or laptop because new models were too expensive and are waiting for the right offers, compared with 63% in the UK. “These survey results demonstrate clearly how retailers and manufacturers failing to use risk-backed GFV promotional mechanisms are doing themselves out of a significant amount of business. One final example from the survey reveals 35% of US consumers and 30% of UK consumers said a 50% GFV offer could encourage them to buy a more expensive model when they come to upgrade,” concludes Gales.

[1] http://www.fool.com/investing/2016/06/10/intel-corporation-ceo-brian-krzanich-explains-the.aspx

-Ends-

Notes to editors

Opia is an industry expert in risk managed sales promotions, with a proven track record in results-driven business and consumer campaigns for brand owners in the hi-tech, telecoms, FMCG, retail and automotive sectors. Supported by a 24/7 customer service team working in 18 languages, Opia’s global reach enables it to offer multilingual redemption campaigns in over 60 countries, including EMEA, North and South America and Asia-Pacific. Opia is a subsidiary of media company Village Roadshow and has been an integral part of its Digital Division since 2015. Opia is compliant with the ISO 9001 quality management standard and the latest ISO 27001:2013 standard for data security.

For more information, please contact: Jen Rook, Whiteoaks PR, +44 (0)1252 727313 ext. 276, jenniferr@whiteoaks.co.uk

Killing the password: FIDO says long journey will be worth it

The FIDO (formerly Fast Identity Online) Alliance is out to kill the password. It wouldn't seem to be a tough sales job.

There is little debate among security experts that passwords are a lousy, obsolete form of authentication. The evidence is overwhelming. Most people, in spite of exhortations to use long, complicated passwords, to change them at least monthly and to avoid using the same one for multiple sites, don't. The latest Verizon Data Breach Incident Report (DBIR) found that 63 percent of all data breaches involved the use of stolen, weak or default passwords. Nick Bilogorskiy, senior director of threat operations at Cyphort, noted in a recent blog post that there are now more than a billion accounts with credentials sold online. He compared them to hundreds of millions of keys capable of unlocking bank safe-deposit boxes, littering the ground. "All you need is to pick them up and find a match to open any box you would like," he wrote. "In fact, it is worse, because for most people, this same key is used to open their office, car, and house." And, of course, with automation, it is possible to try keys in millions of "locks" in seconds.

Things are even worse in the health care industry, according to a recent study by researchers at Dartmouth College, the University of Pennsylvania and USC, which found that medical staff efforts to circumvent passwords were "endemic" -- to avoid any delay in using a device or getting access to supplies, they routinely wrote passwords on sticky notes. According to the report -- a portion of whose headline is "You want my password or a dead patient?" -- medical staffers are just trying to do their work in the face of often onerous and irrational computer security rules.

The solution to such a porous "security" standard is to get rid of it, according to FIDO.

But the Alliance, which describes itself as a "cross-industry consortia," has to do more than convince experts or even web content providers. It has to convince users -- the ones who are familiar and comfortable with passwords and who can display irrational amounts of resistance to change.

"Websites that are trying to get eyeballs can't really force their users to do anything," said Gary McGraw, CTO of Cigital. "Twitter has two-factor authentication (2FA) now, but you don't have to use it. You just should. The most you can do is ask nicely -- otherwise it's an economic conflict of interest."

Vishal Gupta, CEO of Seclore, said that while he believes the masses will adopt a different form of authentication if it is faster and easier, he still thinks it can't be forced, and will be "a long journey." "It's very similar to chip-and-pin cards vs. magnetic strip cards, and a lot of enterprises will have to come together to make this happen," he said. Indeed, even Brett McDowell, the Alliance's executive director, agrees that, "forcing web service providers to do anything is a non-starter." But he said FIDO, which now has nearly 250 member organizations, isn't trying to force anything. The group's goal is to make it irresistible -- "to deliver a solution they (providers) will be eager to implement because it is in their self-interest to do so," he said. An authentication system that improves the user experience, he said, "will sell itself to service providers."

The user-experience pitch, on the FIDO website, certainly makes it look easy.

There are two possible methods. UAF (User Authentication Standard) simply requires the user to make a transaction request and then show a biometric, like a fingerprint. U2F (Universal Second Factor) requires a login and password on the local device, and the user then inserts a USB dongle and presses a button on it to complete the transaction. McDowell said the game-changing difference is that, unlike passwords, authentication credentials are, "always stored on -- and never leave -- the user's device. An attacker would physically need the user's device in hand even to attempt an attack. This doesn't scale, and is therefore not viable for financially-motivated attackers." Not to mention that, if effective, it eliminates the threat from those in other countries -- even those in the next town. The problem with passwords, he said, is not the passwords themselves but that they are "shared secrets" held by both individual users and on the servers of online providers where they can be -- and have been -- hacked, by the hundreds of millions.

That shared-secret model, he said, also gives the hacker, "passwords to use against other servers." McDowell contends that UAF and U2F are much faster and more convenient for users, since authenticating involves simply, "touching a sensor, looking at a camera, or wearing a wristband, etc. It is definitely faster than passwords, and much faster and more convenient than traditional forms of two-factor authentication like one-time passwords (OTPs)."

Of course, some experts note that there is an increasing risk of attackers figuring out ways to clone biometrics like fingerprints, voice or iris scans. "I don't want to supply a version of my iris to just anybody," McGraw said. "I've already given my fingerprint to the U.S. government and they happily turned them over to the Chinese." McDowell acknowledges that biometrics can be spoofed -- what he called a "presentation attack." But he said the FIDO standard eliminates most of the risk for the same reason stated earlier -- the biometric information never leaves the user device. "A biometric spoof attack against a FIDO credential can only be attempted if the attacker has physical possession of the user's device," he said. "It cannot be performed by social engineering, phishing, or malware." Gupta agreed that this is likely to make attacks much more expensive, and will therefore improve security. "As long as new forms of authentication can make sure that the cost of performing a breach is higher than the value gained from the breach, we are safe," he said.

Still, nobody thinks the password will disappear anytime soon. McDowell, bullish as he is on the FIDO standard, said he knows it will take significant time for it to become "standard." He noted that there are more than 200 FIDO Certified implementations on the market, which he said has, "surpassed all my expectations." The Alliance also announced last month that, "Microsoft will be integrating FIDO into Windows 10 for passwordless authentication," and that the Alliance is also, "working with the World Wide Web Consortium to standardize FIDO strong authentication across all web browsers and related web platform infrastructure." But McDowell acknowledged that, "there is definitely going to be a 'long tail' for password use. While we are well on our way to seeing most of the applications and devices commonly used every day offering their users FIDO-enabled authentication, passwords will continue to be part of these systems for years to come." McGraw, while he is a fan of 2FA, and his firm requires it of its employees, said the reality is that, "there is no such thing as perfection. It is always going to be an arms race."

This story, "Killing the password: FIDO says long journey will be worth it," was originally published by CSO.