I’ve written in the past about security in the cloud and the fact that moving to the cloud doesn’t remove all obligations from users to ensure their data is safe. While undeniably using cloud services means that users can forget about many factors (the security of the siting of your server for example), there are still lots of things that users need to think about. Primary among these factors are passwords – the rise of cloud and SaaS has led to a huge increase in the number of individual passwords that users have – it’s no surprise then that this is one area that users tend to be a little sloppy in their attention and accordingly is often the first point of call that can be exploited by attackers
Recently Kyle Quest, CTO and co-founder of CloudImmunity (disclosure, I’m an adviser to the company) wrote a post detailing the results of some research he’d undertaken about the robustness of protocols that cloud vendors use to ensure strong password use. In part his research came abut after a rash of security compromises – from Evernote to LinkedIn, from Sony to Yahoo, a number of supposedly hi quality services showed that the way they go about password use makes them vulnerable to attack. As Quest pointed out, most discussion in technical communities focus on technical solutions – using hashing algorithms, salts for password hashing etc. But Quest pointed out that one of the primary issues here is that these services fail on what should be the first place they ensure security – helping users pick safe passwords. As he pointed out:
When users pick “password” or “123456,” it doesn’t matter how secure the password storage and password hashing are because attackers will guess these passwords in no time. It’s common practice for Internet and cloud application vendors to say that users shouldn’t pick weak passwords. But telling people to pick secure and hard-to-guess passwords simply doesn’t work because in many cases people will pick the easiest password their cloud applications allow
In an attempt to quantify the problem, Quest investigated 130 different cloud services spanning the continuum – IaaS, SaaS and PaaS, consumer and enterprise, technical and end-user. The results were a little depressing, the vast majority of services allowed users to use short passwords and had no requirement for a mix of letters and numbers, uppercase and lower. There was nothing stopping users from registering for a service using that old faithful – password1. He raised the question of whether services, especially those dealing with payments and billing, should enforce stricter password requirements on their users. His conclusions were that for most vendors, passwords are the “elephant in the room”, an issue that’s commonly overlooked. Sometimes developers are afraid to impact the user experience in a negative way, but a lot of times only a bare minimum is done because security is at the bottom of the developers’ to-do list and the user account implementation often ends up being based on the code samples found on the Internet.
The most secure passwords are, of course, random combinations of characters – but the flip side of this is that these passwords, while secure, are very difficult for users to remember. The net result is that users pick passwords they’ll easily recall, and often use the same password for multiple services. People do the bare minimum to meet requirements, this setting up behavioral blueprints that attackers use against them.
The future is more than likely going to consist a large number of discrete services and applications. Application security needs to be seen as a core building block of that future. Ideally that would mean we move from the current status quo of password based authentication but, as Quest puts it, passwords are like roaches, they’ll outlive us all. Instead of living in a fantasy or pretending that the problem doesn’t exist and pushing the responsibility for password security on cloud application users, we need correct password security implementations, and we need innovation to make passwords safe and usable.
Hi Ben,
Getting a user to choose a secure password is about as easy as herding cats.
Enforcing largely random password rules is also hard work.
I’ve been watching with interest the new SQRL (Secure, Quick, Reliable Login) developments – avoiding the whole password thing completely. Seems to be a common sense approach.