The Password Is Dead: Long Live…Anything Else!

Executive Summary

[read time: approx 1.5 min.]

Passwords by themselves are no longer sufficient for protecting your information and UVM’s information from everyday attacks. UVM is moving to require multi-factor authentication (MFA) to protect the most critical information at first, and all of the university’s online assets in the long run.

This means that logging into certain online services provided by UVM’s Enterprise Technology Services (ETS) will require something in addition to your password, similar to many online banking applications. ETS is starting this process with PeopleSoft in October and November of 2016. A very simple, free smartphone app called Duo Mobile is the recommended method (really, the only one which will scale to the size of UVM’s entire population) and is anticipated to satisfy the needs of the vast majority of UVM users. There are other options; they’re reserved for cases where use of the Duo Mobile app is impossible or its use otherwise presents extreme hardship.

The Details

[read time: approx. 8 min.]

For a long time and for a lot of people, “information security” has meant of a stream of Don’ts* and basically only one Do: Create a “strong” password and keep it secret. This approach meant that we IT professionals had to repeatedly connect with our public (something we know you love) as the threats evolved and the definition of “strong” evolved with them. Until now, this translated into ever-more-complicated requirements resulting in a completely unmanageable stable of passwords for accessing your digital life. And maybe “stable” is the wrong word, since one of those requirements is that you change most of your passwords at varying intervals. It drives you crazy, it drives us crazy, and in the modern era the password doesn’t even do what it’s supposed to any more.

* Don’t open that email. Don’t click on that link. Don’t visit that website. Don’t …, don’t …, etc.

What is a password supposed to do, anyway?

My password is a little secret, shared only between me and some computer service, which is supposed to prove that I am who I claim to be.

That’s it.

I show up at some speakeasy on the internet and knock on the heavy steel door. The bouncer inside slides that little metal peep cover aside and says (in a 1920s Bronx accent), “Who’s dere?” “sthooker,” I say. “What’s the passwoid?” she asks. “******************,” I respond. (Clever, right?) And if that is in fact sthooker’s password, I’m in. And everybody inside thinks I’m sthooker. What could possibly go wrong?

Aye, there’s the rub.

Our little speakeasy analogy is slightly flawed: First, there’s no intelligent human bouncer who could recognize my appearance through that peephole or recognize my voice through the door. It’s more like I slip a punch card under the door containing “sthooker” and “******************” and a computer rather undramatically either opens the door or doesn’t. Also, the establishment is no longer a speakeasy; now it’s a Special Library containing every piece of information — academic, financial, personal, and health-related information pertaining to myself and anyone else — that I handle in my role at UVM.

And now we come to the problem with passwords: Anybody else with the same punch card can show up and enter the Special Library claiming to be me. And our bouncer can’t tell the difference.

Put another way: My password is reusable. This means that if someone captures my password — whether by infecting a device of mine with keystroke-logging malware or by tricking me into revealing it to them — they can use it over and over again, just like I can. That’s right: It doesn’t change often enough. (I know — we make you change your password once per year, and that’s too often.) But in order to effectively counter current threats, the password would need to change every time I used it.

That sounds like a lot of work. Besides: Who would pretend to be me?

Perhaps disappointingly, it’s probably not about you or me, per se. Our UVM NetIDs give us access to a number of Hot Commodities. Commodities like…

  • …private information about us, some of which could be used to fraudulently open financial accounts in our names (remember the Special Library?);
  • …the ability to see and change where our paychecks are deposited (if you work here; this includes student employees);
  • …some or all of our academic and research data;
  • …private information about other people (students under our tutelage, employees in our charge);
  • …a reputable spot on the US internet, which is useful if you’re a criminal operator attacking American networks or American businesspeople. (Yes, the Bad Guys frequently hijack UVM accounts just so they can turn around and victimize someone else, somewhere else.)

This is quite a potential trove, considering the relative ease of acquiring someone’s password.

So this is serious. How do we fix it?

Easy: We tell our bouncer to demand something else in addition to a password before she believes anything the person knocking on the door says.

Oh! Like “Security Questions”?

Not exactly. Security questions suffer the same weakness as passwords: They’re both something I know which does not change (often enough). What we really want is for our additional element of proof (called an authentication factor) to be something I have, or even something I am so that even if someone captures that Something I Know (the password), they can’t get in without having the Something I Have or being the Something I…well, me.

In implementing multi-factor authentication (MFA) we’ve increased the amount of work the Bad Guys need to do in order to access my Special Library: Perhaps they’ve already done some work (albeit only a little) to get that Something I Know, but now they have to either acquire the Something I Have or convincingly impersonate me*. These days, the Bad Guys are in business, and now it suddenly costs more to access my Special Library — especially considering many criminal gangs operating in this space seem to be based overseas. It may be cheap for them to send a few emails and phish my password, but it’s probably much more expensive to send someone to steal something from me (such as my smartphone). At this point, most run-of-the-mill Bad Guys move on to softer targets. This is not to say no one will ever expend significant effort to target you specifically, but the likelihood is lower (see ego-deflating “it’s not about you” commentary, above) and information security is a game of reducing or minimizing risk; we can very rarely eliminate risk entirely.

* We’re not talking about accents and disguises, here; they’d need to “impersonate me” in a way that computers care about — mostly high-contrast features of my person which sensors can pick up in either the visible or infrared spectra, e.g. the patterns of blood vessels in one of my hands or on one of my retinas. Read up on biometric authentication for more information.

Additionally: Recall that the main problem with the password all by itself is that it it reusable. It would be best if our second authentication factor took care of changing itself after each use. The Duo smartphone app does this for me. It’s something I have, and there are machinations behind the scenes which ensure each access token is usable only once. In other words, if someone somehow intercepts my password and my Duo access token as I’m using them, they can not use what they’ve captured over and over again to access the Special Library.

So I can ditch my password now and just use this other thing?

No, not yet. If we did that, someone with the means to steal (or even borrow) your phone could access your Special Library using only Duo Mobile. You want (at least) two factors working together.

Can’t I just do “Security Questions” instead?

Nope.

Drat.

Sorry.

So, this is it, right? Problem solved, right? No more annoying security things to do after this one?

Sadly, it’s not likely to be the great Eternal Security Silver Bullet everyone hopes for. (Nothing is.)

Multi-factor authentication improves our protections tremendously over the lowly (and lonely) password, and will probably be enough of a deterrent to drive cost-conscious Bad Guys away from you and UVM (for now) in search of easier pickings. But defending UVM’s community from these attacks mirrors any other parasite-host relationship: As we (the host) improve our defenses, the Bad Guys (the parasites) will improve their attacks. As a famous monarch once said, “Now, here, you see, it takes all the running you can do, to keep in the same place.

Is there anything else I need to do?

If you don’t already have a strong passcode or biometric (like the fingerprint readers on various Android devices or Apple’s TouchID) protecting your mobile device, now is the time. Additionally, Duo Mobile defaults to allowing anyone in possession of the device to approve login requests without unlocking that device: It would be prudent to disable that feature.

Finally: Be suspicious of any Duo request that shows up when you’re not expecting it. That could be a sign that someone, somewhere has captured your password and is trying to use it right now. Your last line of defense between that Evil-Doer and your Special Library is Duo Mobile’s red Deny button. If you Approve unexpected requests, you could be letting the Bad Guys in — and all this work was for naught.

ETS’s official documentation on multi-factor authentication is available at https://go.uvm.edu/mfa and https://go.uvm.edu/mfafaq.

If you have questions or concerns, email them to iso@uvm.edu.

Sam Hooker, for the Information Security Operations Team

Comments are closed.