Two weeks ago, hackers compromised the password of the Associated Press Twitter account, allowing them to send fictitious tweets to all of the @AP followers. These tweets falsely reported that a bomb had exploded at the White House and that the President was injured, which sent financial markets into a brief but startling tailspin. Once the market recovered, I was left marveling at the power of a single compromised social media password. If nothing else, the AP Twitter hack re-exposes one of the persistent challenges to security – the large-scale overdependence on passwords as the sole method of identifying a user and granting permissions.
Passwords are the ultimate goal for many hacking operations regardless of their sophistication. The latest Verizon Data Breach Investigation Report (DBIR) showed just how broad the problem is, reporting that 76% of all breaches were tied to weak or stolen credentials. Weak passwords were also the target of a large-scale attack against WordPress accounts, where remote attackers recruited more than 90,000 servers to brute-force the passwords of WordPress admin accounts.
However, it’s important that we address the reality that strong passwords can’t be the only answer. While Twitter scrambles to add support for two-factor authentication, they reached out to journalists to provide some advice to keep them secure in the interim. Some of that advice was good, but some of it struck me as actively wrong. In particular, Twitter recommended that journalists use strong, randomly generated passwords and store those passwords in the web-browser’s password manager.
To me, this is rather troubling advice. Malware is highly skilled at finding, decrypting and stealing passwords stored on a victim’s machine, particularly the browser. In our latest analysis (PDF) of undetected malware, we observed that stealing passwords from the web-browser was the #1 most common hacking and data theft behavior observed in malware. This is precisely why banking and financial sites prevent customers from automatically filling passwords into their sites. Furthermore, banking trojans like Zeus and Andromeda will hide in browsers for the purpose of capturing users’ logins.
The thing to remember here is that if the browser can see the password and put it into a form, then malware can see it (and steal it) as well. In short, Twitter is telling people to move to a password that is difficult for you to remember and then store it in the place that malware is the most adept at stealing it.
Secondly, it shouldn’t require extremely strong passwords to prevent a brute-force attack on a password in the first place – it should simply require not using an obvious password such as ‘password123’. And any running web-based application should be able to recognize a string of failed login attempts and lock out the user or account. Strong passwords are most valuable for protecting hashed passwords in the event that the database of user passwords ever gets stolen. The more complex the password, the more guesses are required to determine the real password from the hashed value. But the big difference here is that this hacking happens on data that is already stolen. The attacker has the database and can try millions of combinations indefinitely until he finds the right one. Conversely, an attacker should never be able to try millions of password combinations on a running application. The application should see several failures and lock down.
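One way an application can "see several failures and lock down", as the paragraph puts it, is a per-account failed-login throttle like the one below. This is an added example, not code from the original post or from Twitter; the thresholds (5 failures within 5 minutes, a 15-minute lock), the account names and the replayed login events are constructed assumptions.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Per-account failed-login tracker: after max_failures failures inside
    `window` seconds the account is locked for `lockout` seconds, and every
    attempt, right password or not, is refused until the lock expires."""

    def __init__(self, max_failures=5, window=300, lockout=900):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)   # account -> timestamps of recent failures
        self.locked_until = {}               # account -> time at which the lock expires

    def attempt(self, account, password_correct, now):
        # A locked account refuses even the correct password, so continued
        # guessing tells the attacker nothing about whether a guess was right.
        if now < self.locked_until.get(account, 0):
            return "locked"
        recent = self.failures[account]
        while recent and now - recent[0] > self.window:
            recent.popleft()                 # forget failures outside the window
        if password_correct:
            recent.clear()
            return "ok"
        recent.append(now)
        if len(recent) >= self.max_failures:
            self.locked_until[account] = now + self.lockout
            recent.clear()
            return "locked"
        return "denied"


def replay(events, throttle):
    """Run constructed login events (time, account, password_correct) through
    the throttle and return the decision made for each one, in order."""
    return [throttle.attempt(account, ok, t) for t, account, ok in events]


# Constructed sample: five wrong guesses against 'newsdesk' ten seconds apart,
# then the owner's correct password, an unrelated account, and the owner again
# after the lock has expired.
SAMPLE_EVENTS = [(t, "newsdesk", False) for t in range(0, 50, 10)] + [
    (60, "newsdesk", True),        # correct password, but the account is locked
    (70, "editor", True),          # other accounts are unaffected
    (960, "newsdesk", True),       # lock expired at t=940; legitimate login succeeds
]

if __name__ == "__main__":
    for event, decision in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS, LoginThrottle())):
        print(event, "->", decision)
```

In a real deployment the state lives in a shared store and the clock is the server's, and the per-account lock should be paired with a per-source limit so that a distributed guessing run like the WordPress attack cannot be spread thinly across many accounts.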
And this is a problem that is in no way limited to journalists using Twitter. State, local and federal governments are adopting social media and Twitter to communicate with the public. Universities have adopted Twitter as one of the methods for communicating with students in an emergency. And even if the focus remains purely financial, most public companies use Twitter as well. It’s easy to conceive that a well-timed hack could have a market-moving effect that criminals could take advantage of.
All of which simply underscores the importance of social media applications adding capabilities to make themselves more secure. By all accounts, Twitter is rapidly developing support for two-factor authentication, and once it’s available it will be a welcome enhancement that enterprises should take advantage of. However, in the interim, it’s probably not the best idea to simply put more of our eggs in the browser if we are concerned about the security of a web application.