Why Passwords Aren't Secure

Organizations Must Assume Logins Will Get Hacked

By Tracy Kitten, June 21, 2012.

Marcus Ranum isn't shy about saying logins and passwords are weak and outdated methods too often relied upon for online authentication.


In the wake of the LinkedIn breach, which exposed 6.5 million password hashes (unsalted SHA-1, so each hash could be looked up directly against a precomputed table), Ranum, chief of security for online security provider Tenable Security Inc., says it's obvious the ongoing use of passwords is opening online users and organizations to security risks and breaches.

"This is a place where I have a certain amount of pain. Security practitioners have been saying, literally for decades, that passwords are a problem," Ranum says. "If you're part of an organization that's supporting anything that requires some kind of a password login, honestly, you should be looking at what you can do above and beyond passwords to protect your users against the inevitable time when their passwords are compromised."

Users are starting to jump on the bandwagon as well. An Illinois real estate sales associate, who's been a LinkedIn member since 2010, recently filed a $5 million class action lawsuit against LinkedIn for failing to adequately protect its stored passwords (see Member Sues LinkedIn for $5 Million over Hack).

LinkedIn says the lawsuit is frivolous, but the action reflects growing concern for any organization that maintains an online presence. When passwords are easy to hack, organizations are vulnerable.

Ranum says organizations can - and should - do more to protect themselves from leaks and lawsuits. Customer education is key.

"It's really not a bad idea if you can have something in place on the password-change page - or the login page - that just tells the user, 'Please don't use the same password you use on Facebook,' or, 'Don't use the same password as you do on your favorite blog,' or whatever," he says. "'Doing so magnifies the likelihood that things can go wrong.'"

When a password breach occurs, Ranum says, organizations that have educated users about adequate password security have stronger legs to stand on. "It's the user's responsibility for not guarding their password efficiently," he says. There's a certain amount of value to being able to say, "I told you this would happen."

During this interview with BankInfoSecurity's Tracy Kitten, Ranum explains:

  • The vulnerabilities of hashed passwords;
  • Steps organizations can take to secure online passwords; and
  • Why organizations have to ensure that every entity their sites touch, from vendors to other third parties, is implementing adequate site security controls.

Ranum, since the late 1980s, has designed a number of groundbreaking security products including the DEC SEAL, the TIS firewall toolkit, the Gauntlet firewall and NFR's Network Flight Recorder intrusion detection system. He has been involved in every level of operations of a security product business, from developer, to founder and CEO of NFR. Ranum has served as a consultant to many FORTUNE 500 firms and national governments, as well as serving as a guest lecturer and instructor at numerous high-tech conferences. In 2001, he was awarded the TISC "Clue" award for service to the security community, and also holds the ISSA lifetime achievement award. In 2005 he was awarded Security Professional of the Year by Techno Security Conference.

Hashed Passwords: Vulnerabilities

TRACY KITTEN: What is password hashing and why is it a security problem?

MARCUS RANUM: The problem with the way hashing is done is really fundamental to passwords. It's something you really can't get away with. The hashes are stored instead of actually storing your plain-text password; but the problem is if someone is able to get the hashes, they can do an offline computation, where they essentially compute all of the possible passwords and then they can just look the hash up in this password database, and the password falls out the other side.

KITTEN: What about salted hashes?
