Random ramblings about passwords, security & authentication

posted Oct 23, 2014, 8:11 AM by Sami Lehtinen   [ updated Oct 23, 2014, 8:12 AM ]
It seems that the real hacker scenario was forgotten. If the attackers own the system, they can do a lot more than just steal password hashes. They can modify the system to store plaintext passwords when users log in, and in many cases steal the information from the system(s) as well. Of course it's easy to forget that there are sites with very different security levels. Some are just running without any monitoring, while others have very strict IDS/IPS, 24/7 security and intrusion monitoring staff and systems, version control, configuration management, enforcement, monitoring systems, etc. I don't actually even understand why people are so obsessed with this password topic. I personally consider passwords to be shared random blobs. So what if one leaks? If I were the primary target of the attackers, they probably already stole the required information from the system(s), even without the password(s).

2FA doesn't help at all either, if the system is completely compromised. The attacker(s) can easily circumvent it, because they probably already have full control of the system. The only way to get these things right is tight layered security, internal protocols, etc. Why does the 'site' have full access to the password(s) anyway? Shouldn't there be a secondary hardened authentication system, with only tokens passed around? Do the system(s) containing the data properly verify with the authentication service whether the user is allowed to access the data? These are endless topics, once it's forgotten that there are systems with completely separate security requirements. Is 2FA enough? No? Do you run an authentication client on a smart phone? It's a computer, it's hackable. There should be a hardware token. Does the hardware token give you monotonic, 'action-independent' codes? It does? Well, that's also a fail, because every authentication code should be based on the action and content it's authenticating. Otherwise you could authenticate something you're not aware of. Many systems fail on that scale too, completely. Of course there are secure solutions, but those are expensive.
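To make the point about action-bound codes concrete, here is an added example (not code from the original post) contrasting a counter-only code with one that also covers the action text. The HOTP-style truncation and the constructed secret, counter and payment strings are my assumptions, chosen only for illustration.

```python
import hashlib
import hmac
import struct

# Constructed demo values: a shared token secret and a monotonic counter.
# A real server would also record the counter to reject replays.
SECRET = b"constructed-demo-token-secret"
COUNTER = 7
PAYMENT = "pay 100 EUR to account FI00 DEMO 0000 0001"   # what the user approves on the token
ALTERED = "pay 9000 EUR to account FI00 DEMO 9999 9999"  # what a compromised client submits


def truncate(digest: bytes, digits: int = 6) -> str:
    """HOTP-style dynamic truncation of an HMAC digest to a short numeric code."""
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def action_independent_code(secret: bytes, counter: int) -> str:
    """Code over the counter only: the same code is valid for any action."""
    return truncate(hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest())


def action_bound_code(secret: bytes, counter: int, action: str) -> str:
    """Code over the counter plus the canonical action text; changing the action changes the code."""
    msg = struct.pack(">Q", counter) + action.encode("utf-8")
    return truncate(hmac.new(secret, msg, hashlib.sha256).digest())


def verify_independent(secret: bytes, counter: int, action: str, code: str) -> bool:
    """Server check for the weak scheme: 'action' cannot be checked, only the counter is bound."""
    return hmac.compare_digest(action_independent_code(secret, counter), code)


def verify_bound(secret: bytes, counter: int, action: str, code: str) -> bool:
    """Server check for the bound scheme: the submitted action must match what the token signed."""
    return hmac.compare_digest(action_bound_code(secret, counter, action), code)


def demo() -> dict:
    """User approves PAYMENT on the token; a compromised client submits ALTERED with the same code."""
    weak = action_independent_code(SECRET, COUNTER)
    strong = action_bound_code(SECRET, COUNTER, PAYMENT)
    return {
        "weak_accepts_altered": verify_independent(SECRET, COUNTER, ALTERED, weak),  # True
        "bound_accepts_original": verify_bound(SECRET, COUNTER, PAYMENT, strong),   # True
        "bound_accepts_altered": verify_bound(SECRET, COUNTER, ALTERED, strong),    # False
    }


if __name__ == "__main__":
    print(demo())
```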

Password managers are also a bad solution, because they run on your computer / phone, and as we know, consumer devices and normal business systems aren't ever secure. All of them are sitting ducks if an attacker really wants to control them. Which also means that the attacker can access your password manager's content at will. Actually, the most important passwords in my password manager say something like, "Do you really think I'm stupid enough to put the password here?"

Passwords / PINs are a perfectly good part of a multi-factor authentication scheme, as the factor you have to know. I often wonder why people prefer to disable passwords when using SSH key login. I personally think that key + password is better than key only, in case the keys are stolen.

Just my random blah thoughts about all this endless blah blah.

I've also seen many times that the crackers have so many systems under their control that they don't even bother to explore the content of the systems they own. So they have missed the important stuff several times. Or they're smart enough to let me believe so. ;)

P.S. My bank doesn't allow a password stronger than six digits. But does it matter?