Security has been a priority for companies for many years
now, and with so many high-profile companies being hacked, it's no wonder. With
brute-force, dictionary and rainbow table attacks, the time it takes
to crack a password is frighteningly short. This guide discusses some of the
methods used to crack passwords and what can be done to protect your systems against
these threats.
How is the hacking done?
With massively parallel password cracking on general-purpose graphics
processors and rainbow tables, it's possible for attackers to test more
than 500,00,000 passwords per second, even with low-end hardware. Depending on
the software, rainbow tables can be used to crack 14-character alphanumeric
passwords in about 160 seconds. That's faster than my daughter takes to
unlock my iPhone passcode!
Rainbow tables achieve this by comparing a password database
to a table of all possible encryption keys. This requires a large amount of
memory, and memory is cheap. With hardware improving all the time, a password alone doesn't stand a
chance. Over and above these techniques, social engineering remains a big
threat: all the encryption and strong passwords in the world don't mean a thing
when the user gives out their password. Phishing tactics are getting better and
are very effective; with fake emails and forged websites they trick an
alarming number of people into giving up their passwords.
What are the options?
Basically it boils down to single-factor or
multi-factor/two-factor authentication (2FA). Single-factor authentication
secures a system through only one category of credentials, for example a login
and a password. 2FA is where a user's credentials are made up of two independent
factors.
Single Factor
There are challenges with attempting to secure your system
with a password alone. The most common is that users either don't understand
how to make a strong and memorable password or underestimate the need for
security.
The extra rules that are necessary to make passwords strong
often result in users forgetting them or having other problems, which leads to
password resets, which in turn often rely on help desks (see costs). Single
factor does have its advantages though: it's cost-effective, easier to manage,
and fewer things can go wrong.
There are some things that can be done to make it
more effective though, namely:
- Passwords need to be long enough (minimum of 8 characters), include a mixture of letters and numbers, and be case-sensitive. A password meter is recommended and has been proven to help.
- Passwords could be partially entered, for example characters 3, 5 and 7 of the password.
- Passwords should be stored in the database in an encrypted format, and the software can then verify them via a decryption key.
- Where possible the login and password can be locked down to one or more IP addresses (although that effectively becomes 2FA).
- Users need to be educated on how to protect themselves and their passwords.
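The storage recommendation in the list above can be met without the server holding any decryption key at all: the usual practice today is to store a salted, deliberately slow hash and re-derive it at login. This added example (not code from the original article) does that with PBKDF2-HMAC-SHA256 from the Python standard library; the iteration count and record format are assumptions chosen for the example.

```python
"""Added example, not part of the original article: storing a password as a
salted, slow hash (PBKDF2-HMAC-SHA256, standard library only) instead of a
reversibly encrypted value.  The server never needs a decryption key, so a
copied database yields only hashes that must be cracked one guess at a time,
and the per-user random salt means a rainbow table built in advance is useless."""
import base64
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000  # deliberately slow; the cost applies to every attacker guess
SALT_BYTES = 16       # a fresh random salt per stored password


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$hash'
    (format is an assumption of this example) for storage in the database."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        "pbkdf2_sha256",
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count, then compare
    in constant time so a mismatch does not leak how many bytes agreed."""
    algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, int(iterations))
    return hmac.compare_digest(candidate, expected)
```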
2FA
As mentioned before, 2FA is where a user's credentials are made up of
two independent factors, such as:
- Something that the user knows (PIN, password, questions, etc.)
- Something that the user possesses (key fob token, mobile phone, smartcard, etc.)
- Biometric data (fingerprint, iris, voiceprint, etc.)
Obviously some of the above options are going to be more
suitable than others, and there is a cost implication with each of them. I
would like to briefly discuss the more popular options in order to give a
better understanding, and also because it is unlikely that a company will
protect their CRM system with an iris scan. Horses for courses.
Hardware tokens are the most prevalent, most commonly
implemented by giving the user a key fob that is combined with a password.
The key fob displays a pseudo-random number that changes periodically, and the user
enters this number to prove that they have the token. The server that is
authenticating the user must also have a copy of each key fob's 'seed
record', the algorithm used and the correct time, and can then in turn
authenticate the user. The key fob itself contains this algorithm and the 'seed
record' and generates the number that is verified by the server. There are
alternatives to the key fob such as USB stick based solutions, for example
YubiKey, which
is used by Google, Facebook and the US Department of Defense. With such high
profile customers and a cost starting from $18 per user, it is understandable
why it is so popular.
Software tokens are on the rise: the key fob functionality
has been replicated for the smartphone and has been in use since the year 2000. The
technology is exactly the same as that of the hardware version,
however instead of an additional fob an app on the smartphone is used. Other
software apps are available for smartphones as well; products like Toopher can verify where the user (or their
smartphone) is physically located, and the first time a user tries to log in from
a new location, they must grant permission to do so via the app. Pricing
starts at $1 per month per user.
Another effective way to authenticate a user with the aid of
their mobile phone is by sending them a code via text message; this code
changes with every request and expires. This is a relatively simple and cost-effective
solution, with companies providing text message capabilities from a couple of
pence per message.
Parting Thoughts
There are many solutions to an ever-increasing challenge that
we all have to address in one way or another. You don't need a machine gun
to kill a mosquito though (don't know if that is a saying; it should be), but
taking into account the various factors that influence your security
requirements is key, so to speak.
Those factors are how sensitive the information is, what the repercussions
would be if the system were hacked (customer confidence, regulations,
etc.), the user particulars (number of users, location, etc.) and costs.
George Toursoulopoulos is a technology specialist and CEO of Synetec, one
of the UK’s leading providers of bespoke software solutions.