The LinkedIn Breach
Recently, LinkedIn was the victim of a breach of over 6 million passwords. Breaching such a large number of passwords could allow an attacker to access all resources to which those six million users normally have access.
The passwords were hashed with the SHA-1 algorithm, but the hashes were stored unsalted. In simple terms, this is equivalent to using one single, unchanging encryption key for every password, whereas best security practice dictates a unique, random salt for each password. Because the hashes were unsalted, every user who chose the same password ends up with the same hash, so once one password is cracked, every account using that password is cracked at the same moment, and a single precomputed table works against the whole set.
Using a unique, random salt for each password would make it much more difficult for attackers to crack the passwords, but, given time and adequate computing resources, virtually any password still could be cracked.
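To make the unsalted-versus-salted distinction concrete, here is a small added example (not code from the original post, and nothing to do with LinkedIn's real systems). It builds a constructed credential store two ways: bare SHA-1 digests as described above, and PBKDF2 with a per-user random salt. The check `duplicate_hash_count` is the kind of audit a defender can run over a hash table: any shared digest means identical passwords are visible to anyone holding the store, which is exactly the property a salt removes. The user names, passwords and iteration count are constructed sample values.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample data: two users happen to have chosen the same password.
USERS = {"alice": "correct horse", "bob": "correct horse", "carol": "hunter2"}


def unsalted_sha1(password: str) -> str:
    """Bare SHA-1 digest of the password: the unsalted scheme described above."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA256 with a per-user random salt and a deliberately slow iteration count."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def build_unsalted_store(users: dict) -> dict:
    """user -> hex digest. Identical passwords produce identical entries."""
    return {user: unsalted_sha1(pw) for user, pw in users.items()}


def build_salted_store(users: dict) -> dict:
    """user -> (salt, digest). A fresh 16-byte salt per user makes every entry unique."""
    store = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        store[user] = (salt, salted_hash(pw, salt))
    return store


def verify_salted(store: dict, user: str, password: str) -> bool:
    """Login check against the salted store; compare_digest avoids a timing side channel."""
    if user not in store:
        return False
    salt, expected = store[user]
    return hmac.compare_digest(salted_hash(password, salt), expected)


def duplicate_hash_count(store: dict) -> int:
    """Number of users whose stored value is shared with at least one other user.

    A non-zero result means the store leaks which accounts share a password,
    and that cracking one of them cracks all of them at once.
    """
    counts = Counter(store.values())
    return sum(n for n in counts.values() if n > 1)


if __name__ == "__main__":
    print("unsalted duplicates:", duplicate_hash_count(build_unsalted_store(USERS)))
    salted = build_salted_store(USERS)
    print("salted duplicates:  ", duplicate_hash_count(salted))
    print("alice login ok:     ", verify_salted(salted, "alice", "correct horse"))
```

Running it shows two duplicates in the unsalted store (alice and bob) and none in the salted one, while logins against the salted store still verify normally. The slow KDF is the second half of the fix: a salt alone stops table reuse across accounts, but the iteration count is what raises the per-guess cost the article refers to.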
The Solution: Two-Factor Authentication
One inexpensive method of providing a much higher level of security is “two-factor authentication.” Here the customer first presents a physical item that only he possesses and, second, something that only he knows, such as a password or PIN (personal identification number). An ATM bank card is one example of two-factor authentication: the card is useless to a thief without the PIN, which only the customer knows, and the PIN or password alone is equally useless without the accompanying ATM card.
Two-factor authentication provides a double safeguard: even if someone compromises the user’s password (factor one), they still have no chance of accessing the user’s resources, because they do not possess the physical “token” (factor two) that the user must hold in order to pass the second phase of authentication.
SecurID – Hard and Soft Tokens
The “token,” which embodies the second factor of authentication, can be in one of two formats: a “hard token,” such as a specialized access card (a SecurID card, for example), or a “soft token,” such as an installable certificate or installable software authentication agent.
In addition to being something the user must possess, SecurID-based tokens have the added security feature of generating a unique, random pass-code every 60 seconds. This means that, even if an attacker happened to guess one of the constantly changing pass-codes, the attacker would have to enter it within that 60-second window; otherwise it is useless.
Three-Factor Authentication
In most environments, the actual security model using a system such as SecurID would be considered three-factor authentication because, once you authenticate with the SecurID pass-code, you must then use your usual user ID and password to complete the login process (to LinkedIn or Yahoo Mail, for example).
The SecurID system uses seed records on a remote server that are time-synchronized with a particular range of hard and/or soft tokens. The tokens themselves use the same hashing algorithms and time-based randomization as the servers. Such synchronization requires that the server's system clock and the clock embedded in the token both be highly accurate and reliable.
Upon receipt of the token, the user follows a vetted token activation process, much like activating a bank ATM card or credit card. Each hard token also carries a unique serial number, which must be used together with the randomly generated pass-code shown on the token in order to authenticate.
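The three preceding paragraphs describe a seed shared between server and token, a pass-code derived from that seed and the current time, a 60-second window, clock accuracy, and a serial number that selects the seed record. The added example below is mine, not code from the original post and not SecurID's proprietary algorithm: it uses the public HMAC-based one-time-password construction (the TOTP design from RFC 6238 with a 60-second step) to show the same mechanics. The serial number, seed and timestamps are constructed values. The server side accepts one window of clock skew either way, which is why the clocks must stay close, and records the last accepted window per serial so a pass-code cannot be replayed inside its 60 seconds.

```python
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 60   # the article: a fresh pass-code every 60 seconds
DIGITS = 6          # constructed display length

# Constructed seed records on the server, keyed by the token's serial number.
# The serial format and the seed are placeholders, not real SecurID values.
SEED_RECORDS = {
    "SN-000123456": bytes.fromhex("3132333435363738393031323334353637383930"),
}

# Last time window accepted per serial, so a pass-code cannot be reused within its window.
LAST_ACCEPTED_WINDOW: dict = {}


def window_of(unix_time: int) -> int:
    """The time window (counter) that a given Unix time falls into."""
    return unix_time // STEP_SECONDS


def passcode_for_window(seed: bytes, window: int) -> str:
    """HMAC-SHA1 over the window counter, dynamically truncated to DIGITS decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", window), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** DIGITS)).zfill(DIGITS)


def token_display(serial: str, now: int = None) -> str:
    """What the hard or soft token shows the user right now."""
    now = int(time.time()) if now is None else now
    return passcode_for_window(SEED_RECORDS[serial], window_of(now))


def server_verify(serial: str, submitted: str, now: int = None, skew_windows: int = 1) -> bool:
    """Server side: look up the seed by serial, recompute the code for the current
    window plus/minus skew_windows to tolerate small clock drift, and refuse any
    window that has already been accepted for this serial (replay protection)."""
    seed = SEED_RECORDS.get(serial)
    if seed is None:
        return False
    now = int(time.time()) if now is None else now
    base = window_of(now)
    for delta in range(-skew_windows, skew_windows + 1):
        window = base + delta
        if hmac.compare_digest(passcode_for_window(seed, window), submitted):
            if window <= LAST_ACCEPTED_WINDOW.get(serial, -1):
                return False  # this window was already consumed: replay
            LAST_ACCEPTED_WINDOW[serial] = window
            return True
    return False


if __name__ == "__main__":
    serial = "SN-000123456"
    code = token_display(serial)
    print("token shows:", code)
    print("server accepts:", server_verify(serial, code))
    print("same code again:", server_verify(serial, code))
```

Two properties are worth noticing when you run it: a code submitted a few seconds into the next window still verifies (the skew allowance), but the same code presented three windows later does not, and even inside its window it is accepted only once. A wider skew allowance tolerates worse clocks at the cost of a longer useful life for a stolen code, which is the trade-off the clock-accuracy requirement is about.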
Breached Passwords Won’t Matter if LinkedIn and Others Use Tokens
Soft tokens utilize simple software agents and, therefore, could provide the various Internet social networks and email providers with a low-cost, low-maintenance method of vetting each user login transaction with a relatively high degree of certainty.
Such soft agents could be downloaded by (or to) the end users electronically, using a stringent vetting process, possibly including a minuscule credit card payment of a few cents (much like that used by PayPal and Google’s AdSense).
A self-service token reset process (like “forgotten password” automation) could provide for minimal maintenance and upkeep on the provider’s end.
With such stringent authentication in place, breached passwords would be virtually useless to hackers, since an attacker would need two or more factors in order to authenticate.