3 August 2015

Brute force bugs highlight the weaknesses of human generated passwords

Andy Harris

Passwords are one of the biggest threats to enterprise data security today; barely a month goes by without another major news story reminding us of the fact. Most recently it was the discovery of new brute force password vulnerabilities which could allow attackers to crack users’ credentials faster and more easily. The two pieces of research in question concern very different computing platforms.

But they’ve proven again that enterprises need to take password management away from the end user.

OpenSSH problems

The first report concerns a bug in the OpenSSH software commonly used to log in remotely to internet-facing machines. A researcher going by the handle Kingcope claimed that the vulnerability allows attackers to bypass the built-in check which limits the number of log-in attempts to three or six before locking them out. Instead, it allows an attacker to make an unlimited number of password guesses within a two-minute log-in “grace period”, greatly increasing their chances of cracking the all-important credential, especially if it was human generated.

“This will effectively allow up to 10,000 password entries limited by the login grace time setting,” wrote Kingcope. “The crucial part is that if the attacker requests 10,000 keyboard-interactive devices openssh will gracefully execute the request and will be inside a loop to accept passwords until the specified devices are exceeded.”
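A defender-side check for the behaviour just described, added here as an example and not part of the original article: sshd logs every failed attempt together with the client's source port, so many failures sharing one IP and one port mean a single connection was allowed far past the normal attempt limit. The log lines are constructed, the attempt limit of 6 (the sshd default for MaxAuthTries) is assumed, and the script is Python rather than anything the article mentions.

```python
"""Flag SSH connections whose failed-auth count exceeds the attempt limit.

sshd normally drops a connection after MaxAuthTries failures; the bypass
described above produces many more failures on ONE connection (same
client IP and same source port) inside the LoginGraceTime window.
"""
import re
from collections import defaultdict

# Assumed attempt limit; mirrors the sshd_config MaxAuthTries default.
MAX_AUTH_TRIES = 6

# Matches both "Failed password for ..." and
# "Failed keyboard-interactive/pam for ..." lines written by sshd.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+) ssh2"
)


def count_failures_per_connection(lines):
    """Return {(ip, port): failure_count} over all sshd failure lines."""
    counts = defaultdict(int)
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[(m["ip"], m["port"])] += 1
    return dict(counts)


def suspicious_connections(lines, max_auth_tries=MAX_AUTH_TRIES):
    """Connections with more failures than sshd should ever have allowed."""
    return sorted(
        (ip, port, n)
        for (ip, port), n in count_failures_per_connection(lines).items()
        if n > max_auth_tries
    )


# Constructed sample log: one connection from 203.0.113.5 keeps failing on
# the same source port 51234 well past the limit; a second host fails once
# on a fresh connection, which is ordinary typo behaviour.
SAMPLE_LOG = [
    f"Jul 16 10:00:{s:02d} host sshd[1234]: Failed keyboard-interactive/pam "
    f"for root from 203.0.113.5 port 51234 ssh2"
    for s in range(0, 20, 2)
] + [
    "Jul 16 10:00:30 host sshd[1300]: Failed password for invalid user "
    "admin from 198.51.100.7 port 40001 ssh2",
]

if __name__ == "__main__":
    for ip, port, n in suspicious_connections(SAMPLE_LOG):
        print(f"{ip}:{port} -> {n} failures on one connection")
```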

AppBugs everywhere

Another piece of new research found a not dissimilar bug in some of the world’s most popular Android and iOS apps. Researchers at AppBugs examined 100 such applications and discovered that more than half (53%) had a brute force vulnerability. Given that these apps have been downloaded an estimated 600 million times, the flaw exposes huge swathes of smartphone users to the risk of their mobile services being infiltrated by hackers.

“If today the attacker launches such an attack against most user accounts in parallel, he will be able to get most user generated passwords within 24 days,” the firm concluded.

Time for change

So what’s to be done? Even if these particular bugs are patched, it doesn’t change the fact that traditional password systems remain fundamentally flawed as an authentication mechanism. Users frequently think up easy-to-crack credentials which then get reused across multiple accounts, a double security failure. IT managers, developers and platform providers should instead look to new ways of validating user identities which don’t require individuals to remember a password.

Osirium’s Privileged User Management platform does just that by separating the user from the password. We sit in the middle operating enterprise-class password management, which means we use long, complex and randomly generated credentials. Each device has a completely unique password, and passwords are regularly changed at random. This makes attempts at cracking via brute force or dictionary-based attacks absolutely pointless.

This kind of password management has an important role to play in all use cases, but none more so than that of privileged enterprise users. Far from being the lowest risk group in the enterprise, your IT department is increasingly being targeted by attackers in highly sophisticated covert attacks aimed at stealing your most sensitive corporate data.

If you haven’t considered bolstering enterprise security with Privileged User Management yet, now would be a good time to start.