Twitter was a buzz again last week due to another security breach. In summary, a criminal claims to have obtained access to a Twitter administrator’s Twitter password by guessing the secret question to reset the administrator’s password on a Yahoo e-mail account. Twitter confirmed that the intruder gained access to information on ten accounts including those of some celebrities.
My question is this: How many passwords have to be compromised before we all finally come to the consensus that passwords are a really bad idea?
There are three ways to authenticate someone:
- Something they know (a password);
- Something they have (a physical device); and,
- Something they are (biometrics).
Each of these ‘three ways’ is called a factor. If you want to ensure that someone is who they say they are, simply use two of the above factors for a strong authentication. For example, have the person type in a password and something else, like insert a smart card or type in a 6 digit number that proves they have a specific peice of hardware with them.
The problem with passwords is threefold:
- Passwords alone are single factor authentication, and by definition that authentication is weak.
- We let users choose their own passwords, thereby increasing the likelihood that others can figure out the password.
- Since people forget passwords, we build mechanisms to let them find out their password or reset it.
In other words, we take a weak authentication mechanism and make it worse. And then we act surprised when it fails.
For years we’ve been telling people to choose complex passwords that can’t easily be guessed. But most people don’t follow that advice. And even those who do may be subject to attack because of the poor authentication used to reset passwords. A good authentication mechanism should not not allow each user to determine the strength of authentication.
Effective alternatives are available. Among them are key-chain size authentication tokens from RSA and Vasco. In summary, as part of your login to a site you have to type in the 6 digit number that appears on the device, as well as your username and password (or a PIN).
While it’s easy to understand that Twitter may not want to provide users with authentication tokens (it is a free service after all!), at minimum they could, and should, require two-factor authentication for all users with administrative access. The amount of damage that could result from an intrusion into a Twitter administration account warrants two-factor authentication. If Twitter had conducted a risk assessment they would know that.
Security professionals have been pointing out these exact problems with passwords for years. Is anybody listening?
kingthorin
Just found this interesting bit from Bruce regarding how Secret Questions can be even worse than password.
http://www.schneier.com/blog/archives/2009/05/secret_question.html
Eric Jacksch
Thanks, I agree with Bruce. The “secret questions” are rarely “secret”.
Matt Nicoletti
Just found a really interesting two-factor authentication service that Twitter might want to check out. It’s the same as tokens but requires a cell phone instead so they wouldn’t have to supply anything for their users.
http://www2.telesign.com/solutions_twofactor_auth.php
Brian T Glenn
There is an open-source project, WiKID Strong Authentication System (http://www.wikidsystems.com/), for providing two-factor authentication. If you use the built-in protocol for server communication and only software tokens, it is even free of charge to use. The commercial version adds support for RADIUS communication to the server and cell phone based software tokens. There really is no excuse for not having two-factor authentication running with projects like this available.