donderdag 14 november 2013

Adobe lesson learned: do not use complex passwords!


By now we all learned about yet another password leak, this time at Adobe. Not just some incident, no, it's a big one, with some 130 million passwords in the open. A big scandal too. And of course we are amazed at the large number of too obvious passwords chosen by the Adobe customers. Passwords like '123456' and 'secret' are amongst the most frequently chosen passwords. Are we really surprised? No of course not. We already knew that people are not very aware about the security risks involved.

Who are those customers? They are people like you and me, consuming services anywhere on the internet, Services like those offered by Adobe. And for most of those services the provider wants to know who you are by asking you to register an account. So, many of us did.

Accounts

Let me tell you about the way I create accounts. In order to protect my privacy I have to protect both my identity and my behavior. So I try to separate my digital life from my real life as much as possible. And I bet that I'm not alone in this. My preferred method is to create an account using an alias. And since providers want to reach my alias, I need to provide an email address. If possible I use a disposable, or a fake email address. Next I have to pick a password. '123456' will do just fine. Why?
This password is not there to authenticate, it's there because the provider wants me to provide a password to ensure my permission to use a service. But I didn't use a real digital identity, I just claimed some capacity to download whatever I want from the provider. I don't care about protecting it, because in real life it just doesn't exist, and in all fairness, it's worthless. In fact I may have created an Adobe account a long time ago, but I don’t even remember it. And if I don't care, it's just not relevant how secure it is or how complex the password is. The only thing that I need to take care of is to NOT use one of my regular identities and passwords.

That's my real protection. As long as a provider or a hacker for that matter, cannot link the non-existing identity with a real identity, there is no danger for my real privacy if the provider or hackers publish '123456'. I couldn't care less. So, lousy providers like Adobe are not really a risk for me. I was right in not trusting them.
A far better way for providers to connect to customers would be to let them use an external identity, that way you don't need to register an account with the provider and the provider doesn’t need to protect it, there is no password... If you are free to pick an external identity like facebook, Twitter or LinkedIn, then the risks of data leakage are far less. There's another privacy issue, because those identity providers know your interests because of the federation stuff. I will not elaborate on this issue, but if you have enough digital identities, every identity provider only knows part of your interests, part of your activities and thus part of your identity. Divide et Impera.

Threats

The Adobe leak led to a lot of noise in the security community. There were two main comments: Adobe is stupid by not enforcing better security, I agree. And: users are stupid for using simple passwords, well, I don't fully agree. And I will explain this:
Account and identity management is tricky. There are two risks:
1) Someone knows you and tries to steal your identity.
2) Someone knows your password and your login name and tries to find out your real identity and reuse that information

The first risk can be real, but it need not be that big, provided that you think about a few best practices. Protect your behavior. If someone doesn't know to relate your real identity to a digital identity, not a lot of harm can be done in the digital world, in Cyberspace.

As I mentioned, the second risk can be neglected as well, if you understand it and act upon it. I hope/believe that most of the Adobe top 20 passwords are used by people who knew this. In my opinion most of the accounts used are disposable accounts. And preferably accounts that cannot be linked to real identities.

Password complexity

Both reactions to the Adobe leak came down to one issue: password complexity. Fact was that Adobe didn't enforce password complexity, not in the user space, not by using good practices for cryptography. Second fact: lots of users didn't use complex passwords.

Password complexity is difficult. A password needs to be complex for a few reasons:
- You don't want it to be easily guessed by someone who knows your digital identity.
- You don't want it to be easily cracked by someone who has access to your encrypted password.
Yet at the same time you want it to be easily remembered, by yourself.

The first risk is in fact the risk that we need to manage to mitigate the threat of someone who knows you to steal your digital identity, that's the first identity risk. It's the risk of someone retrieving an identity => password combination based on known identity information.

The second risk is more difficult to manage. The enormous amounts of processing power makes this risk hard to mitigate, password cracking isn't that hard to do anymore. This risk works the other way around: someone tries to retrieve a password => account combination based on known password information. Encryption of the password in transit and in storage does help safeguarding the password information, but it will probably only help temporarily. So we are trying to use one measure, password complexity, to tackle different risks. This may seem efficient, but in fact it's not what we need to do.

