Security study: Ditch the username and password
Researchers at Dartmouth College’s Institute for Security, Technology and Society, in collaboration with Manchester-based IT company WWPass, are exploring the weak links, vulnerabilities and economies of scale that have led to the data breach epidemic. And they’re urging organizations to eliminate the use of vulnerable legacy identity schemes based on username and password combinations as a method of authenticating employees and customers, replacing them with stronger identity technologies opaque to attackers.
The yearlong research project, funded in part by the New Hampshire Innovation Research Center, is a partnership between the Dartmouth institute and Manchester-based WWPass, an information technology company that has developed new ways to manage and protect an organization’s private and confidential information.
The NHIRC Granite State Technology Innovation Grant focuses specifically on data breach prevention for the health care industry, but the findings are applicable across all industries.
“When it comes to organizations trying to keep their data private, attackers always seem to win, no matter if the target is a security company like RSA or an entertainment giant like Sony, a regulated health provider like Anthem, a mass retailer like Target or Home Depot, or a leader in technology R&D like Google,” said Professor Sergey Bratus, Dartmouth’s lead researcher on the project. “There’s even worse news: breaches have become merely a matter of scale; it appears that if attackers can scale up their effort they win, no matter how unsophisticated they are.”
Organizations have long relied on usernames and passwords to authenticate employees and customers, but those methods have failed over and over again, he said. Even using second-factor authentication methods to thwart attackers does not seem to have turned the tide.
He said usernames are problematic because they are guessable and allow attackers to scour the victim’s social media accounts and public records – and knowing an employee’s email will likely lead an attacker to his or her Facebook account and a wealth of other private data.
Not surprisingly, according to a 2014 report from Verizon, 76 percent of data breaches occur due to attackers gaining access through stolen user credentials.
Economies of scale
Initial findings by Bratus and WWPass founder Gene Shablygin outline the importance of eliminating usernames and second-factor authentication methods in favor of non-guessable authentication methods, such as token authenticators or secure mobile apps.
Further complicating data security is the issue of economies of scale. Organizations guard against account compromise by checking the strength of their employee and customer passwords, or by requiring several modes of authentication on accounts they control.
However, accounts are all too often compromised outside of an organization’s control, when attackers gain access through other accounts belonging to the same person or used on the same computer. Once attackers obtain one person’s account information, they can use “side hops,” or lateral movement, to reach other information. It takes only one compromised username and password from one employee to wreak havoc on a major company.
“Scaling and meshing of everyone’s network activities and authentications has shifted the advantage to the attacker. The web of weak accounts makes it too easy for attackers to navigate from victim to victim,” said Shablygin. “We must make it harder for attackers to select and leverage the next round of targets. The only way to beat the scaling effects and end the epidemic of account breaches is to reduce this plethora of weak links by eliminating the use of usernames and passwords.”
The joint research project, which is expected to conclude in June, is funded with a $33,000 grant from NHIRC and a company match from WWPass.