Select Committee on Science and Technology Written Evidence


Memorandum by ReadyTechnology

WHY PASSWORDS ARE BAD

INTRODUCTION

  This article is directed at one specific aspect of personal Internet security that is the root of many other online problems—the password. While many other issues exist and deserve attention, the password is a fundamental issue that has been ignored for too long. If you just want a quick introduction to this issue, read the examples at the end, and then browse the rest of the evidence provided. It has long been known that passwords are not a secure way to authenticate an individual. However, most websites rely exclusively on passwords. Most users are unaware of the risks, or if they are aware of the risks, they use passwords anyway, because they have no choice. The evidence contained in this paper focuses on many of the issues relating to passwords—why they are not secure, why we still use them and what alternatives are available.

  The author is an experienced software engineer and consultant. His main field of business is IP telephony. He obtained his degree in Computer Science from the University of Melbourne, and has first hand experience in helping businesses avoid security risks, recovering from security incidents, liaising with law enforcement authorities in the wake of security incidents, delivering training to IT professionals and designing and operating secure web sites on a daily basis.

DEFINING THE PROBLEM

What is the nature of the security threat to private individuals? What new threats and trends are emerging and how are they identified?

  Passwords are a serious threat to the security of the private individual. A password can easily be used without the owner's knowledge, in much the same way as an untrustworthy tradesman might take a copy of a spare key and use it long after they've returned the original. The problems relating to passwords have been well known since the beginnings of the study of Computer Science in the 50s and 60s.

What is the scale of the problem? How are security breaches affecting the individual user detected and recorded?

  The problem is immense—virtually all "e-commerce" web sites, including retail/shopping sites, telephone company sites, webmail services, banking sites, auction sites and online payment sites use the password as the sole means of authentication.

  Recently, some banks have embraced more appropriate solutions, including digital certificates (which have the same level of security as the "Chip and PIN" system) and security "tokens" which generate security numbers from a sequence that can not be predicted by a third party. Apart from a handful of banking web sites, virtually no other online service has moved beyond password authentication.

  The very nature of the problem means that the web site operator is unaware that their site is being accessed by an unauthorised individual. It is rarely possible to detect. For instance, a person may read their spouse's emails for many months, and the spouse will never realise, as nothing has been changed or deleted.

  If a password is misused for financial transactions, the victim may realise at the time they receive their next paper statement.

How well do users understand the nature of the threat?

  A small percentage of the population understands the problem, probably less than 30%.

  However, even amongst those of us who understand the problem, we have limited means of protecting ourselves.

  An individual who understands the problem would prefer not to do business with any web site that relies only on passwords. This individual would quickly find that there are very few web sites they can use. Therefore, the user's understanding of the problem doesn't actually help them.

  The operators of many e-commerce web sites are quite happy to continue providing services using passwords because the greater percentage of the population will simply use the service as it is, without questioning the security of their password. Many web site operators also feel that they need to make their service "easy to access" as this will increase their number of users and reduce the support costs. This means that the "easiest" solution is preferred over the "secure" solutions.

TACKLING THE PROBLEM

What can and should be done to provide greater computer security to private individuals? What, if any, are the potential concerns and trade-offs?

  Currently, the UK has a limited choice of schemes for online authentication of individuals. Most schemes are proprietary. For instance, HSBC bank issues digital certificates to its own Business Internet Banking customers, including myself—these certificates are no use with any other online service. Under this arrangement, I would potentially have to keep a certificate for every one of 50 web sites I log in to—a real nightmare for myself, and impossible for someone whose knowledge of computer security is minimal.

  A preferable solution would involve a common certificate that could be used with any of the banks and other interesting web sites. The end user would only need a single certificate, no matter how many online services they wished to access. They could store this certificate on a single card, and carry it in their wallet.

  The trade-off is that the individual can only access the secured websites from a computer which has a "smart card" reader. This is not a significant challenge, as inexpensive "pocket sized" readers can be carried and easily fitted to the USB port of a PC.

  Another trade-off is that the user who loses or "blocks" their certificate (by damaging the card or incorrectly entering their PIN three times) will be unable to access any secured web site for a period of several days while awaiting a replacement card/certificate.

  One way to encourage this type of scheme (which should be run by the private sector, but to a standard endorsed by Government) would be to provide a security rating for "e-commerce" web sites. Businesses which trade online would need to satisfy certain criteria, including the use of strong authentication (something better than a password), in order to get the security rating. Just as consumers understand the ratings of movies, they could be educated to recognise the security ratings of web sites.

What is the level of public awareness of the threat to computer security and how effective are current initiatives in changing attitudes and raising that awareness?

  The public is vaguely aware that computers have risks associated with them. However, people have bad habits (eg they often trust what they see in print, even on a web site) and they take risks—for instance, they are so keen to check if they have new email, that they will risk typing their password into an untrustworthy computer that may have a keystroke logger/spy software fitted.

  People are so concerned with enjoying the benefits offered by the Internet, that they seldom take time to understand the risks.

  Most motorists are probably not familiar with all the risks of driving their vehicle. Fortunately, MOT testing and regular services allow the motorist to drive with relative safety, oblivious to many issues that they might otherwise experience. In the computing industry, however, "security" products are often limited, mis-used and sold with profit as the main motive, and public interest as a minor consequence. Users who buy this software often find themselves nagged by constant reminders to "upgrade" (which has a price tag), so they often give up on the software after only a few weeks or months.

What factors may prevent private individuals from following appropriate security practices?

  Many individuals are under a great deal of pressure to do many things during their day. When they only have five minutes available to check their email, they will not be thinking about "how do I check if this PC has spyware", they will just go straight to the web mail site—and type their password.

  Furthermore, the fact that passwords are used as the standard means of authentication on so many sites means that many users who are unfamiliar with the risks will have a false sense of confidence in this form of security. Few web sites have a warning message on their login screen advising the user to "please check for a keystroke logger before entering your password".

  It is often said that users should:

    —  Use a different password for every web site/computer that they access.

    —  Change every password regularly.

    —  Never write down their password(s).

  It's clear that with so many websites in popular use, the average member of the public can not easily practice all these rules. The average person may have to remember over 20 passwords—or carry a list of them all in their pocket. They need their bank password, their webmail password, their online phone bill password (for both their landline and mobile provider), their broadband password, their Wireless/Wifi network password, their auction password (eg eBay), a password for the computer system at their office and many more. Given all these passwords, the user will simply choose the easy option—using the same password for every site.

What role do software and hardware design play in reducing the risk posed by security breaches? How much attention is paid to security in the design of new computer-based products?

  Everyone is basically avoiding any responsibility—if they are even aware they have a responsibility. I recently met someone who had a degree in computer engineering and was oblivious to the issues relating to passwords. While Oxford and Cambridge are producing some very talented IT professionals, the vast majority of small business IT and computer systems, and websites, are produced by people with minimal knowledge of security issues. As the education sector rushes to provide greater and greater quantities of "work ready" graduates, they neglect issues relating to security and focus on specific hands on training in technologies that are in common use. This new class of graduate has been shown how to build web sites with "point and click" rather than with essential theory of computer security.

  Small business budgets often mean choosing the cheapest security option when designing a web site—passwords.

  Many software developers who are aware of the risks posed by passwords are afraid to stick their neck out, or they are satisfied to just give their boss the insecure password based system that he asked for. Avoiding controversy, they can get the job done more quickly and collect their pay cheque.

  Modern PC hardware and the most common PC operating system provides the user with little assurance that their keystrokes are truly private. However, it only costs £15 to attach a smart card reader to the PC's USB socket. The PC can then easily and securely perform authentication tasks using secure digital certificates.

Who should be responsible for ensuring effective protection from current and emerging threats?

  The providers of online services have a significant role to play, particularly the banks and popular online webmail services. Were they to set standards for online security, smaller businesses and web site operators would then follow suit, for two reasons:

    —  because they would have an example to follow, and would not want to appear "behind the times" or careless about security; and

    —  because individuals would become more aware of the stronger means of authentication offered by digital certificates, and many individuals would then become reluctant to engage with web sites not supporting that type of security.

What is the standing of UK research in this area?

  The issue is well beyond the point of "research". Practical solutions already exist, and are used already in niche sectors or proprietary systems. For instance, "Chip and PIN" has already been implemented successfully for cash machines and in-store payments—it simply needs to be brought to the Internet.

GOVERNANCE AND REGULATION

How effective are initiatives on IT governance in reducing security threats?

  In the case of passwords, governance has not yet played a part. Government could play a role in several ways:

    —  By example—using certificate based security for all e-Government services, exclusively, and refusing to procure from any supplier who relies on a password based web site.

    —  By setting rules or endorsing standards—for instance, a standard that all "e-commerce" web sites must meet for user authentication.

    —  By focusing on "high-risk" sectors that are already regulated—for instance, finance. Financial institutions have chosen to make their web sites "easy" rather than completely "secure", as they want to increase the number of customers who use the site, and reduce the cost of providing technical assistance to customers. They have chosen to give customers services that are "convenient for the masses" rather than services that are secure. As these institutions are regulated and licensed, they could potentially be directed to improve their performance in this area, with or without specific regulations. If a customer is unable to understand the security technology, then it probably isn't appropriate for the bank to be forcing that customer online in the first place.

How far do improvements in governance and regulation depend on international co-operation?

  The standards for digital certificates already exist on an international basis. Numerous products in this field are already marketed internationally.

Is the regulatory framework for Internet services adequate?

  It is adequate for punishing people after something goes wrong. However, it doesn't create the impetus for businesses to tighten up their web site security.

What, if any, are the barriers to developing information security systems and standards and how can they be overcome?

  There are several barriers:

    —  Different levels of understanding within the IT community—many IT people are simply happy producing the web sites and systems that they get paid for. They won't change their practices unless there is a strong commercial reason for them to do so.

    —  Many businesses simply trust the advice of their IT staff or consultants, without testing that advice. Businesses need to have independently specified standards that they can rely on when they give direction to their IT staff/consultants/web developers. If a business decision maker doesn't know what to ask for, he will usually be given a solution that is not particularly secure.

    —  Co-operation between businesses—businesses who operate online need to be willing to trust one or more common "certificate authorities" who issue digital certificates to private individuals. However, this is not a major challenge, as the certificate authorities already provide SSL certificates to many web sites.

EXAMPLES OF PASSWORD ABUSE

  The information presented here is not intended to be performed or duplicated by the person reading this document. This information is presented in the hope of educating the public about the risks of passwords.

KEYSTROKE LOGGER HARDWARE

  A keystroke logger is a small piece of hardware that is attached to the keyboard cable. It records every key stroke pressed and released. The person who controls the device is able to retrieve a log of all the keystrokes since the device was fitted.

  Example usage:

    —  Purchase keystroke logger from web site or online auction.

    —  Select a PC that will be used by the intended victim.

    —  Detach the keyboard.

    —  Attach the keystroke logger to the keyboard cable.

    —  Attach the keystroke logger to the PC.

    —  Allow the victim to perform their usual tasks, eg accessing email.

    —  When the victim is gone, remove the keystroke logger.

    —  Attach the keystroke logger to another computer.

    —  Install the software for reading the log.

    —  Review the list of keystrokes on the screen. Identify usernames and passwords.

    —  Use the passwords to gain access to the victim's email, etc.

ANALYSIS

  It should be obvious that the above procedure requires no special training or significant technical understanding.

KEYSTROKE LOGGER SOFTWARE

  Keystroke logger software operates in a similar way to the hardware device. The software is installed on the computer by the perpetrator. They can then use another computer, anywhere on the Internet, to see what is on their victim's screen, and to see which keys the victim is pressing.

  The procedure is as follows:

    —  Obtain keystroke logger/screen grabber software.

    —  Install the software on victim's computer, or a computer the victim is likely to use.

    —  Make a note of the IP address of the victim's computer.

    —  Install the monitoring software on another computer.

    —  Run the monitoring software, and specify the victim's IP address.

    —  The monitoring software will display the victim's current screen and keystrokes as they take place. It may also allow the victim's keystroke history to be inspected.

  The use of the keystroke logger/screen grabber software is a superior alternative to the hardware logger, for the following reasons:

    —  The screen can be viewed—this means that security systems that require the user to "click" a number can also be breached.

    —  It is not necessary to return to the victim's PC to retrieve data.

    —  Data can be accessed in "real time"—while the victim is using the PC, instead of afterwards.

ANALYSIS

  The software for committing such crimes is easily obtainable online. It can then be carried around on a CDROM or "pen" drive.

  The victim may be able to protect themselves by using a secure BIOS, secure operating system (eg UNIX) and requiring a password to be entered by anyone who installs new software.

WEB SITE EXAMPLE

  World Wide Widgets Ltd (a fictitious name, we will refer to them as WWWidgets) sells widgets through their web site.

  Wendy works for WWWidgets, maintaining their website and database.

  Wayne, a customer, creates an account on WWWidgets' web site.

  He chooses a password—the password is transmitted securely to WWWidgets using SSL. The SSL encryption ensures that no eavesdropper is able to see the password while it passes through the Internet company's network.

  The password is received and stored, without encryption, in the database designed by Wendy.

  Wicked (that is not his real name, but his "screen name") breaks into WWWidgets' office and steals their computer. After all, it is easier to break into a small company than a bank.

  Wicked finds Wayne's email address and password in the database. Wicked uses this information to access a well-known online payment service, where he purchases £500 of goods from online stores, using Wayne's credit card details. Wicked finds that he is able to defraud over 1,000 people in this way, using passwords from WWWidgets' database.

  It takes WWWidgets four days to realise the risk to their customers, and another seven days of internal management debates before they decide to warn customers. By this time, Wicked is untraceable.

ANALYSIS

  Wayne was at fault: he used the same password on the WWWidgets site and the online payment company's web site.

  Wendy was also at fault: she stored the passwords in plain text. Storing only a one-way hash of each password, computed with an algorithm such as MD5, rather than the password itself, would have made Wicked's work much harder or impossible.

  The online payment service is at fault: they accept the password as the single method of authentication, and then allow the user having the password to execute transactions using stored credit card or direct debit details.
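  An added illustration, not part of this memorandum, of the difference between Wendy's plain-text store and a hashed store, written in Python. It goes beyond the MD5 mentioned above by using a salted, iterated hash (PBKDF2-HMAC-SHA256 from Python's standard library), which is the same principle applied more strongly; the account names, the passwords and the assumption that the payment service hashes its own table are constructed for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # work factor: makes each guess against a stolen table slow

# Constructed sample data for the fictitious sites. Wayne reuses his password
# at the payment service (his fault in the memorandum); Wilma does not.
WWWIDGETS_SIGNUPS = {"wayne": "correct-horse-7", "wilma": "widget$2006"}
PAYMENT_SIGNUPS = {"wayne": "correct-horse-7", "wilma": "a-different-one"}


def hash_password(password, salt=None):
    """Return (salt, digest) using salted, iterated PBKDF2-HMAC-SHA256.

    The memorandum suggests MD5; this is the same idea taken further. A fresh
    per-user salt stops one guess being checked against every row at once, and
    the iteration count makes every guess expensive for whoever holds the table."""
    if salt is None:
        salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify(record, candidate):
    """Check a login attempt against a stored (salt, digest) record."""
    salt, digest = record
    _, candidate_digest = hash_password(candidate, salt)
    return hmac.compare_digest(digest, candidate_digest)  # constant-time compare


def store_plaintext(signups):
    """Wendy's design: the table holds each password itself."""
    return dict(signups)


def store_hashed(signups):
    """Hardened design: the table holds only salt and digest, never the password."""
    return {user: hash_password(pw) for user, pw in signups.items()}


def reuse_exposure(stolen_table, payment_table):
    """Audit: which users' stolen WWWidgets records would open their account at
    the payment service. A plain-text record is usable as-is; a (salt, digest)
    record is not a password, so it cannot be replayed at the other site."""
    exposed = []
    for user, record in stolen_table.items():
        if isinstance(record, str) and verify(payment_table[user], record):
            exposed.append(user)
    return exposed


if __name__ == "__main__":
    payment = store_hashed(PAYMENT_SIGNUPS)  # assumption: the payment service hashes
    print("plain-text WWWidgets table stolen, accounts exposed:",
          reuse_exposure(store_plaintext(WWWIDGETS_SIGNUPS), payment))
    print("hashed WWWidgets table stolen, accounts exposed:",
          reuse_exposure(store_hashed(WWWIDGETS_SIGNUPS), payment))
```

Note that hashing at WWWidgets does not remove Wayne's own fault: a thief who guesses his weak password from the hash still has it everywhere he reused it.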

CONCLUSION

  The information here will hopefully contribute to public understanding of the risks posed by the use of passwords for online authentication.

  Passwords are the root cause of many other problems in computer fraud, including the practice known as "phishing". Obtaining passwords and/or credit card numbers (which are also disgracefully vulnerable) are some of the main reasons for hacking or stealing computer equipment.

  If no physical trespass has occurred, then it is possible that the theft of passwords may not be detected until long after subsequent crimes and abuses of privacy have been committed.

21 October 2006

© Parliamentary copyright 2007