The Weakest Link

September 2018 | Digital Transformation

Everyone hates passwords. They're vulnerable to hackers and hard to remember. Now tech firms are trying to get rid of them entirely.

Barely a week seems to go by without news of a new data breach hitting the headlines. The situation has got so bad that IT security experts advise website owners that preventing breaches against a determined foe is impossible. Best practice is to lock systems down so that if a breach does occur, nothing important is affected. Most breaches aren't by determined hackers anyway; they're the result of automated botnets scanning the web and exploiting misconfigurations or unpatched security vulnerabilities in Internet-accessible databases.

Last year's major breach at Equifax was down to an unpatched bug in their online support portal. The bug granted direct access to their customer database; all the hackers had to do was guess the admin password to the site. This is far from the first time this has happened.

When designing security the human factor is almost always the weakest link. An unpatched server is the result of a human decision to prioritise uptime ahead of security. An insecure admin password set to something a human could remember is the result of a human decision to make access easier for IT.

All websites have security vulnerabilities at some point or other. Even Drupal has had several major high-profile security updates this year, and this from a platform which is widely considered to be a highly secure CMS that follows security best practices. There is no such thing as a totally secure system, only one whose security holes haven't been found yet.

Security researchers, therefore, are focusing on eliminating the weakest link in the chain, which is the need for humans to log in to a system and the passwords that enable them to do this. The leading technology companies are actively developing ways to replace passwords with newer means of verifying logins.

The issue with passwords is that they are predictable and all too easily crackable. Increases in computing power mean that the common 8-character password can now be cracked in hours or days rather than months or years, as used to be the case. That's enough to deter a casual hacker, but not enough to stop a determined foe who can set up a powerful server in the cloud and let it run until it has guessed your password and gained access to whatever it is protecting.

Adding more complex characters or using completely random sequences of characters used to be a good defence, but is no longer enough. Expert advice on password security has recently changed to using simple but long passwords, and to changing passwords only rarely. The typical pattern of changing passwords every 60 or 90 days results in passwords following a predictable pattern that hackers have noticed.

The idea behind regular password changes was that if a hacker obtained a person's password, then they only had a limited window of access before you changed it and they lost access again. If that password change is incrementing the numerical part of that password, then that can be easily guessed, and the whole reason for enforcing password changes falls apart. Worse, studies have shown that regular password changes result in people using simpler passwords.
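As an added illustration (not code from the original article), a password-change form can catch the incrementing pattern described above at the one moment it holds both the old and new password in plaintext. The function name and sample passwords are constructed for this example.

```python
import re


def _split(password):
    """Split into (text parts, digit runs).

    re.split with a capture group alternates text, digits, text, ...
    so even indexes are the non-digit skeleton and odd indexes the numbers.
    Text is case-folded so 'Summer' and 'summer' count as the same skeleton.
    """
    parts = re.split(r"(\d+)", password)
    return [p.casefold() for p in parts[0::2]], parts[1::2]


def is_incremental_change(old, new):
    """True when the new password is the old one with only its digits changed.

    Identical passwords return False here; plain reuse is a separate check.
    """
    old_text, old_nums = _split(old)
    new_text, new_nums = _split(new)
    if old_text != new_text:
        return False  # the non-digit skeleton really changed
    return old_nums != new_nums  # same skeleton, different numbers


if __name__ == "__main__":
    # Constructed sample pairs, not real credentials.
    for old, new in [
        ("Summer2018!", "Summer2019!"),
        ("Password9", "Password10"),
        ("Summer2018!", "correct horse battery staple"),
    ]:
        print(old, "->", new, is_incremental_change(old, new))
```
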

In an enterprise environment, single sign-on technologies provide a solution to this problem. Single sign-on systems are built around a widely adopted security standard called SAML. This is a technology that allows apps to delegate login handling to another application such as Okta, OneLogin or ADFS. Not only does this reduce the number of passwords that people need to remember, in a strict implementation it can eliminate those passwords entirely. Most apps that support SAML Single Sign-on include an option to require its use and to block users from logging in with a password if one exists. The technology has been widely adopted because it is one of those rare technologies that unambiguously benefits both end users and IT.

Attempts are being made to replace passwords with biometric alternatives such as fingerprint readers or facial recognition. These technologies have existed for a long time but are finally hitting the mainstream due to their use on mobile phones. Both Apple and Microsoft allow you to use those mobile phones to unlock other devices such as Macs and PCs. Microsoft have openly spoken of their efforts to eliminate passwords and replace them with the Windows Hello features built into Windows 10. This is the brand name for Microsoft's biometric login features. The aim is that in future PC users will use facial recognition and a hardware device such as a mobile phone or USB token to sign in to Windows rather than a username and password. Technologies have been developed to extend this to the web, by allowing the use of fingerprint readers on phones and PCs to log into websites.

In the interim, the entire technology industry is heavily pushing two-factor authentication as a way to ensure that accounts can't be compromised even if passwords are hacked. If you set this up, you will be required to enter a 6-digit single-use code when logging into a website. Where this code comes from varies by the site. Most allow you to specify a mobile phone number to receive verification codes when you log in or use the ubiquitous Google Authenticator app to generate it. Security experts strongly recommend you configure this option for all your email accounts, as well as any other site which holds your personal or financial information. It's a minor inconvenience when logging in, but it does substantially reduce the chances of an account being hacked. As such, it's definitely worth taking advantage of where available.
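Authenticator apps such as Google Authenticator derive the 6-digit code with TOTP (RFC 6238): an HMAC over the current 30-second time step, keyed with a secret shared at enrolment. The sketch below is an added example, not code from the original article; it shows the code generation and a server-side check that tolerates clock drift and rejects a replayed code. The secret is the published RFC 6238 test key, and `verify` with its `last_used_counter` parameter is a name chosen for this example.

```python
import hashlib
import hmac
import struct

# Published RFC 6238 test secret (ASCII). Real secrets are random and
# provisioned per user; this one is only for reproducible output.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of last byte picks the 4-byte window
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238: HOTP where the counter is the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits)


def verify(secret, submitted, unix_time, last_used_counter, window=1, step=30):
    """Return the matched time-step counter, or None if the code is rejected.

    Accepts codes up to `window` steps either side of now to absorb clock
    drift, and refuses any step at or before the last one already used, so a
    code observed in transit cannot be replayed.
    """
    current = unix_time // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_used_counter:
            continue  # single-use: this step has been consumed
        expected = hotp(secret, counter).encode()
        if hmac.compare_digest(expected, submitted.encode()):
            return counter  # caller stores this as the new last_used_counter
    return None


if __name__ == "__main__":
    print(totp(RFC_TEST_SECRET, 59))
    print(verify(RFC_TEST_SECRET, "287082", 89, last_used_counter=0))
    print(verify(RFC_TEST_SECRET, "287082", 89, last_used_counter=1))
```
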

Written by
Marketing Operations Consultant and Solutions Architect at CRMT Digital specialising in marketing technology architecture. Advisor on marketing effectiveness and martech optimisation.