Just how effective is Token Authentication
 Posted by SecExtra on April 16th, 2008

Password security is often seen as something of an oxymoron. We regularly hear how easy passwords can be to crack, and it's now common for sites to 'rank' how secure your chosen password is. But the password is still a highly effective means of authentication. Even a lower-case-only, five-character password takes 65,780 guesses to guarantee finding the right one. A strong password of eight characters including letters, numbers and other characters (!"£$% etc.) may take upwards of 6 trillion combinations.
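As an added check on the figures quoted above (example code, not part of the original post): the worst-case number of guesses for a fixed-length password is alphabet size raised to the length, while the 65,780 figure in the text equals C(26,5), the number of unordered sets of five distinct lower-case letters, which is far smaller than the ordered guess space an attacker actually has to cover. The 95-symbol printable alphabet and the guess rate are assumptions.

```python
from math import comb, log2


def ordered_guesses(alphabet_size: int, length: int) -> int:
    """Worst-case guesses to exhaust every password of exactly `length`
    characters drawn from `alphabet_size` symbols. Order matters and
    repeats are allowed, so the count is alphabet_size ** length."""
    return alphabet_size ** length


def unordered_sets(alphabet_size: int, length: int) -> int:
    """Number of ways to choose `length` distinct symbols ignoring order
    (the binomial coefficient). This is NOT a guess count; it is shown only
    because it reproduces the 65,780 quoted for 5 lower-case letters."""
    return comb(alphabet_size, length)


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for a uniformly random password of this shape."""
    return length * log2(alphabet_size)


def hours_to_exhaust(alphabet_size: int, length: int,
                     guesses_per_second: float) -> float:
    """Hours an attacker needs to try the whole ordered space at a given
    rate. The rate is an assumption; online guessing against a throttled
    login is orders of magnitude slower than offline hash cracking."""
    return ordered_guesses(alphabet_size, length) / guesses_per_second / 3600


if __name__ == "__main__":
    # Assumed alphabets: 26 lower-case letters; 95 printable ASCII symbols.
    for name, alpha, n in (("lower-case x5", 26, 5), ("printable x8", 95, 8)):
        print(f"{name}: ordered={ordered_guesses(alpha, n):,} "
              f"unordered={unordered_sets(alpha, n):,} "
              f"bits={entropy_bits(alpha, n):.1f} "
              f"hours@1e9/s={hours_to_exhaust(alpha, n, 1e9):,.2f}")
```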

Eager to replace your humble password are the new kids on the block: biometric, token and smartcard technologies. These technologies have been around for a while, and have all fallen foul of early-development security weaknesses and vulnerabilities. They are maturing, but they are still no substitute for a good username and password. Determined attackers, careless users, and under-informed IT staff still present a very real threat to these authentication systems.

Tokens undoubtedly have their benefits. Hardware keyloggers and the installation of keylogging software are one route attackers use to steal passwords. Evidence suggests the Sumitomo Mitsui hack back in 2005 was facilitated by keyloggers placed by hackers posing as office cleaning staff. Token-based authentication renders keylogging useless thanks to the ever-changing series of digits tokens generate. That said, there are still routes to bypass multi-factor authentication. And, although tokens do solve the keylogging problem, they aren't the panacea vendors would have you believe. Keylogging usually involves software, which the user would inadvertently install. If the user can be coerced into doing this, they are just as likely to fall victim to a session-stealing attack, rendering the token pointless. Tokens also carry a high cost: to purchase, implement, support and replace when lost.

Passwords, when done well, are almost as good, which is why a belt-and-braces approach is best. The password offers greater flexibility, autonomy and control. Token and smartcard technologies are far more rigid security devices, making it more difficult to introduce change. Ask yourself, for example, how easy it is to provide a replacement token compared to provisioning a new password. And because tokens and smartcards are physical objects, they are easily misplaced or lost. On more than one occasion we have managed to 'blag' a token from an organisation and use it to access private data.

Security is a process, not a device, and tokens are not a silver bullet solution.

This item was kindly written for us by Ken Munro, Managing Director, SecureTest



This entry was posted on Wednesday, April 16th, 2008 at 11:18 am and is filed under IT security.