In order to prevent identity => password retrieval, we need password complexity. No one should be able to retrieve a password based on identity knowledge alone.
One example is Phishing: an attacker tries to retrieve secret information from a known identity. That means that the real, or physical identity => digital identity => password trail needs to be protected. And since the password is the valuable item, the password needs to be secured. That means using complex passwords (and to fight phishing: educate users to not hand over secret information!).

To prevent retrieval of a valuable identity based on a found password, another mechanism is required. If someone retrieved a password, he may be able to retrieve the digital identity, but he should not be able to retrieve the real identity behind the digital identity. Why?
This might lead to misuse of the identity => password risk!

If the password => identity trail can be found, an attacker might gain knowledge to intercept other identity => password combinations. The identity is the valuable resource, so you need to protect your identity. And the best way is to use disposable identities or external identities in those cases that you have to trust providers.

This leads to an interesting conclusion


Adobe user accounts with complex passwords, may well be more at risk than accounts with easy to guess passwords: customers using a complex password may well have used a valuable identity, expecting the complex password to protect it. How about that?

In my next post I will introduce a real simple complex password method.

3 opmerkingen:

mrkoot zei

The above states: "A far better way for providers to connect to customers would be to let them use an external identity, that way you don't need to register an account with the provider and the provider doesn’t need to protect it, there is no password... If you are free to pick an external identity like facebook, Twitter or LinkedIn, then the risks of data leakage are far less. There's another privacy issue, because those identity providers know your interests because of the federation stuff. I will not elaborate on this issue, but if you have enough digital identities, every identity provider only knows part of your interests, part of your activities and thus part of your identity. Divide et Impera."

What's the threat model? Against what attacker and what types of attack are we self-protecting? The Divide et Impera initially established by the use of disposable accounts will fail as soon as the social media are compromised, bought, forced by govt to hand over data, decide to monetize your data, what have you. Unlinkability can also easily fail due to failing OPSEC: there's a LOT of cross-domain content-fetching happening during casual web browsing, leaking bits of information to all social media and then some. We'd have to act implausibly careful at all times to prevent casual leakage of identifying bits of information that can be easily used to undo unlinkability.

The use of disposable accounts will only provide weak unlinkability that should be assumed to fail. Strong(er) unlinkability needs OPSEC, probably involving the (proper) use of anonymising networks, and, if paranoid, restricting activities within each context to separate physical+digital locations.

Regarding the password topic, my suggestion is promoting (and if possible enforcing) the use of *generated* strong passwords + a password manager. No more problem regarding password re-use, no more problem regarding poorly chosen passwords, no more problem regarding inferring identities from (unique) passwords. Everybody on earth should do that. And if everyone would, there'd be no more inference of interesting identities from leaked passwords, but that probably won't happen soon.

I'd love to hear other people's take on this.

Kind regards,
Matthijs

Alexander Schrijver zei

I agree with what mrkoot said, and would like to extend a bit on this.

On of the problems with the Adobe case is the difference in goals. The goal of adobe is to collect as much (future) customer information as possible. While the actual customer just wants to download product X.

The assumptions made by the customer and Adobe are completely different as well.

Adobe assumes the customer takes their Adobe identity very seriously, while the customer just wants to see their freaking dancing hamsters (or download some stupid Adobe SDK). Which leads to the customer just creating a throwaway account.

The problem is, is that the system which Adobe designs isn't created to be used for throw away accounts.

mrkoot already said this, the adobe account is more than a tuple of (username, password). It stores, or could store, all kinds of data. IP addresses, browser session data, products serial keys created. All which can be related to your actual identity.

If I were to be evil, and wanted to get you convicted or at least a suspect of a certain crime. I could login to your throwaway account, use it for criminal activity X, and wait for the police to pull your IP address/session data from the account. And then watch the show.

And of course, more evil can be done when your account is related to your actual identity.

André Koot zei

Today, again, we learned that the most popular passwords are '123456', 'secret' and 'password'. And I still have to say that I'm glad that people use this kind of simple password. Worthless accounts deserve worthless passwords.

I predict that when (worthless) websites start requiring complex passwords, we will see more serious dataleaks and identity theft, because people will reuse their existing complex passwords from their valuable sites.
Yes password vaults are useful, as are multifactor authentication facilities, but as long as these are not user friendly or secure enough (yes, these too are vulnerable), I sincerely hope that people keep on using the simple passwords that they can't use at valuable sites!