Heartbleed and Passwords

Once more the evil of passwords is demonstrated. This time it is the Heartbleed bug, which can expose chunks of a web server's memory to attackers. Passwords, and the access they grant to everything they protect, are the most obvious target.

Technical aside: for those of you who don't have time to read the US-CERT advisory (https://www.us-cert.gov/ncas/alerts/TA14-098A), here is a summary. Recent versions of the security library used by many web servers (OpenSSL 1.0.1 through 1.0.1f) have a flaw in their handling of the TLS heartbeat extension. A heartbeat request carries a short payload plus a field stating how long that payload is, and the server is supposed to echo the payload back. An attacker puts a large number in the length field but sends only a few bytes, and the server never checks that the claimed length matches what actually arrived. It therefore copies up to 64 KB of whatever sits in memory next to the request and sends it back, and it can do this over and over without leaving anything in the server's logs. What comes back is whatever was 'on the server's mind' at the time. It is hard to predict exactly, but it can include other users' recently submitted passwords, session cookies and, in the worst case, the server's private key, which is why this bug is an open invitation to go fishing for identities. The fix, released as OpenSSL 1.0.1g, is a single bounds check.
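As an added illustration of the missing bounds check described above (written for this page; it is not OpenSSL's own code), here is a small C model of the heartbeat handler with the vulnerable form next to the fixed one. The "heap" array, the 4-byte "ping" heartbeat and the neighbouring login form are constructed sample data; the check in heartbeat_fixed mirrors the one OpenSSL 1.0.1g added.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of the OpenSSL heartbeat over-read (CVE-2014-0160), written
 * for this post; it is not OpenSSL's source. The wire format is real (1-byte
 * type, 2-byte big-endian payload length, payload, >= 16 bytes padding); the
 * "heap" is a constructed array standing in for memory next to the record. */

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define HEAP_SIZE   256

/* record at offset 0, unrelated data after it; record_len = bytes that arrived */
typedef struct { unsigned char mem[HEAP_SIZE]; size_t record_len; } heap_t;

static uint16_t n2s(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Echo `payload` bytes from src plus padding (zeroed here; OpenSSL randomises). */
static size_t build_response(const unsigned char *src, uint16_t payload, unsigned char *resp) {
    resp[0] = HB_RESPONSE;
    resp[1] = (unsigned char)(payload >> 8);
    resp[2] = (unsigned char)(payload & 0xff);
    memcpy(resp + 3, src, payload);
    memset(resp + 3 + payload, 0, HB_PADDING);
    return payload;
}

/* Vulnerable handler: trusts the length field the peer sent. */
static size_t heartbeat_vulnerable(const heap_t *h, unsigned char *resp) {
    const unsigned char *p = h->mem;
    unsigned char type = *p++;
    uint16_t payload = n2s(p); p += 2;
    if (type != HB_REQUEST) return 0;
    /* Only so the model stays inside its array; the real code read up to 64 KB. */
    if (3 + (size_t)payload > HEAP_SIZE) return 0;
    return build_response(p, payload, resp);   /* copies well past record_len */
}

/* Fixed handler: the bound added in OpenSSL 1.0.1g, refusing any claimed
 * payload length that does not fit in the bytes actually received. */
static size_t heartbeat_fixed(const heap_t *h, unsigned char *resp) {
    const unsigned char *p = h->mem;
    unsigned char type = *p++;
    if (h->record_len < 1 + 2 + HB_PADDING) return 0;               /* too short */
    uint16_t payload = n2s(p); p += 2;
    if (type != HB_REQUEST) return 0;
    if (1 + 2 + (size_t)payload + HB_PADDING > h->record_len) return 0; /* the fix */
    return build_response(p, payload, resp);
}

/* Constructed scenario: 4 real payload bytes ("ping") whose length field
 * claims `claimed` bytes, with another user's login form lying just after. */
static void make_heap(heap_t *h, uint16_t claimed) {
    static const char secret[] = "username=alice&password=hunter2"; /* constructed */
    memset(h, 0, sizeof *h);
    h->mem[0] = HB_REQUEST;
    h->mem[1] = (unsigned char)(claimed >> 8); h->mem[2] = (unsigned char)(claimed & 0xff);
    memcpy(h->mem + 3, "ping", 4);
    h->record_len = 1 + 2 + 4 + HB_PADDING;   /* 23 bytes on the wire */
    memcpy(h->mem + 32, secret, sizeof secret - 1);
}

static int contains(const unsigned char *buf, size_t n, const char *needle) {
    size_t k = strlen(needle);
    for (size_t i = 0; i + k <= n; i++)
        if (memcmp(buf + i, needle, k) == 0) return 1;
    return 0;
}

/* 1 if the vulnerable handler echoes the neighbouring password back. */
int vulnerable_leaks_secret(void) {
    heap_t h; unsigned char resp[512] = {0};
    make_heap(&h, 64);
    size_t n = heartbeat_vulnerable(&h, resp);
    return n == 64 && contains(resp + 3, n, "password=hunter2");
}

/* 1 if the fixed handler drops that same oversized request. */
int fixed_rejects_oversized(void) {
    heap_t h; unsigned char resp[512] = {0};
    make_heap(&h, 64);
    return heartbeat_fixed(&h, resp) == 0;
}

/* 1 if the fixed handler still answers an honest 4-byte heartbeat. */
int fixed_accepts_honest(void) {
    heap_t h; unsigned char resp[512] = {0};
    make_heap(&h, 4);
    return heartbeat_fixed(&h, resp) == 4 && memcmp(resp + 3, "ping", 4) == 0;
}

int main(void) {
    printf("vulnerable leaks password: %d\n", vulnerable_leaks_secret());
    printf("fixed rejects oversized:   %d\n", fixed_rejects_oversized());
    printf("fixed accepts honest:      %d\n", fixed_accepts_honest());
    return 0;
}
```

Compile with cc -Wall and run it: the vulnerable handler echoes 64 bytes that include the neighbouring password, while the fixed handler returns nothing for the same request yet still answers an honest 4-byte heartbeat. The model bounds its own reads to the array so that it runs without undefined behaviour; the real server had no such limit.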

So, back to the evil of passwords. Centrify has long said that passwords are a bad thing. Why? They are hard to use and maintain, as anybody who uses more than a few websites knows: the user is constantly struggling to balance easy to remember against secure. "Password1" is easy to remember, but it is also easy to guess. This latest bug demonstrates another weakness: passwords are easy to steal through bugs or bad practices on the server side, and nothing the user does on their own machine can prevent it. The only remedy is to wait for the site to patch and then change the password, on that site and on every other site where it was reused. And once an attacker has your password, as far as that website is concerned, that attacker is you.

So what are the alternatives to passwords? We recommend several.

First is using more modern ways of conveying identity to a server. SAML is the most common one. It lets you log on to a website without ever giving it a password: an identity provider that already knows who you are generates a one-off, signed message, or assertion, that identifies you and passes it to the website, which verifies the signature and lets you in. We call this 'zero sign-on' because of the frictionless user experience: the user is instantly connected, as if by magic, to the service. The fact that it is more secure is an added bonus: the website never holds your password, so a Heartbleed-style leak of its memory cannot expose it (the identity provider itself still needs patching, and a session token caught in the same leak remains usable until it expires). However, zero sign-on does require the website to support SAML. Centrify has been working with major players in the industry to ensure wide adoption of it.

Second is the use of multi-factor authentication. In this case, even though the website still uses passwords, an additional layer of security is added by making you do something extra that a stolen password alone cannot satisfy. For example, Centrify will call your phone and ask you to confirm that you are logging on, or, if your phone runs our mobile security suite, you must press a button on the phone during login to the website. We do this when the login looks suspicious, i.e., it comes from a location we have not seen before, such as outside the U.S. A password leaked through Heartbleed is then of little use on its own: the attacker also needs your phone.

Using these tools can reduce, and in the zero sign-on case remove, the risks associated with passwords. Hopefully there will come a time when a bug like this one will hardly be news: "Grampa, what's a password?"