Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Identity & Access

Brute-force Attacks: Crossing the Online-Offline Password Chasm

Password Attacks

Password Attacks

Passwords are currently, and in the foreseeable future, our main method for online authentication. One of passwords most hated features is the complexity requirement that demands the password to have a minimum size, contain mixed-case letters, digits and special characters.

However, a new research paper from Microsoft Research claims that most of the complexity effort is in vain. In this column I’ll explain Microsoft conclusion and then take a look at two, newly presented solutions, to achieve truer password security.

The Online-Offline Password Chasm

Passwords needs to be strong enough to resist a guessing attack, often named a “Brute-force” attack. The brute-force attack comes in two flavors: online and offline. In the online mode of the attack, the attacker must use the same login interface as the user application. In contrast, the offline mode of the attack requires the attacker to steal the password file first, but enables an unconstrained guessing of passwords, free of any application or network related rate limitations.

Microsoft researchers had found out that “an enormous gap exists between the effort needed to withstand online and offline attacks, with probable safety occurring when a password can survive 106(1M) and 1014 (100T) guesses respectively.” As a result, having a not-so-complicated password such as “tincan24” that is “1M strong” (i.e. expected to survive a 1M guess attack) is as good as having a “1T strong” password “7Qr&2M”. Both are strong enough to survive an online attack, but expected to surrender under an offline attack. However, the latter password is much harder to remember.

Furthermore, by breaking down the use cases that necessitates offline guessing protection, the researcher were able to determine that “Offline guessing is a threat when the password file leaks, that fact goes undetected, and the passwords have been properly salted and hashed. In other cases, offline guessing is either unnecessary, not possible, or addressable by resetting system passwords.”

Password Attacks

Offline guessing is a threat only when the password file leaks, that fact goes undetected, and the passwords have been properly salted and hashed. Source: Microsoft

Therefore, putting the burden of crossing that eight orders of magnitude wide chasm on the shoulders of the users is both very inefficient and also immoral as it makes the users solves an application problem. By solving the password file leakage problem on the application side, the application can solve the offline brute-force hazard and relax the requirements on the complexity of the users’ passwords.

Advertisement. Scroll to continue reading.

Solving the Password File Leakage Problem

In order to prevent the password file from leaking to the outside world, it needs to be bounded to the application environment. The common solution, mentioned in Microsoft paper, is to encrypt each password and store the secret key in a Hardware Security Module (HSM). Since the HSM does not provide access to the stored secret key, password decryption can only take place in the application’s environment.

Recently two other innovative solutions to this problem were presented:

1. At Derbycon 2014, Benjamin Donnelly and Tim Tomes presented their “Ball and Chain (BAC) ” construction. BAC provides a method to artificially inflate the passwords file size and spread the password data securely across it, to make the exfiltration of it infeasible. For example, it would take an attacker at least a month to send a 2TB password file over a regular internet connection. Besides taking a long time, the large amounts of data being sent should raise a security flag.

2. Dyadic , a new Israeli start-up company, had revealed its Distributed Security Module. By using the cutting-edge crypto technology of MultiParty Computation (MPC), the DSM splits each password secret across several servers. The attacker needs to breach the security of all involved servers in order to reveal the password. Since the servers can have different access credentials and even operating systems it makes the attacker task much more difficult.

The Take Home Message

Since “passwords are the worst form of authentication except all those other forms that have been tried”, understanding their true pros and cons is highly relevant to the security of our systems. Therefore, defeating offline brute-force attacks should be addressed by the application through any of the aforementioned methods, and not to be handled as an extra burden on the users, via “password complexity”.

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

CISO Strategy

Okta is blaming the recent hack of its support system on an employee who logged into a personal Google account on a company-managed laptop.

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Compliance

Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...

Email Security

Many Fortune 500, FTSE 100 and ASX 100 companies have failed to properly implement the DMARC standard, exposing their customers and partners to phishing...

Funding/M&A

The private equity firm merges the newly acquired ForgeRock with Ping Identity, combining two of the biggest names in enterprise IAM market.

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...