In Heartbleed’s Wake: A Password Primer
by Christie Terrill, on Sep 16, 2014 10:05:11 AM
Passwords are the most commonly required authentication for website and email access, and they are effective when they work as designed – to prevent unauthorized access to an account or system. The Heartbleed vulnerability disclosure in April 2014 put the topic in the national spotlight, but the concerns about password security are no less diminished in light of the Apple iCloud incident and the news of the outdated Gmail password disclosure.
In the wake of multiple published security incidents revolving around passwords, it is helpful to revisit how implementing leading practices can minimize the impact of seemingly inevitable password compromise.
Heartbleed in Review
Heartbleed is a vulnerability in the encryption software OpenSSL. OpenSSL is a common way to serve the SSL/TLS protocol, which is one of the most common communication security methods on the Internet. The vulnerable versions of OpenSSL expose system memory to anyone with access to services that used OpenSSL encryption. This system memory can include any information contained on the server, including private encryption keys, user credentials, and any other information that the server accessed or stored. What makes Heartbleed so impactful is the combination of the sensitivity of the data exposed, the ease of exploitation, and the difficulty of detection.
How Heartbleed Affects Your Passwords
Applications use memory to store information while they are running. The information that is stored in memory includes things like logins and passwords, authentication information, and other information used in the operation of the application. Heartbleed allows access to memory due to a vulnerability in the OpenSSL heartbeat functionality, which enables users to submit a small, unique value to verify that the service is running.
Due to a lack of server-side verification, an attacker could specify that their heartbeat value was significantly larger than it actually was. This causes vulnerable versions of OpenSSL to serve both the heartbeat value requested and the contents of the memory after the heartbeat value.
Heartbleed’s password exposure is a slightly different threat from the typical online and offline attacks:
Method of Exposure:
- Online Attacks: Attacker cracks or fakes the users' login credentials. Attacker may also use security questions to reset the user's password without his or her knowledge.
- Offline Attacks: Attacker breaks into a secure environment, and steals a set of data, like hashed passwords and usernames, stored on a database or server. Attacker then uses tools to crack the list of passwords.
- Heartbleed: Passwords, encryption keys, and other sensitive data stored in memory are exposed.
Commonly Used Tools:
- Online Attacks: Internet searches to find answer to security questions, automated Web login tools
- Offline Attacks: Hashcat, or other password cracking tools to crack the list of hashed passwords
- Heartbleed: Tools built to exploit Heartbleed, such as those present in the Metasploit framework
Heartbleed is concerning because it allows the leaking of several types of information: pre-authenticated tokens that can be used to effectively impersonate a user without ever going through a login prompt, private keys that can decrypt encrypted data, and username and password combinations. As the solutions to the other problems are mitigated on the server, let’s focus on how the compromise of passwords affects users.
Passwords Are the Lonely Factor
Passwords are so commonly used as the primary protection factor for user accounts that people often take their purpose for granted. Ideally, passwords represent something that you, and only you, know and that others can’t easily guess. But it’s much easier for the typical user (think of your mom or your Uncle Jim) to use the same password on multiple sites or to have an “easy to remember” (and often easy-to-guess) password. The strongest passwords are:
- Unique per site
- Long (ideally, the maximum allowed in the password restrictions)
- Difficult to crack due to complexity
The best way for a user to have strong passwords is to use a password safe that can help you generate random passwords of a specified length and keep track of which passwords are used on which sites. This increases usability and security. If you do need to write down your passwords for some reason, keep them in a safe, physically secure location.
Despite all the efforts to create strong passwords, you would still have been vulnerable to Heartbleed for sites using vulnerable versions of OpenSSL. However, if you use unique passwords per site, you can prevent compromise of one site leading to account compromise on others. A longer password can also increase the amount of time it takes an attacker to crack a password if they manage to access a database of passwords stored as hashes.
Authentication can test three things: something you know, something you have, and something you are. Passwords are simply one type of authentication, testing something that you know.
|Something You Know||Your password or previously provided answers to security questions|
|Something You Have||A credential you receive through a physical, virtual token or a credential texted to your phone|
|Something You Are||Biometrics, such as a fingerprint|
Each of these authentication factors can be compromised individually – a token can be stolen; a password can be cracked or exposed; and biometrics, though unchanging, can be impersonated. It is more difficult to compromise two or more factors at the same time.
The most common two-factor authentication in a corporate environment combines passwords with tokens, such as RSA tokens. For consumers, two-factor is commonly the pair of a user-defined password and a one-time password communicated via a device you already own, such as your mobile phone. Google already offers this through 2-Step Verification, which occurs when you log in from a new device or location. Google prompts you to enter the second form of verification that is sent to your phone or shown in Google Authenticator.
Heartbleed was an incredibly damaging vulnerability because it effectively subverted any services that used encryption, allowing attackers to directly access authentication tokens without needing to know passwords or login information. However, users can help prevent a single site compromise leading to widespread exposure across their digital identity by following the leading practices below:
Do not reuse passwords across multiple sites: The number of data breaches including password information is on the rise, emphasizing the importance of not reusing the same password on multiple sites. Use a password safe such as KeePass or LastPass to manage your account credentials. Not reusing passwords means that even if a site you use is vulnerable to something like Heartbleed, leaked credentials will not allow attackers to access other sites you use.
Do not create passwords that only meet the minimum requirements: Most sites will give you a range of characters for your password parameters. Always create a password that meets the maximum number of characters allowed – randomly generated by your password safe. This helps protect against both online and offline attacks.
Use two-factor authentication whenever offered: Many services still only allow single factor authentication, but for Google, Facebook, and many other common websites, two-factor authentication is an option. You can link your account to a phone number via SMS, or use a program on your phone to receive a unique value to enter when you log in from a new device. They also typically offer multiple options for recovery if your phone or second factor of authentication is lost.