Password Authentication with Brandon Dees – Part 1
When you’re rushing to get a brand new app out the door in time for a planned launch, it can be easy to brush off security concerns beyond simply ensuring that user accounts are password-protected. After all, if you’re not handling state secrets or financial data, and if your app is small and unheard-of, it’s not like you’re going to be a major target of cracking attempts… right?
In today’s episode, guest chef Brandon Dees joins us to explain why even small web applications need to be concerned with good password practices. You’ll learn how your site may be a target for reasons other than those you might expect. And you’ll get a crash course on how seemingly strong passwords aren’t as safe as they may appear.
This is part one of a two-part series. In the episode to follow, Brandon will give you some concrete advice on keeping your staff accounts secure, and on educating your users about password security. Enjoy!
Video transcript & code
Why Authentication Matters
Authentication may seem like a mundane and well-solved problem, but it's a very deep and nuanced subject to understand.
In practice, it's one of the largest security gaps being exploited in the wild.
Verizon's latest annual Data Breach Investigations Report (DBIR) indicates that credential theft is still the number one attacker action involved in data breaches.
I've found that many developers relegate security considerations to a low priority due to some common misconceptions. They think of application security as something that doesn't really apply to their project, or they hope and trust that someone else is taking care of it for them, or in some cases they may understand the technical risks but just aren't thinking about how those details can translate into potential problems for real people.
Even if we set up our applications following best practices, what the industry considers to be best practices for secure authentication have evolved substantially over the years, and continue to evolve.
Just as significantly, our users ultimately get to decide how strong their password will be.
They're trusting us as professionals to build our applications correctly and to tell them what they need to know to use our applications safely.
I'm hoping that I can dispel some of those misconceptions and encourage a more empathetic perspective. This should help you deliver more resilient and trustworthy systems rather than adding to the growing pile of industry data breach statistics. We'll also discuss what we should be telling our users about how they can manage their part of authentication security appropriately.
Before going further, I want to be sure to clarify a few terms: Authentication is the verification of a claim of identity. Authentication is not to be confused with authorization, which determines whether a given identity should be permitted to perform a given action, and is a separate topic.
Entropy is a measure of randomness or unpredictability in a system. RubyTapas Episode #306: Random Samples, Episode #310: Randomness, Episode #311: Secure Random, and Episode #315: Random Seed examine some of the tools and applications at our disposal for working more directly with sources of entropy in Ruby if you want to dig deeper.
Many motives for breaking authentication
Account hijacking can have a wide range of motives, many of which aren't extremely obvious or even direct.
There is often a financial incentive to break into a given account. There's a black market for re-selling account data in bulk.
It's also possible in many cases to leverage an account's functional power to distribute spam content, which is a big industry these days. Similar capabilities may also be exploited to conduct DDoS attacks, for which there is also a big market.
There are also more targeted ways to make money with account credentials, including leveraging sensitive data against an individual person or organization to extort a ransom. These are just some of the ways attackers can leverage cracked account credentials to make money.
Account access can also often be leveraged for other types of attacks which may not be directly related. One noteworthy example is when Mat Honan had several of his personal accounts hijacked, and a lot of his personal data destroyed, all because someone wanted his rare three-letter Twitter handle for vanity reasons. The story is well worth taking the time to read to get an idea of how subtle details of how we implement authentication systems can affect people's lives in ways that are hard to anticipate.
Another interesting and eye-opening example is the story of how China used individual people's browsers to take down GitHub in defense of government censorship. This attack didn't leverage stolen account credentials, but you could imagine a version of it that worked that way instead of using traffic interception; my point is to illustrate that there are even broad geopolitical motives for attacks against individual web users' accounts.
There are, of course, plenty of more personal motives for breaking into accounts as well. I won't attempt to enumerate all the possible or likely scenarios.
Entropy in passwords is critical to security
Most methods of password cracking involve some form of systematic guessing, often taking advantage of knowledge about what kinds of passwords are more likely to be chosen than others to optimize the guessing process.
The main factor that protects a given credential against these types of attacks is entropy, or how much randomness or unpredictability was factored into its creation.
A long and purely random string has a lot of entropy and could require astronomical computational energy to eventually crack.
Unfortunately for passwords, people are surprisingly predictable at making up strings that should be hard to guess.
From favorite "random" words, to supposedly obscure media references, to substitution patterns like replacing letters with numbers of similar shape or using structured geometric patterns on a standard keyboard layout, even when we try to come up with clever tricks to make our password more unguessable, we are very strongly biased towards methods that are easy enough to remember, and there just aren't enough variations of those to resist a modern password cracking system that can check trillions of guesses per second. I'm talking about a high-end consumer PC here, not even industrial-scale, nation-state-funded server farms.
Conclusions and recommendations
Hopefully now you'll better understand the importance of strong passwords and authentication security in general, even in places where we may be tempted to think it's not that important. Next episode we'll talk about some recommendations for how to keep our apps safe and help our users to do the same.
Further reading recommendations
- How Apple and Amazon Security Flaws Led to My Epic Hacking
- DDoS attacks that crippled GitHub linked to Great Firewall of China
- OWASP Top 10 Project
- NIST SP 800-63-3 Digital Identity Guidelines, specifically section B
- Verizon Data Breach Investigations Report (DBIR)
- Buffer App / MongoHQ Data Breach 2013
- RubyTapas Episode #530: Two Factor Authentication
- Troy Hunt's have i been pwned?
- Troy Hunt's Pwned Passwords list
- LastPass is the password manager I recommend for most people
- Randomly generated passphrases can provide a better trade-off between total password strength and memorability. I strongly recommend following the EFF guide, using their carefully designed wordlists and a minimum of 6 words to use this technique securely. Use more words for more security. For reference, here's the original Diceware method of generating memorable secure passwords.
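The following Ruby script is an added illustration of two points on this page: the entropy argument in "Entropy in passwords is critical to security" and the randomly generated passphrase recommendation just above. It is example code written for this page, not code from the episode or from RubyTapas. It assumes the trillion-guesses-per-second rate quoted in the episode, uses the size of the EFF long wordlist (7776 words) only for the entropy maths while drawing words from a constructed ten-word stand-in list so it runs offline, and models a "clever" human password (dictionary word plus letter substitutions plus a two-digit suffix) with illustrative keyspace sizes that are assumptions, not measurements. Word selection uses SecureRandom, the CSPRNG covered in Episode #311.

```ruby
require 'securerandom'

# Guess rate quoted in the episode for a high-end consumer PC against a
# fast, unstretched hash: about a trillion guesses per second.
GUESSES_PER_SECOND = 1_000_000_000_000

# Size of the EFF long wordlist (6^5 entries, one per roll of five dice).
# Only the size matters for the entropy maths below.
EFF_LONG_LIST_SIZE = 7776

# Constructed ten-word stand-in for a real wordlist so the generator runs offline.
SAMPLE_WORDLIST = %w[abacus banjo cactus dingo eagle falcon garlic harbor igloo jaguar].freeze

SECONDS_PER_YEAR = 365.25 * 86_400

# Bits of entropy in a secret built by choosing uniformly at random from
# `choices` options at each of `length` positions: length * log2(choices).
def entropy_bits(choices, length)
  length * Math.log2(choices)
end

# Entropy of a human-style "clever" password, modelled as the size of the
# pattern an attacker enumerates instead of the whole character space.
# The default sizes are illustrative assumptions, not measured figures.
def pattern_entropy_bits(base_words: 100_000, substitution_variants: 16, suffix_variants: 100)
  Math.log2(base_words * substitution_variants * suffix_variants)
end

# Expected seconds to find the secret by exhaustive guessing at `rate`
# guesses per second; on average half the space is searched before the hit.
def expected_crack_seconds(bits, rate = GUESSES_PER_SECOND)
  (2.0**bits / 2) / rate
end

# Render a duration in the largest convenient unit.
def human_duration(seconds)
  return format('%.4g seconds', seconds) if seconds < 60
  return format('%.4g hours', seconds / 3600.0) if seconds < 86_400
  return format('%.4g days', seconds / 86_400.0) if seconds < SECONDS_PER_YEAR
  format('%.4g years', seconds / SECONDS_PER_YEAR)
end

# Diceware-style passphrase: every word is drawn with the OS CSPRNG.
# SecureRandom.random_number(n) is uniform over 0...n (no modulo bias);
# Kernel#rand is a seeded PRNG and must not be used for secrets.
def random_passphrase(word_count, wordlist = SAMPLE_WORDLIST)
  Array.new(word_count) { wordlist[SecureRandom.random_number(wordlist.size)] }.join(' ')
end

# Entropy and expected crack time for each generation strategy. Entropy is
# a property of how the secret was generated, not of how random it looks.
def strategy_report(rate = GUESSES_PER_SECOND)
  strategies = {
    'word + leet substitutions + 2 digits (human)' => pattern_entropy_bits,
    '8 random lowercase letters'                   => entropy_bits(26, 8),
    '10 random printable ASCII characters'         => entropy_bits(95, 10),
    '6 random EFF long-list words'                 => entropy_bits(EFF_LONG_LIST_SIZE, 6)
  }
  strategies.transform_values do |bits|
    { bits: bits.round(1), crack_time: human_duration(expected_crack_seconds(bits, rate)) }
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "Generated passphrase (from the ten-word sample list): #{random_passphrase(6)}"
  strategy_report.each do |name, r|
    puts format('%-45s %6.1f bits  ~%s', name, r[:bits], r[:crack_time])
  end
end
```

The report makes the episode's point concrete: the "clever" pattern collapses to roughly 27 bits and falls in a fraction of a second, while six words drawn uniformly from a 7776-word list give about 77.5 bits, which at the same guess rate is thousands of years of work. Note that the passphrase printed from the ten-word sample list is for demonstration only; real use needs a full Diceware or EFF list.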