In the first weeks of June 2012 both LinkedIn and eHarmony were hit with a security breach exposing as many as 8 million passwords. There is some irony in that one site contains professional and business information, while the other holds intimate personal information. Now whoever said business and love can’t mix?
All humour aside, LinkedIn was breached by losing a database that contained hashed passwords. In theory a hash is a one way encryption of data. This encryption is done via a mathematical process. Two of the most common hash formats are MD5 and SHA1, and when they were developed, they were one-way mathematical functions. However with the advent of faster computers, and with sheer effort, the algorithms have been compromised, and it is now possible to decrypt a password. It really doesn’t matter what algorithm is used: with enough time, and enough effort, almost any hash function can be decrypted.
While this is just the most recent security breach to hit the news, it does call in to question how should cloud and internet based services manage the security of your password and your information? The obvious answer is “follow known best practices”, but that is no longer enough. What is a “best practice” today can be obsolete and insecure tomorrow. The pace of security breaches is such that no single approach is enough. Organizations and end-users must learn to look at security with a holistic approach where both parties play a part in ensuring that security is not compromised. For the service providers, they must be continually improving their security practices. For end-users, it means choosing better passwords.
However practices and passwords are enough. Practices and passwords are just one layer. What needs to be done is add in layers of extra security measures such as intrusion detection, regular auditing, security reviews and host of other risk mitigations. SANs calls such measures as “Defense in Depth”. When put together, practices, passwords, and defense in depth, require that everyone accepts responsibility for ensuring security of the system. The challenge that arises is getting everyone working in harmony. This just isn’t an easy task.
If we take one step back, we can see that authentication is the core challenge. Authentication is proving who you are. In the simplest of terms, authentication is typically based on one of three following principles:
- Something you know (password)
- Something you have (token)
- Something you are (biometric).
For at least 80% of all end-users, “something you know” is the most common form of authentication. A simple username and password is the only security for most home and small businesses. A simple username and password is the only security for most online services ranging from email, to social networking, to online storage solutions. The other 20%, consisting of people working for government or large organizations are now using “two factor authentication”. If security is to be taken seriously, two factor authentication has to become the rule as opposed to the exception.
Implementing two factor authentication is typically done through the use of a small token (most often called a key-fob) about the size of a small USB drive. The token has a small LCD screen that displays a set of numbers that change approximately every 10 seconds. When an end-user logs in to the system, they must use their username and password, and enter the unique number on the token. The end-users must authenticate with something they know – their username and password – as well as something they have – their token.
If LinkedIn and eHarmony were using two-factor authentication the compromised hash files would be useless without an accompanying second factor.
There was a point in the past where two-factor authentication was complex and expensive. That is changing. There are now two-factor authentication systems that can text a second PIN making a cell/smartphone act in a similar fashion to a traditional token. There are also systems where a specialized USB drive with a secure certificate. The USB drive becomes the token. Less common is the use of a biometric device such as a fingerprint reader: these are now becoming very common on business class notebooks and workstations.
So getting back to the title, “Who can you trust?” the answer is that trust is a precious commodity. You can trust yourself, and you may put faith in a service provider, but trust needs to be protected and not given freely. If you work with sensitive or classified data or if you want to ensure the security of a specific account, two-factor authentication is at this time your best choice.
Given the number of security breaches more and more online services will start using two factor authentication. Google has already started down that path. If you sign up for a Gmail account, you now need to provide a cell phone number to receive a text message containing a one-time PIN. That PIN is required to active the new Gmail account.
So Google may be taking the first steps, but others will follow. The simple reality is that two-factor authentication is no longer an option for a large enterprise. Truly, if security is important, even SMB’s need to give serious consideration to adopting two-factor authentication.
Two-factor authentication used to be expensive and complex. Lexcom is changing that. Using ScorpianSoft’s new AuthAnvil, two-factor authentication is secure, simple, and cost-effective. What costs would your organization face if all of its passwords were made public? That is a difficult amount to calculate. What would it cost to implement AuthAnvil? That’s easy – contact Lexcom and we would be very happy to provide an assessment and a quote.
Give it some time: within a few years, two-factor authentication will most likely become the rule as opposed to the exception.
For more information have a look at: