Delfigo Security - Strong Authentication


Passwords Are Useless, Outdated and a Security Risk - Cem Paya

Larry Dignan finds no argument with Google's Cem Paya, who made the "passwords are useless, outdated and a security risk" comment at Wharton's Information Security Best Practices conference.

So why are passwords still a primary form of security? According to Dignan, Paya offered the following reasons:

  • There's no business model for issuing IDs to consumers.
  • Limiting user choice may annoy people.
  • Service providers can't rely on third parties to manage identities; if that third party screws up, it's your problem.
  • Strong authentication has to be mandatory, but mandating an emerging technology risks losing customers.
  • An opt-in policy can also cause customer-satisfaction problems. What happens when you need a driver for your USB token?



Coordinating Account Revocation When Employees Are Terminated

Information Week (Account and Identity Mismanagement) comments on a frequently occurring theme: failure to revoke account privileges before an employee is terminated. This time it concerns the Fannie Mae contractor who introduced a malicious script to their servers.


Big Money Lawsuits Over Account Sharing, Password Violations

Jordan Weissmann writes in Legal Times that lending your user credentials so others can share your account can prove very costly. Online subscription services are using revenue recovery solutions to monitor user accounts for fraudulent use and license violations. In the case described, one online service provider is using copyright law to seek "enhanced damages" instead of seeking judgment on subscription fees only. The defendants (those who used the service, as well as those who shared the account) are accused of illegally distributing content. This raises the cost from a mere $5,000 to cover fees to $150,000 per database that was accessed.


Twitter Failed To Account For Basic Security Vulnerabilities

It is a basic premise of security: prevent rather than react. This was reinforced again recently by the difficulties encountered by Twitter (Infoweek: Twitter Hack Made Possible By Weak Password). Twitter is a popular, award-winning service that has been around since 2006. It has raised over $22 million but failed to address very basic security vulnerabilities.

 "According to a report filed by Kim Zetter of Wired News, an 18-year-old hacker calling himself GMZ gained access to the account of a Twitter employee on Monday using a dictionary attack program that he created. Because the Twitter employee's account had access to administrative tools, GMZ was able to access any Twitter member's account by resetting the password."

Several rookie mistakes here. First, having administrators manage accounts through the same web application that ordinary users use. The administrative tools should have been a separate server and application, not reachable through the public login page. Second, allowing a common dictionary word as a password, especially on an account with administrative privileges, is sloppy password management. Finally, and most importantly, allowing unlimited login attempts. This is the core issue: it gave the attacker as many guesses as the dictionary attack needed. Who doesn't limit the number of login attempts in 2009? (A hard lockout is itself a denial-of-service lever against a known username, so throttling or escalating delays are usually the safer form of that limit for privileged accounts.)
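The fix for the third mistake, as an added example (this is not Twitter's code or anything from the articles cited above): a small Python authenticator that counts failed logins per account and locks the account once a threshold is reached, then replays a constructed dictionary attack against it with and without the lockout enabled. The threshold, the lockout window, the PBKDF2 iteration count, the wordlist and the victim's password are all assumed values chosen for the demonstration.

```python
"""Per-account failed-login throttling with lockout.

Added example, not code from Twitter or from the articles cited above.
MAX_FAILURES, LOCKOUT_SECONDS, PBKDF2_ROUNDS and WORDLIST are assumptions
chosen for the demonstration.
"""
import hashlib
import hmac
import os
import time

MAX_FAILURES = 5        # failed attempts tolerated before the account locks
LOCKOUT_SECONDS = 900   # lockout duration, and the window in which failures count
PBKDF2_ROUNDS = 50_000  # kept low so the demo runs quickly; raise it in production

# Constructed toy wordlist standing in for the attacker's dictionary.
WORDLIST = ["password", "letmein", "monkey", "qwerty", "sunshine",
            "happiness", "football", "welcome"]


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Authenticator:
    """Stores salted password hashes and tracks failed attempts per username."""

    def __init__(self, lockout_enabled: bool = True, clock=time.monotonic):
        self.lockout_enabled = lockout_enabled
        self.clock = clock                # injectable so tests can fake time
        self.users = {}                   # username -> (salt, hash)
        self.failures = {}                # username -> (count, first_failure_at)
        self.locked_until = {}            # username -> time the lock expires

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, _hash(password, salt))

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'bad_password' or 'locked'."""
        now = self.clock()
        if self.lockout_enabled and self.locked_until.get(username, 0) > now:
            return "locked"               # refuse without checking the password
        record = self.users.get(username)
        if record is None:
            _hash(password, bytes(16))    # same cost for unknown users
            ok = False
        else:
            salt, stored = record
            ok = hmac.compare_digest(_hash(password, salt), stored)
        if ok:
            self.failures.pop(username, None)
            return "ok"
        count, first = self.failures.get(username, (0, now))
        if now - first > LOCKOUT_SECONDS:  # window expired, start counting afresh
            count, first = 0, now
        count += 1
        self.failures[username] = (count, first)
        if self.lockout_enabled and count >= MAX_FAILURES:
            self.locked_until[username] = now + LOCKOUT_SECONDS
            self.failures.pop(username, None)
            return "locked"
        return "bad_password"


def dictionary_attack(auth: Authenticator, username: str, wordlist):
    """Try each word once; return (password_found, attempts, locked_responses)."""
    attempts = locked = 0
    for guess in wordlist:
        attempts += 1
        result = auth.login(username, guess)
        if result == "ok":
            return guess, attempts, locked
        if result == "locked":
            locked += 1
    return None, attempts, locked


def demo() -> dict:
    """Run the same attack against an account with and without lockout.

    The victim's password is a plain dictionary word (constructed), as in the incident.
    """
    outcomes = {}
    for enabled in (False, True):
        auth = Authenticator(lockout_enabled=enabled)
        auth.register("admin", "happiness")
        outcomes[enabled] = dictionary_attack(auth, "admin", WORDLIST)
    return outcomes


if __name__ == "__main__":
    for enabled, (found, attempts, locked) in demo().items():
        print(f"lockout={enabled}: found={found!r} after {attempts} attempts, "
              f"{locked} locked responses")
```

Without the lockout the attack recovers the password on the sixth guess; with it, the fifth failure locks the account and every later guess, including the correct one, is refused. Counting per account (not only per source address) is what defeats a distributed dictionary attack; the flip side is that anyone who knows the username can lock its owner out, which is why an escalating delay or a second factor is usually preferable to a hard lock for administrative and support accounts.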


Strong Passwords Prevent Downadup Virus

A serious new sleeper virus that exploits Microsoft Windows is working its way through corporate networks; besides the Windows vulnerability, it spreads by guessing weak administrator passwords on network shares, which is why password strength matters here. According to Mikko Hypponen, chief research officer at anti-virus firm F-Secure, the best way to prevent the virus is to "get the patch and install it company-wide. The second way is password security. Use long, difficult passwords -- particularly for administrators who cannot afford to be locked out of the machines they will have to fix."

These are of course not the only options. Given that most organizations have difficulty managing password policies and enforcing "strong" passwords, a more practical option is to deploy an authentication platform that uses multiple factors such as keyboard biometrics, geospatial metrics, system parameters, and reflective thinking. Some key factors to consider in this type of solution are:

  1. Platform Independence (easy pluggability into existing application environments)
  2. Database Flexibility (no heavy lifting if you need to change database vendors)
  3. Easy Integration and Configuration
  4. Open Standards (industry standards with built-in WS-Security authentication and encryption mechanisms)
  5. End-To-End Security
  6. Audit and Transaction Logging
  7. Great Administrative Tools (easily manage the system and its users)

