Thursday 14 November 2013

Adobe lesson learned: do not use complex passwords!


By now we have all learned about yet another password leak, this time at Adobe. Not just some incident, no, it's a big one, with some 130 million passwords in the open. A big scandal too. And of course we are amazed at the large number of all too obvious passwords chosen by the Adobe customers. Passwords like '123456' and 'secret' are amongst the most frequently chosen passwords. Are we really surprised? No, of course not. We already knew that people are not very aware of the security risks involved.

Who are those customers? They are people like you and me, consuming services anywhere on the internet, services like those offered by Adobe. And for most of those services the provider wants to know who you are by asking you to register an account. So, many of us did.

Accounts

Let me tell you about the way I create accounts. In order to protect my privacy I have to protect both my identity and my behavior. So I try to separate my digital life from my real life as much as possible. And I bet that I'm not alone in this. My preferred method is to create an account using an alias. And since providers want to reach my alias, I need to provide an email address. If possible I use a disposable or a fake email address. Next I have to pick a password. '123456' will do just fine. Why?
This password is not there to authenticate; it's there because the provider requires a password before granting me permission to use a service. But I didn't use a real digital identity, I just claimed some capacity to download whatever I want from the provider. I don't care about protecting it, because in real life it just doesn't exist, and in all fairness, it's worthless. In fact I may have created an Adobe account a long time ago, but I don't even remember it. And if I don't care, it's just not relevant how secure it is or how complex the password is. The only thing that I need to take care of is to NOT use one of my regular identities and passwords.

That's my real protection. As long as a provider, or a hacker for that matter, cannot link the non-existing identity with a real identity, there is no danger to my real privacy if the provider or the hackers publish '123456'. I couldn't care less. So, lousy providers like Adobe are not really a risk for me. I was right in not trusting them.
A far better way for providers to connect to customers would be to let them use an external identity: that way you don't need to register an account with the provider, and the provider doesn't need to protect it, because there is no password. If you are free to pick an external identity like Facebook, Twitter or LinkedIn, the risks of data leakage are far smaller. There is another privacy issue, because those identity providers learn your interests through the federation. I will not elaborate on this issue, but if you have enough digital identities, every identity provider knows only part of your interests, part of your activities and thus part of your identity. Divide et Impera.

Threats

The Adobe leak led to a lot of noise in the security community. There were two main comments. First: Adobe is stupid for not enforcing better security; I agree. Second: users are stupid for using simple passwords; well, I don't fully agree. I will explain why.
Account and identity management is tricky. There are two risks:
1) Someone knows you and tries to steal your identity.
2) Someone knows your password and your login name and tries to find out your real identity and reuse that information.

The first risk can be real, but it need not be that big, provided that you follow a few best practices. Protect your behavior. If someone cannot relate your real identity to a digital identity, not a lot of harm can be done in the digital world, in cyberspace.

As I mentioned, the second risk can be neglected as well, if you understand it and act upon it. I hope, and believe, that most of the Adobe top 20 passwords were used by people who knew this. In my opinion most of the accounts involved are disposable accounts, and preferably accounts that cannot be linked to real identities.

Password complexity

Both reactions to the Adobe leak came down to one issue: password complexity. The first fact was that Adobe didn't enforce password complexity, neither in the user space nor by following good practices for cryptography. The second fact: lots of users didn't use complex passwords.

Password complexity is difficult. A password needs to be complex for a few reasons:
- You don't want it to be easily guessed by someone who knows your digital identity.
- You don't want it to be easily cracked by someone who has access to your encrypted password.
Yet at the same time you want it to be easy to remember, for yourself.

The first risk is in fact the risk we need to manage to mitigate the threat of someone who knows you stealing your digital identity; that's the first identity risk. It's the risk of someone retrieving an identity => password combination based on known identity information.

The second risk is more difficult to manage. The enormous amount of processing power available makes this risk hard to mitigate; password cracking isn't that hard to do anymore. This risk works the other way around: someone tries to retrieve a password => account combination based on known password information. Encryption of the password in transit and in storage does help to safeguard the password information, but it will probably only help temporarily. So we are trying to use one measure, password complexity, to tackle two different risks. This may seem efficient, but in fact it's not what we need to do.
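The password => account direction above is easiest to see on a stored password file. The example below is added here and is not from the original post; it constructs three fake accounts (not real Adobe data) and contrasts a weak, deterministic storage scheme (assumed for illustration; the post does not detail Adobe's scheme) with per-user salted PBKDF2, then runs the check a defender would run: can accounts be linked by their stored values alone?

```python
from __future__ import annotations
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts (not real data): two aliases picked the same password.
ACCOUNTS = {
    "alias-1@example.invalid": "123456",
    "alias-2@example.invalid": "123456",
    "real.name@example.invalid": "Tr0ub4dor&3",
}
PBKDF2_ROUNDS = 100_000  # assumed work factor for the example


def store_deterministic(password: str) -> str:
    """Weak setting: the stored value depends on the password alone (no salt),
    so equal passwords always yield equal stored values and one known
    password reveals every account that uses it."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_salted(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Corrected setting: a random per-user salt and a slow KDF, so equal
    passwords yield unrelated stored values."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Login check for the salted scheme, using a constant-time comparison."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def group_by_stored_value(store: dict[str, object]) -> list[list[str]]:
    """Defender's check: any group larger than one means the store leaks a
    password => accounts trail without the password even being known."""
    groups: dict[object, list[str]] = defaultdict(list)
    for account, value in store.items():
        groups[value].append(account)
    return [accounts for accounts in groups.values() if len(accounts) > 1]


def linkable_groups(deterministic: bool) -> list[list[str]]:
    """Build the store with either scheme and report the linkable account groups."""
    if deterministic:
        store = {a: store_deterministic(p) for a, p in ACCOUNTS.items()}
    else:
        store = {a: store_salted(p)[1] for a, p in ACCOUNTS.items()}
    return group_by_stored_value(store)
```

With the deterministic scheme the two '123456' aliases fall into one group; with the salted scheme no group appears, so a leaked file no longer hands out the password => account trail.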

In order to prevent identity => password retrieval, we need password complexity. No one should be able to retrieve a password based on identity knowledge alone.
One example is phishing: an attacker tries to retrieve secret information from a known identity. That means that the real, or physical, identity => digital identity => password trail needs to be protected. And since the password is the valuable item, the password needs to be secured. That means using complex passwords (and, to fight phishing, educating users not to hand over secret information!).

To prevent retrieval of a valuable identity based on a found password, another mechanism is required. If someone has retrieved a password, he may be able to retrieve the digital identity, but he should not be able to retrieve the real identity behind the digital identity. Why?
Because this might lead to misuse through the identity => password risk!

If the password => identity trail can be found, an attacker might gain knowledge that lets him intercept other identity => password combinations. The identity is the valuable resource, so you need to protect your identity. And the best way is to use disposable identities, or external identities in those cases where you have to trust providers.

This leads to an interesting conclusion

Adobe user accounts with complex passwords may well be more at risk than accounts with easy-to-guess passwords: customers using a complex password may well have used a valuable identity, expecting the complex password to protect it. How about that?

In my next post I will introduce a really simple complex-password method.