Will Yahoo breach finally get us past the password?
Last week’s Yahoo hack — the largest breach of user account data in history — has focussed attention once again on the password’s inherent vulnerabilities. And some cybersecurity experts say we might be nearing the point at which large numbers of consumers finally stop relying on them.
“I believe we are approaching a tipping point,” said Brett McDowell, executive director of the non-profit FIDO Alliance.
The FIDO alliance promotes two open standards that use hardware devices to either replace or supplement passwords. The device can be a USB keystick or a smartcard; a specially secured chip in a smartphone or tablet; or even a fingerprint reader or iris scanner attached to a laptop.
Boosters say that FIDO standards are finally overcoming the “chicken and egg” dilemma that has plagued so many security technologies.
Hashing, cracking and brute-forcing
The 500 million passwords stolen from Yahoo were encrypted — a mathematical transformation that turns the word into a string of meaningless data called a hash.
Security conscious websites never store passwords themselves — only hashes. When the user logs on, the password is encrypted the same way it was when the password was first entered and the website compares the hash of the password entered with the hash it has stored. If they match, it means the correct password was entered.
In theory hashing should protect stolen passwords, since it’s all but impossible to mathematically derive a plaintext password from a hash. But special “cracker” software can be used on stolen data in what’s called a “brute force” attack.
Most websites limit the number of attempts to log on — making to impossible to simply guess the password. But once the hashes have been stolen, there’s no limit to the number of guesses that can be made and cracker programs just keep producing hashes of possible passwords — guessing as many as hundreds of times a second — until they guess correctly and the hashes match.
Cracker software is typically programmed to guess commonly used passwords first, then go through the dictionary and lists of proper names, then try combinations of words or words and numbers. They can even be programmed to try all those guesses with zeros in the place of O’s, ones in the place of L’s and so on.
Yahoo said in its statement that most of its hashes were “salted,” meaning they’d been re-encrypted with the addition of a special term, making them harder to brute force. But even salted hashes can often be cracked given enough time and computing power — especially because users generally ignore advice not to use dictionary words or proper names in their passwords.
“The bottom line is, passwords can’t be secure,” McDowell told FedScoop. “It’s long past time that we replaced them with something that’s not vulnerable to phishing, social engineering or replay attacks.”
Phishing or social engineering involves tricking a user into giving up their password, for example on a fake website carefully designed to look like your bank’s real login page. Replay attacks rely on the fact that most users also ignore advice not to use the same password for multiple sites or accounts. That means if a hacker has the password for a user’s email account, they can try it on social media or even financial accounts, too.
For several years, Gmail, Facebook and many other large online service providers, following the lead of banks and other financial institutions, have offered additional security in the form of what amounts to a second password — a code-number or PIN that’s sent via SMS to the user’s mobile phone.
This is called a one-time password or OTP.
Yahoo itself offers a different approach, allowing users to ditch the password altogether in favor of an smartphone app. When they enter their login information, the app sends a notification to their phone. When they respond, the website logs them in on whatever device they are using.
Both of these approaches are examples of what’s called two factor authentication, or 2FA.
It’s hard to know how many users are taking advantage of 2FA because the large service providers generally don’t publish figures. One estimate suggested that as few as 4-6 percent of Gmail users employed 2FA.
“None of the large consumer email providers have been educating users [about 2FA] and giving them incentives to make the move,” explained John Pescatore, director of emerging security trends at the non-profit SANS Institute. “I’d like to see some portion of their ad revenue … be donated toward selling that message [about 2FA] to the eyeballs they reach,” he wrote in the institute’s daily newsletter.
“The problem is, even an OTP is still a password and it can be phished,” said McDowell.
Going back five or six years, several different varieties of malware — like the one dubbed Emmental in 2014 — have successfully tricked bank customers into logging into fake sites and giving over their OTP, which the hackers can then use to login to the real site.
Similar attacks are usable against in-app authentication, such as that used by Yahoo, said McDowell.
“Push notifications don’t mitigate one of the most critical vulnerabilities [of the password] … you can still phish or socially engineer an in-app notification,” he said.
FIDO-enabled devices are different, he said, because they employ asymmetric encryption requiring two keys — a public key held by the website and a private key “physically bound to the device.”
This is known as public key infrastructure, or PKI encryption.
The private key is stored on the specially secured chip, inside the smartphone, keystick or other hardware and never leaves. “The only way for an attacker to login as you is to get physical possession of the device,” said McDowell.
The chicken, the egg and the device
Nonetheless, FIDO devices have faced the classic “chicken and egg” dilemma — consumers don’t know about the extra security they provide and that lack of demand means device manufacturers and online service providers don’t offer it.
“Before we can get rid of the password, we have to give people an alternative,” acknowledged McDowell.
He said that once given that alternative, consumers would eagerly avail themselves of it. He referenced the newer model iPhones, which offer fingerprint login.
“How many iPhone users still unlock their phone with a PIN?” he asked.
“We’ll know we’re approaching the tipping point when device manufacturers start shipping large numbers of FIDO-enabled products … and those capabilities show up in the hands of consumers.”
Two developments last week will help test the truth of his argument — as major players rolled out FIDO-enabled products.
The latest Mac OS version, dubbed Sierra, offers native support for the YubiKey — a USB keystick using FIDO standards. Instead of unlocking their Mac, and the Keychain inside it, with a password, users can employ a YubiKey instead.
“There’s no need for any third-party software,” Yubico Vice President of Solutions Engineering Jerrod Chong told FedScoop. “It works out of the box.”
And Lenovo announced its new laptop, the Yoga 910 Convertible, would come with a fingerprint reader, made by Synaptics.
Nothing new there, except that, through a partnership with Paypal and the use of FIDO standards, users can employ the fingerprint reader to log on securely, not just to the laptop, but to their Paypal account as well.
“Today’s notebook and PC users want solutions that are safer and more convenient for online transactions,” said Godfrey Cheng, Synaptics’ vice president of marketing.
“FIDO has become the IT industry’s consensus standard for online identity authentication,” said McDowell.