Strong and secure passwords are extremely important when it comes to cybersecurity – they prevent unauthorized access to your personal electronic accounts and devices.
OWASP has identified broken authentication and poor session management as a critical issue as far back as the early 2000s. Even in 2022 it remains a major issue, and it looks set to remain one for the foreseeable future. The main driver is data breaches: attackers have a growing pool of leaked username and password combinations to use in brute-force style attacks against user accounts.
Proper password hygiene and choosing a secure password are crucial steps in preventing sensitive data breaches for any organization. Choosing a long, complex password makes it very difficult for an attacker to crack, whether by a manual attack or by automated tooling that sifts through thousands of combinations per second.
Alongside secure passwords, MFA (multi-factor authentication) adds another barrier to entry to an account and further protects sensitive data. There are multiple MFA channels, the most common being email and SMS. The combination of secure passwords and 2FA is one of the steps that can be taken to ensure proper password hygiene in your organization.
Data breaches happen all the time: during a typical work day, roughly 1,850,832 records are lost or stolen in data breaches. It is now a matter of when your company will be hit by a breach, rather than if. The need for proper authentication controls and protocols has never been more important. As more and more data breaches occur, we find that companies are still not implementing passwords in a secure manner. Passwords and email addresses are the most sought-after data online; a report by Risk Based Security found that passwords and email addresses were the data stolen in 70% of all data breaches.
Billions of records are compromised every year, and the number keeps growing. Despite best efforts and awareness among business leaders and defenders, data breaches continue to take place at an alarming rate.
Insecure password storage can be caused by a number of factors, including:
These, coupled with poor password creation policies, lead to user accounts being taken over by malicious users. A poor password policy would allow passwords shorter than 8 characters with no symbols, numbers or special characters.
Companies have been adopting two-factor authentication (2FA) as it provides another level of protection for users in case a user's password is leaked via a data breach. The second factor is a credential the user has, which they present in addition to the password when authenticating to a service. It usually consists of a one-time code transmitted to the user via SMS, email, or a hardware or software token. A list of websites providing second-factor authentication can be found here. Problems occur when the one-time tokens are transmitted over insecure channels like email and SMS.
SMS messages are sent in clear text, and attackers are at times able to recover a user's text message, either by intercepting the message or by gaining access to it through a different channel.
There are a number of ways an attacker can gain access to the user's phone number:
OAuth2 is probably the most popular protocol in use for federated authentication. The protocol is securely designed but is often implemented poorly. For example, Facebook fell victim to a poor implementation when an attacker was able to steal users' authorization tokens by breaking out of the OAuth2 redirect_uri parameter, thereby sending the user's authorization token to a server the attacker controlled. Such an authorization token is equivalent to having the user's username and password.
Some common flaws in protocol implementations include allowing attackers to set any redirect_uri, improper error handling, and problems with the state parameter. The redirect_uri parameter is the address the user is sent to on authorization success or failure, so an unvalidated redirect_uri lets attackers send users wherever they choose.
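The two checks that close the flaws listed above, shown side by side as an added example in Python (this is illustrative code written for this article, not Facebook's implementation or any library's API). The client registration, the `app.example.com` and `idp.example.com` hosts, and the `attacker.invalid` lookalike are constructed values. `weak_redirect_check` shows the prefix comparison that lets a lookalike host through; `strict_redirect_check` does the exact match RFC 6749 calls for; the `start_authorization`/`handle_callback` pair binds an unguessable `state` value to the session and consumes it once.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed client registration for a hypothetical relying party; a real server keeps this in a database.
REGISTERED_CLIENTS = {
    "client-123": {"redirect_uris": {"https://app.example.com/oauth/callback"}},
}
AUTHORIZE_ENDPOINT = "https://idp.example.com/authorize"  # hypothetical identity provider


def origin_of(uri):
    parts = urlsplit(uri)
    return f"{parts.scheme}://{parts.netloc}"


def weak_redirect_check(client_id, redirect_uri):
    """A prefix comparison on the registered origin. It accepts any URI that merely *begins*
    with the registered host, including lookalike hosts under a domain someone else controls."""
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None:
        return False
    return any(redirect_uri.startswith(origin_of(u)) for u in client["redirect_uris"])


def strict_redirect_check(client_id, redirect_uri):
    """Exact string match against the registered set, plus the scheme and no-fragment rules of RFC 6749."""
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None:
        return False
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or parts.fragment:
        return False
    return redirect_uri in client["redirect_uris"]


def start_authorization(session, client_id, redirect_uri):
    """Client side: mint an unguessable state, bind it to the user's session, build the authorize URL."""
    if not strict_redirect_check(client_id, redirect_uri):
        raise ValueError("redirect_uri is not registered for this client")
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    })
    return f"{AUTHORIZE_ENDPOINT}?{query}"


def handle_callback(session, query_string):
    """Client side: accept the authorization code only if state matches the session's copy.
    The stored state is consumed (popped) so a captured callback cannot be replayed."""
    params = parse_qs(query_string)
    expected = session.pop("oauth_state", None)
    received = params.get("state", [""])[0]
    if not expected or not hmac.compare_digest(expected.encode(), received.encode()):
        return None
    return params.get("code", [None])[0]
```

The strict check deliberately does no normalisation or pattern matching: the registered string and the submitted string must be byte-for-byte identical, which is what removes the "break out of the parameter" class of bug. The state check uses a constant-time comparison and a one-shot session value, so a callback that arrives without the session that started the flow is rejected.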
SAML is a popular protocol used to authenticate and authorize users for a service. It passes messages using XML, so most attacks targeting SAML are XML-based attacks.
A SAML exploit was released earlier this year which allowed malicious users to bypass the authentication process completely. It resulted from XML libraries incorrectly parsing XML comments, which allowed attackers to inject valid usernames into a SAML assertion and thereby bypass authentication.
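What "incorrectly parsing XML comments" means for the consumer of an assertion, as an added Python illustration (written for this article, not code from Duo, Okta or any SAML library; it performs no signature verification and assumes that step has already happened). The two assertions are constructed samples: in the second, the `NameID` text is interrupted by an empty comment. A consumer that reads only the first text node sees the victim's name, while the canonicalised content the signature covers is the full string; the strict consumer rejects any `NameID` with child nodes, and the full-text consumer uses every text node.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned sample assertions for the demonstration only.
CLEAN_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID>alice@example.com</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

# Same document, but the NameID text is interrupted by an empty XML comment. Read as a whole the
# NameID is "alice@example.com.attacker.invalid"; read up to the comment it is the victim's name.
COMMENT_ASSERTION = CLEAN_ASSERTION.replace(
    "alice@example.com", "alice@example.com<!---->.attacker.invalid"
)


def parse_keeping_comments(xml_text):
    """ElementTree's default TreeBuilder drops comments and silently glues the surrounding
    text together; keeping them in the tree lets the consumer see and reject them."""
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(xml_text, parser=parser)


def naive_name_id(assertion_xml):
    """A fragile consumer: take only the first text node of NameID (.text stops at the comment)."""
    node = parse_keeping_comments(assertion_xml).find(".//saml:NameID", SAML_NS)
    return node.text if node is not None else None


def strict_name_id(assertion_xml):
    """A defensive consumer: NameID is a simple string type, so any child node
    (comment or element) means the assertion is malformed and must be rejected."""
    node = parse_keeping_comments(assertion_xml).find(".//saml:NameID", SAML_NS)
    if node is None:
        raise ValueError("assertion has no NameID")
    if len(node) > 0:
        raise ValueError("NameID contains child nodes; rejecting assertion")
    return (node.text or "").strip()


def full_text_name_id(assertion_xml):
    """The other common fix: concatenate every text node under NameID, so the value the
    service acts on is the same value the (comment-free) canonical form carries."""
    node = parse_keeping_comments(assertion_xml).find(".//saml:NameID", SAML_NS)
    if node is None:
        raise ValueError("assertion has no NameID")
    return "".join(node.itertext()).strip()
```

Of the two fixes, rejecting the assertion outright is the safer default for a service provider: a legitimate identity provider never emits comments inside `NameID`, so their presence is a reliable signal that the message was tampered with and worth alerting on.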
MFA over email follows the exact same process as MFA over SMS, but the code is delivered to your email address instead of a text message. One benefit of using email is that people are already comfortable with regularly providing their email address to online services. For users, accessing their email is convenient, but more often than not, attackers can reach more sensitive information via email than via SMS. The problem with using email as an MFA delivery channel is that the first layer of security, the password, can usually be reset from the email account.
If a hacker compromises your email inbox, they can take over all your online accounts in a matter of minutes. Online accounts are primarily set up with an email address, creating an even more vulnerable situation for users and businesses.
If you choose to manage the identity of your users, it's imperative that you implement proper password storage procedures in case your data is ever leaked to the public. This means using a key-stretching hashing algorithm like PBKDF2, bcrypt or Argon2, with a unique, long salt per user, and a strong password policy. A strong password policy enforces a password length greater than 8 characters and ideally requires mixed case, numbers and special characters.
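The storage procedure and policy just described, as an added example in Python using only the standard library (this is illustrative code for this article, not any framework's built-in password hasher). The minimum length of 12, the PBKDF2-HMAC-SHA256 iteration count and the 16-byte salt are assumptions chosen for the example; the article itself only asks for more than 8 characters. Each user gets a fresh random salt, the stored string records its own parameters, and verification compares in constant time.

```python
import hashlib
import hmac
import os
import re

# Policy and cost parameters are assumptions for this example: the article asks for "greater than
# 8 characters"; 12 characters and a PBKDF2 iteration count in the hundreds of thousands are what a
# current deployment would typically choose.
MIN_LENGTH = 12
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def check_password_policy(password):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    return problems


def hash_password(password, salt=None):
    """Key-stretched hash with a fresh random salt per user. The result is one self-describing
    string (algorithm$iterations$salt$digest) so the cost can be raised later without a schema change."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def register(users, username, password):
    """Enforce the policy at registration, then store only the stretched hash, never the password."""
    problems = check_password_policy(password)
    if problems:
        raise ValueError("weak password: " + ", ".join(problems))
    users[username] = hash_password(password)


def login(users, username, password):
    stored = users.get(username)
    if stored is None:
        # Spend the same work for unknown accounts so timing does not reveal which usernames exist.
        hash_password(password)
        return False
    return verify_password(password, stored)
```

Because the salt is random per user, two users with the same password get different stored strings, so a leaked table cannot be attacked with a single precomputed lookup, and the iteration count is what turns "thousands of guesses per second" into a far smaller number for the attacker.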
Services such as haveibeenpwned now notify a user when their email address appears in a breach. This helps limit the impact of leaked credentials, as the user can quickly change their password to something more secure.
If you can build your application without managing usernames and passwords yourself, by implementing authentication through third-party identity providers like Facebook or Google, it is highly recommended to go this route.
Do not use SMS as an out-of-band mechanism to transport one-time tokens. Use a hardware token like a YubiKey or a software token application like Duo, Authy or Google Authenticator. Phone numbers are far too easy for attackers to gain access to.