To permit a user to access a resource, you need to be sure the user is as claimed. This is known as authentication.
There are three general means for authenticating a user's identity:
- through something the user knows (e.g., password, PIN, answers to questions)
- through something the user has, known as a token (e.g., smart card, ATM card)
- through biometrics inherent to the user (biological data, e.g., fingerprints, retina, iris, face, typing rhythm)
Password-based authentication is most common technique because it is the cheapest to implement since it doesn't require extra hardware. But password-based authentication can be susceptible to a variety of attacks.
The National Institute of Standards and Technology (NIST) provides the standards for passwords. The NIST framework for secure passwords is updated to stay current, including the following recommendations (NIST, 2017):
- Compare passwords to dictionaries and commonly used passwords.
- Screening user passwords against lists of commonly used or compromised passwords can identify vulnerabilities and threats from dictionary attacks.
- Eliminate or reduce complexity rules for passwords.
- The standards no longer emphasize the need for complexity via passwords containing mixtures of uppercase letters, symbols, and numbers.
- Allow all printable characters, including spaces.
- Don't base password expiration on time password has been in use.
- This is the biggest change from earlier guidelines for password protection and is based on studies showing that frequent changes in passwords at the enterprise level are counterproductive to good security practices.
- Increase the maximum password length to 64 characters.
- This change supports the use of passphrases.
- Enable copy and paste functionality in password fields.
- This change allows for the use of password managers.
There are many reasons why many passwords are weak. Most users have multiple passwords they must keep track of, and inertia naturally can lead to weak passwords. Some users aren't even aware that someone might be able to guess a password. In addition, consider the unintended sharing of passwords (e.g., passwords on sticky notes) or one-time sharing that can lead to vulnerabilities. Some organizations lack policies, procedures, and enforcement tools regarding passwords. Also, many users are not even aware of a company’s password policies and why they matter.
Below are some common methods of attack against passwords.
Attacks Against Passwords
Click on each method in the left column to get more information about weaknesses.
Password Managers and Recovery
Businesses and enterprises use password managers to maintain large amounts of account information and passwords. A password manager is a software application used to store user passwords in an encrypted format and manage them. The master file of log-ins and passwords is secured and only accessible via a master password, usually assigned to the system administrator. The implementation of password managers allows for the use of strong passwords, and since the encrypted information can be stored in cloud storage, these programs add security and portability for mobile devices and remote workers.
Vulnerabilities in Password Management Features
There are many options for password managers, which vary based on how they encrypt data, how data is stored, and other features. Additional features may include auto-fill forms and password generators. Common types of password managers include web-based, cloud-based, portable, and desktop. The choice of the ideal password manager needs to account for enterprise needs for efficiency and security.
Password recovery is another important tool that offers quick mitigation to common problems with lost or forgotten passwords, without the need for to lock and unlock accounts and reset passwords.
Policies and Training
Password policies and procedures, when communicated and enforced, can reduce risks and increase web and system security. Strong, consistently implemented password policies and procedures are not just a good idea to prevent security breaches—they are the minimum standard for security that an organization should implement and continually maintain.
Organizations should provide extensive employee training about password protection, security hazards, and potential company exposure, as well as penalties for employees violating company policies and procedures. The policy and procedures should apply to even web developers, server administrators, and others who might get comfortable and not regularly change passwords with high accessibility. These precautions alone might not stop the cyber attackers from storming the gates, but they should reduce the chances of them breaking through.
Smart cards are tokens that have a lot of intelligence built into them. These are used in highly sensitive places such as Department of Defense (DoD) and DoD contractor sites. Smart cards can also perform authentication locally, which avoids many of the drawbacks of remote authentication such as vulnerability to eavesdropping and replay attacks. Tokens can, however, be lost or stolen, denying access when the user needs it. Tokens also require additional equipment, thus increasing the cost.
Biometrics include fingerprints, retinal or iris scans, facial recognition, and vocal recordings. All biometric authentication hinges on an accurate measure of some distinct and individual trait of the user that can be stored in a tamperproof but accessible system. Like tokens, biometrics have higher security strengths than passwords, but the costs of the technology and incompatibility with most legacy applications place a financial burden on companies.
Biometrics-based authentication is broken into two types: static and dynamic biometrics verification. Voice patterns, typing rhythm, and breathing are examples of dynamic biometrics, while fingerprint, retina, face, and iris biometrics are static. Of all the biometric technologies, fingerprints are the most popular, especially in law enforcement and criminal justice. Fingerprint verification is available for personal verification on mobile devices as well (e.g., laptops, peripherals, flash drives).
So why aren't these methods in more common use? Besides the costs, some people are averse to allowing the taking of biometric patterns, and no biometrics can be used with 100 percent of the population. Fingerprints are subject to false results due to injuries, burns, dry skin and thinning of fingerprints as people age. Voice authentication assumes a person will not be ill or have issues affecting the voice, and for people who cannot speak, it is not an option. Eye scans require an extremely close view and can easily be thrown off by eyewear (glasses or contacts) or medication and even fooled by photographs. Similarly, facial recognition struggles with faces presented at different angles, with different expressions, or changes related to age and weight.
Another challenge for biometric authentication is the number of false positives and false negatives a biometric technology may generate. The false responses are the result of recognition error in comparing the stored sample and the person showing up at the biometric device. The device may think the person matches a sample it has retrieved from storage exactly, when this is not the case. That is a false positive or false match, where the authentication device believes the stored sample and the presented sample represent the same person. A false negative or false nonmatch occurs when the device determines the sample in storage and the biometric sample of the person tested do not represent the same person, when it actually does.
There are several ways that authentication techniques can be combined for additional security. Authentication that include multiple levels is called multifactor. For example, two-factor authentication might include a token and a password. A simple version of this is a code that is sent to the user's cell phone when logging in with a password. The user needs to enter both the password and the code for the authentication to succeed. The cell phone is the token employed.
Kerberos is a client-server protocol for authentication that allows for both the user and the server to verify the other party's identity over nonsecure connections. A symmetric key based on the user password provides a secure mechanism for the session key to be used by the client and server. On the server side, a Ticket Granting Service (TGS) issues a security token, called a Ticket-Granting-Ticket (TGT), so that the client can access services. Kerberos has proven resistant to eavesdropping and replay attacks.
Challenge-Handshake Authentication Protocol (CHAP) is an identity verification protocol that also is based on a shared secret. Unlike Kerberos, CHAP does not rely on sending a secret between parties; validation is accomplished when the identity-verifying party (the authenticator) sends a challenge message to the access-requesting party, who responds using a one-way hash function. This hash incorporates the inputs from the challenge and the shared secret, and the authenticator has the same one-way hash to compare against, providing a pass/fail check (connection).
Dictionary attack. (n.d.). In Wikipedia. Retrieved March 6, 2020, from https://en.wikipedia.org/wiki/Dictionary_attack
National Institute of Standards and Technology (NIST). (2017). Digital identity guidelines: NIST Special Publication 800-63. https://pages.nist.gov/800-63-3/