Security experts have been saying for decades that human weakness can trump the best technology.
Apparently it can also trump conventional wisdom.
Ever since passwords became the primary method of online authentication, conventional wisdom has held that changing them every month or so improves a person's, or an organization's, security.
Not according to Lorrie Cranor, chief technologist of the Federal Trade Commission (FTC), who created something of a media buzz earlier this year when she declared in a blog post that it was,“time to rethink mandatory password changes.”
She gave a keynote at the BSides security conference in Las Vegas earlier this month making the same point.
But the message is not new; she has been preaching it for some time. Cranor, who before she moved to the FTC was a professor of computer science and engineering and public policy at Carnegie Mellon University, gave a TED talk on it more than two years ago.
She argues that changing passwords frequently can do more harm than good. Not because a new password, in and of itself, makes things easier for an attacker, but because of human nature.
She cited research suggesting that, “users who are required to change their passwords frequently select weaker passwords to begin with, and then change them in predictable ways that attackers can guess easily.”
This, she said, was demonstrated more than six years ago in a 2009-2010 study at the University of North Carolina at Chapel Hill. Researchers, using passwords of more than 10,000 defunct accounts of former students, faculty and staff, found it much easier to crack a new password if they had cracked an old one, since users tended to create a new password with a minor tweak of the old one.
Those tweaks included changing a lowercase letter to upper case, substituting a number for a letter, such as a “3” for an “e,” or simply adding a couple of letters or numbers to the end of the previous password.
Cranor said the researchers found that if they knew the previous password, they could guess the new one in fewer than five attempts. A hacker who had also stolen the hashed password file could guess the new one within three seconds, and that was with 2009 technology.
The UNC study is not the only one to reach that conclusion. Researchers at the School of Computer Science at Carleton University in Ottawa, Canada, in a paper published in March 2015, concluded that the security benefit of password expiration policies is, “relatively minor at best, and questionable in light of overall costs,” for the same reason the UNC researchers found.
“(W)hen password changes are forced, new passwords are often algorithmically related to old [passwords], allowing many to be found within a few guesses,” they wrote.
And the National Institute of Standards and Technology (NIST), in a draft publication from April 2009 (although it was marked “Retired” this past April), said password expiration policies frequently frustrate users, who then, “tend to choose weak passwords and use the same few passwords for many accounts.”
Not surprisingly, attackers are well aware of these weaknesses. The latest Verizon Data Breach Incident Report (DBIR) found that 63% of all data breaches involved the use of stolen, weak or default passwords.
A report published earlier this month by Praetorian found that four of the top five activities in the cyber kill chain involved not malware but stolen credentials, enabled by things such as weak domain user passwords and passwords stored in cleartext.
All of this looks like more ammunition for groups like the FIDO Alliance, which has been crusading for organizations to stop using passwords altogether since it was formed four years ago. The alliance has not been idle: it is offering two authentication options that it hopes users and service providers will find irresistible.
But even with growing interest in and acceptance of those options, Brett McDowell, executive director of FIDO, has acknowledged that there will be a “long tail” of password use.
During that long transition, he and others say, there are multiple ways to improve security that do not involve creating, every few months, a new password that is easier to crack than the previous one.
Zach Lanier, director of research at Cylance, cites Apple’s TouchID and Google’s Project Abacus as mobile options to wean users off passwords, but said passwords are obviously, “still around, and they’re likely to be for a bit longer. It’s just that they’re so ‘standard’ for people and enterprises, and have been for so long, that it’s really hard to make them completely disappear.”
In the interim, he said, organizations can improve their password security through a combination of employee training and, “actively testing their authentication mechanisms and auditing users’ passwords – cracking them – whether it’s through internal infosec teams or external firms. In my opinion, it should be both,” he said. “This can give the organization a better idea of where things are broken, from people to technology.”
Users can be brought into the effort as well, he added, by “making available tools to allow, if not force, users to test the strength of their passwords.”
McDowell agrees that education is, “a laudable endeavor, especially to help users avoid falling victim to phishing and/or social engineering attacks.” But he said the “shared secret” authentication model is vulnerable to too many forms of attack, not just social engineering, hence the need to eliminate it as soon as possible.
Tom Pendergast, chief strategist, Security, Privacy & Compliance, at MediaPro, said organizations can and should have much more rigorous password policies. “Current policies set the bar far too low for complexity in passwords and don’t require multi-factor authentication, acknowledged as the best commonly-available solution,” he said.
Lanier agreed. “There are some really awful organizations, sites or services that can’t seem to move past the year 1998 with authentication,” he said.
“Things like not allowing certain characters, or limiting password length to something ridiculously low, because the developers, DBAs, and/or designers are using outdated or obsolete mechanisms.”
Pendergast said he sees the same thing. “There is plenty of existing technology designed specifically to prevent users from repeating passwords, using common passwords, and enforcing password rules. A surprising number of companies don’t use these basic password reinforcement functions,” he said.
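The predictable tweaks the UNC researchers catalogued (case flips, “3” for “e,” a couple of characters appended) and the “basic password reinforcement functions” Pendergast mentions can be combined into a single server-side check at password-change time. The following is an added example written for this article, not code from any of the researchers, vendors or organizations quoted. The common-password list, the per-user salt and the sample passwords are constructed, and the normalization rules are assumptions modelled on the tweaks the article lists; it generalizes slightly by also catching characters prepended rather than appended.

```python
import hashlib

# Constructed stand-in for a breached/common-password list; a real deployment loads a large corpus.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "summer"}

# Digit/symbol-for-letter substitutions of the kind the UNC study found (e.g. "3" for "e").
# Assumed mapping: extend it to whatever substitutions your own audits turn up.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def canonical(password: str) -> str:
    """Collapse the cheap tweaks: case changes and digit/symbol substitutions."""
    return password.lower().translate(LEET_MAP)


def levenshtein(a: str, b: str) -> int:
    """Edit distance: the number of single-character inserts, deletes or substitutions between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_variant(old: str, new: str, max_edits: int = 2) -> bool:
    """True when `new` is a predictable transform of `old`: identical after canonicalisation,
    one is the other with a few characters added at either end, or the two are within a couple of edits."""
    a, b = canonical(old), canonical(new)
    if not a or not b:
        return False
    if a == b:
        return True
    short, long_ = sorted((a, b), key=len)
    # "Summer2015" -> "Summer2015!" style additions; the length ratio keeps a tiny old password
    # from matching every long new one that happens to contain it.
    if short in long_ and 2 * len(short) >= len(long_):
        return True
    return levenshtein(a, b) <= max_edits


def history_hash(password: str, salt: bytes) -> bytes:
    """Slow salted hash for the stored password history. The same per-user salt is reused across
    that user's history entries so a candidate can be compared against them."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


def evaluate_change(old: str, new: str, history: set, salt: bytes, min_length: int = 12) -> list:
    """Return the reasons a proposed password change should be rejected (empty list means accept).
    `old` is available in plaintext only because the user just typed it to authorise the change;
    older history entries exist as hashes, so they can be checked for exact reuse only."""
    reasons = []
    if len(new) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if any(is_trivial_variant(common, new) for common in COMMON_PASSWORDS):
        reasons.append("resembles a common password once case and digit substitutions are undone")
    if is_trivial_variant(old, new):
        reasons.append("predictable tweak of the current password")
    if history_hash(new, salt) in history:
        reasons.append("reuses an earlier password")
    return reasons


if __name__ == "__main__":
    salt = b"constructed-per-user-salt"  # constructed; a real system stores a random salt per user
    history = {history_hash("Winter2014", salt)}  # constructed previous password
    for candidate in ["Summer2016", "Summ3r2015!", "Winter2014", "correct horse battery staple"]:
        print(candidate, "->", evaluate_change("Summer2015", candidate, history, salt) or ["accept"])
```

The similarity test can only be run against the password the user is replacing, because that is the only one the server sees in plaintext at that moment; everything older is compared by salted hash for exact reuse. The check also shows why the experts quoted here favour dropping forced expiration rather than adding rules: a user whose “Summer2016” is rejected will reach for the next small tweak, so the rule is a backstop for the audits Lanier describes, not a substitute for a second factor.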
Lanier noted that, “password managers are, of course, a huge boon for generating complex passwords without the fuss of having to remember them or write them on a Stickie note. This at least reduces the risk that a person might serialize their password choices. Certainly not a panacea, but for the average person, it’s a great idea.”
Still, as McDowell notes, even rigorous passwords cannot make up for a person being tricked by a skilled attacker. “Many times, passwords are simply given away in phishing or social engineering attacks,” he said. “The most recent statistic I saw from the SANS Institute is that 95% of all successful attacks on enterprise networks are the result of spear phishing.”
All agree that the weaknesses of human nature mean it would be better to move beyond passwords. But, as McDowell notes, human nature also requires that whatever replaces passwords must be, “easier to use than passwords alone.
“User experience will be key. The secret to building a secure password-replacement system is to build ease of use into its foundation, so that security wins out every time,” he said.
Until then, Lanier said, organizations should, at a minimum, not rely on passwords alone.
“At the very least, if/when that poor password gets cracked or guessed, two-factor authentication raises the bar for the attacker,” he said.
This story, “Changing passwords regularly makes things worse,” originally appeared on CSO.