In preparation for HackWest, I was reading through some of the talks that will be given. One stood out to me as interesting: Sherrie Cowley’s talk on breaking multi-factor authentication. I wanted to see what strengths and weaknesses I could come up with about the different types. I’m sure much more research could be put into this, and I’m betting that Sherrie has done quite a bit. But here’s what I came up with.
Something You Know
This generally refers to passwords, so I’ll focus on that. Here are a couple of things that I feel are weaknesses of passwords:
1. Password complexity policies are generally insufficient. Companies try to force complex passwords by requiring at least eight characters drawn from 3 of 4 categories, usually:
   - Upper-case letters
   - Lower-case letters
   - Numbers (digits)
   - Special characters (like !@#$%^&*()_+-=)
   The problem is that "P@ssword!" satisfies this policy and yet sits near the top of every cracking wordlist. If I had to pick between complexity and length, I'd pick length. Many are familiar with the XKCD "Password Strength" comic:
2. As the comic suggests, people often pick passwords that are hard to remember but easy for computers to guess. One thing that helps is to select a complete sentence. That gives you a long password which also complies with the 3-of-4 rule from point 1.
3. People often re-use passwords in multiple places. To solve this one, use a password management tool such as LastPass or KeePass, and use a different password for every site and service.
4. Passwords have to be stored, and even hashed passwords can be dumped. In my opinion the only sound way to store them is as a salted hash computed with a deliberately slow function (bcrypt, scrypt, Argon2, or PBKDF2 with a high iteration count). The salt is a random value, unique per user, stored right alongside the hash; it does not need to be secret. Its job is to make precomputed lookup tables useless and to force an attacker to crack each account separately.
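To make the complexity-versus-length argument concrete, here is a small checker I've added for this post (it is not code from the original, and the wordlist, the 16-character passphrase threshold and the function names are assumptions of the example). It shows that "P@ssword!" passes the classic 3-of-4 rule while a wordlist check rejects it, that a plain sentence passes both, and it compares the brute-force keyspace of a short random password against a random four-word passphrase, which is the comic's point in numbers.

```python
from __future__ import annotations

import math
import re

# Constructed stand-in for a cracking wordlist. Real lists hold millions of
# entries; these are the kind of strings that sit near the top of them.
COMMON_PASSWORDS = {
    "123456", "password", "p@ssword!", "p@ssw0rd", "password1", "qwerty",
}

CATEGORIES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def meets_complexity_policy(pw: str, min_len: int = 8, need: int = 3) -> bool:
    """The '8 characters, 3 of 4 categories' rule described in the post."""
    hits = sum(1 for rx in CATEGORIES.values() if rx.search(pw))
    return len(pw) >= min_len and hits >= need


def in_wordlist(pw: str) -> bool:
    """Case-insensitive membership test; crackers try case variants anyway."""
    return pw.lower() in COMMON_PASSWORDS


def random_password_bits(length: int, alphabet_size: int) -> float:
    """log2 of the keyspace a brute-forcer faces for a *random* password of
    this length over this alphabet (95 = printable ASCII)."""
    return length * math.log2(alphabet_size)


def passphrase_bits(words: int, dictionary_size: int) -> float:
    """Same measure for `words` words drawn at random from a dictionary of
    `dictionary_size` entries (the XKCD comparison)."""
    return words * math.log2(dictionary_size)


def assess(pw: str, min_passphrase_len: int = 16) -> str:
    """Length-first verdict: a wordlist hit is rejected no matter how 'complex'
    it looks, a long password is accepted without category juggling, and
    anything shorter must at least satisfy the old 3-of-4 rule.
    The 16-character threshold is an assumption for this example."""
    if in_wordlist(pw):
        return "reject: in cracking wordlist"
    if len(pw) >= min_passphrase_len:
        return "accept: long"
    if meets_complexity_policy(pw):
        return "accept: short but complex"
    return "reject: too short and too simple"


if __name__ == "__main__":
    for pw in ("P@ssword!", "Tr0ub4dor", "I like to eat 3 tacos on Tuesday."):
        print(f"{pw!r:40} policy={meets_complexity_policy(pw)} verdict={assess(pw)}")
    print("8 random printable chars:", round(random_password_bits(8, 95), 1), "bits")
    print("4 random words from 2048:", round(passphrase_bits(4, 2048), 1), "bits")
    print("25 random lowercase letters:", round(random_password_bits(25, 26), 1), "bits")
```

Note that the keyspace numbers only apply to passwords chosen at random; a human-chosen "Tr0ub4dor"-style string is far weaker than its length and alphabet suggest, which is exactly why the wordlist check comes first.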
Strengths I came up with for using passwords:
- Passwords can usually be changed rather easily, and I'd recommend that you do. It's not so much that someone will guess it, in my opinion; it's that it may have been compromised through a password hash dump or something similar. I know this happens all the time, because I have a database of 1.3 billion dumped passwords. All I have to do is hash them however I want and compare hashes, and I have the original password. So, change it often.
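The attack just described, hashing a wordlist and matching against a dump, works because many sites store unsalted fast hashes. As an added example (my code, not the original post's), here is a per-user salted PBKDF2 store beside the naive SHA-256 store, and a cracker run against both. PBKDF2-HMAC-SHA256 is used only because it ships in the Python standard library; Argon2id, scrypt or bcrypt are better where a library is available. The record format, iteration count and wordlist are assumptions of the example.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256; raise it until one hash takes ~100 ms on
# your hardware. Chosen for this example, not a recommendation for production.
DEFAULT_ITERATIONS = 100_000


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iters$salt_hex$hash_hex'.
    The 16-byte salt is random and unique per call and is stored in the record
    in the clear: its job is to defeat shared lookup tables, not to be secret."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the record's own salt and work factor; compare in constant time."""
    algo, iters, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record type {algo!r}")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


# ---- the attack described in the post, run against both storage schemes ----

def unsalted_hash(password: str) -> str:
    """What a naive application stores: plain SHA-256 of the password."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed miniature of a cracking wordlist.
WORDLIST = ["123456", "password", "P@ssword!", "letmein", "qwerty"]


def crack_unsalted(dumped_hashes: list[str], wordlist: list[str]) -> dict[str, str]:
    """Hash the wordlist ONCE, then every dumped hash is a dictionary lookup.
    Cost: len(wordlist) hashes, no matter how many users were dumped."""
    table = {unsalted_hash(w): w for w in wordlist}
    return {h: table[h] for h in dumped_hashes if h in table}


def crack_salted(records: list[str], wordlist: list[str]) -> tuple[dict[str, str], int]:
    """No shared table is possible: each candidate must be re-derived with each
    record's own salt and iteration count. Returns the matches and how many
    PBKDF2 derivations it took. Weak passwords still fall; salting only makes
    the attacker pay per user instead of once for everyone."""
    found, derivations = {}, 0
    for rec in records:
        for w in wordlist:
            derivations += 1
            if verify_password(w, rec):
                found[rec] = w
                break
    return found, derivations


if __name__ == "__main__":
    alice = hash_password("P@ssword!")
    bob = hash_password("P@ssword!")          # same password, different record
    carol = hash_password("zx9!Qv-long-and-random")
    print("records differ for identical passwords:", alice != bob)
    dump = [unsalted_hash("P@ssword!"), unsalted_hash("zx9!Qv-long-and-random")]
    print("unsalted:", crack_unsalted(dump, WORDLIST))
    print("salted:", crack_salted([alice, bob, carol], WORDLIST))
```

The lesson the run makes visible: the unsalted dump is cracked with five hashes total, while the salted store costs one slow derivation per candidate per user, and "P@ssword!" is recovered either way. Salting and a slow hash buy time for users with decent passwords; they do not rescue a password that is in the wordlist.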
Something You Are
This generally refers to biometrics. It includes things like fingerprints, retinal scans, facial recognition, or even DNA.
Here are some weaknesses that I came up with for this:
- The biggie here is that you cannot change them. If someone finds out how to replicate any of these, you have a big problem.
- It’s not as hard as you might think. Take a look at the following:
To be honest, I could not readily come up with strengths for biometrics, except that people think it’s hard to do, so they don’t try. But that one’s pretty weak, as we can see that it is easy.
Something You Have
This would be something like a private SSH key, a one-time password, a physical key, or an RFID card. I felt like this was probably the strongest one.
Here are the strengths that I came up with:
- They are very easy to change. As a matter of fact, a time-based one-time password changes every 30-60 seconds. If you lose a physical key you do have to re-pin the locks, but that's doable.
- You do not have to remember anything. You just pull them out and use them when you need them.
- They are fairly difficult to figure out, especially the longer they are. With an 8192-bit RSA private SSH key you are in very good shape. A six-digit one-time password is a different matter: it's only valid briefly, so you'd have around 1.5 to 3 minutes to brute-force it, but there are only a million possible codes. That may not be hard on its own; what makes it hard in practice is that a well-built server rate-limits guesses and that the code is one factor of a multi-factor setup.
Weaknesses for this one:
- It’s only as good as the security you use to protect it. If you post your private key online, as Adobe recently did, well, that isn’t good. You have to keep it locked down.
- Physical keys are very easy to duplicate.
- RFID cards are very easy to duplicate.
- If you’re dealing with keyed locks, they can be easy to pick (but not always).
So, that’s what I came up with. We’ll have to see what Sherrie says on the matter.