Welcome to the blog of Andrew Tang, Security Practice Lead for MTI Technology. A Cyber Security professional in the UK, who currently holds EU GDPR Practitioner, CISSP, MCSE: Security and MCTS certifications.
Saturday, 25 June 2016
Is the character password finally dead? [Link - IT ProPortal]
Passwords have been an essential part of our lives for a long time now, ensuring all our personal details are locked safely away from prying eyes. But, as recent hacks such as Mark Zuckerberg’s social media accounts have shown us, they are not infallible or, in some cases, even that secure.
The Facebook founder’s hack is an interesting case study in the dangers simple passwords pose, especially for high-profile individuals. Numerous complicated passwords are difficult to remember, but a simple password reused across multiple platforms leaves every one of those accounts vulnerable to being hacked.
So Mr Zuckerberg might just welcome Google’s recent announcement that it is developing a new log-in method for smartphones. Called the Trust API, this latest security method could see the typical character-based password rendered obsolete and replaced by an algorithm that learns a user’s behaviour.
No more characters
This is a massive step forward for online security, replacing passwords with a ‘trust-based’ system that monitors the way a user typically uses a smartphone.
According to Google, it checks personal indicators such as how you type and swipe as well as your location to continually monitor that it is definitely you holding and using the device, which makes it much harder to break into a lost or stolen phone.
Behavioural technologies such as this have been in development for some time and are already used in sectors that handle extremely sensitive materials, such as the financial services industry. The unique activities of a user – such as keyboard typing patterns – are mapped out by the system, and every time that user tries to access data their behaviour is matched against that map before entry is allowed.
While this is a fantastic move towards ensuring we do not become victims of hacks and keep confidential materials behind closed doors, it raises questions about emergency access.
Behavioural monitoring can be quite tricky for the user: people’s usual habits change in times of high stress, such as an emergency, which could leave users locked out of their devices at the very moment they desperately need to get in.
The acceptance of Google’s Trust API will most likely be dependent on finding a way to solve this issue without compromising security.
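The typing-pattern matching described above, and the stress lock-out problem that follows from it, can be shown with a small keystroke-dynamics model. The code below is an added example written for this post, not Google's Trust API or any product's code: it enrols a user from a few constructed samples of inter-key timings, builds a per-feature mean and standard deviation profile, and scores a new sample by its mean absolute z-score. The feature layout, the 5 ms standard-deviation floor and the 1.5 acceptance threshold are assumptions chosen for illustration.

```python
from statistics import mean, pstdev

# Hypothetical tuning: a floor on the standard deviation so a very consistent
# typist does not get a profile so tight that normal variation fails it, and a
# threshold on the mean absolute z-score above which the sample is rejected.
STD_FLOOR_MS = 5.0
ACCEPT_THRESHOLD = 1.5


def enrol(samples):
    """Build a profile from enrolment samples.

    Each sample is a list of inter-key intervals (ms) for typing a fixed phrase.
    The profile is a list of (mean, floored_std) per interval position.
    """
    n = len(samples[0])
    if any(len(s) != n for s in samples):
        raise ValueError("all enrolment samples must have the same length")
    profile = []
    for i in range(n):
        column = [s[i] for s in samples]
        profile.append((mean(column), max(pstdev(column), STD_FLOOR_MS)))
    return profile


def score(profile, probe):
    """Mean absolute z-score of a probe against the profile (0 = identical)."""
    if len(probe) != len(profile):
        raise ValueError("probe length does not match profile")
    zs = [abs(x - mu) / sd for x, (mu, sd) in zip(probe, profile)]
    return sum(zs) / len(zs)


def is_owner(profile, probe, threshold=ACCEPT_THRESHOLD):
    """True when the probe is close enough to the enrolled behaviour."""
    return score(profile, probe) <= threshold


# Constructed enrolment data: four relaxed typings of the same phrase (ms).
ENROLMENT_SAMPLES = [
    [120, 95, 140, 110, 130],
    [125, 100, 135, 105, 125],
    [115, 90, 145, 115, 135],
    [120, 95, 140, 110, 130],
]
PROFILE = enrol(ENROLMENT_SAMPLES)

# Constructed probes: the owner typing normally, and the same owner typing
# fast and erratically under stress (the emergency case from the text).
GENUINE_PROBE = [122, 97, 138, 112, 128]
STRESSED_PROBE = [70, 60, 95, 180, 75]

if __name__ == "__main__":
    for name, probe in (("genuine", GENUINE_PROBE), ("stressed", STRESSED_PROBE)):
        print(f"{name}: score={score(PROFILE, probe):.2f} "
              f"accepted={is_owner(PROFILE, probe)}")
```

The stressed sample belongs to the legitimate user yet scores far outside the profile, which is exactly the lock-out the text warns about; a real deployment needs a fallback factor for that case rather than a looser threshold, since loosening the threshold also lets impostors through.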
A strong standard password is supposed to have at least 10 characters, made up of upper and lower case letters alongside numbers and symbols. Admin passwords are often even more complex.
With technology advancing at such a rate while simultaneously becoming cheaper, hackers can now harness more processors to crack even the toughest passwords.
This is why a two-factor authentication process is so important. By backing up a standard character- or pattern-based password with a unique, personal form of identification, an account becomes much more difficult to hack.
This will be fundamental for admin systems, as once they are cracked open, hackers are free to take anything from a company’s electronic safe, including all the sensitive information stored there.
As the most frequently exploited attack surface, passwords assigned to local administrators should be the top priority for introducing a two-tiered security system.
Fight for your (admin) rights
Currently, introducing a password-based policy is how businesses enforce what is known as the principle of least privilege. Essentially, this gives a user account only those privileges which are essential to its owner’s work.
This makes access to information dependent on fallible, character-based passwords. Instead, businesses should introduce privilege control at the server and application level, which enables IT departments to manage and control which applications run on endpoints and servers, preventing malicious applications from penetrating the system.
This is a very effective way to address the problem of password cracking, providing deeper defences against administrator hacks.
So while Google’s Trust API is only designed for smartphones at the moment, this could be the first step towards wider usage, especially for enterprises, which are the most likely targets.
While this technology certainly ensures greater security, it isn’t the silver bullet needed for a perfect IT security system. For example, while it prevents strangers hacking a network, people are still able to download a virus or transfer files outside the proper channels.
Due to the influence and involvement of Google, a tech giant with huge prestige, it’s likely people in the near future will come to see behavioural monitoring as the new normal, and businesses will have to take up the practice as the trend proliferates, or be left behind.