2014-02-22

Recently, Dashlane released its quarterly Personal Data Security Roundup (PDF), which examines the “illusion of personal data security in e-commerce,” noting that consumers increasingly share personal and payment information with online retailers, and the only thing standing between that data and criminals is a mere password.

The problem is that those passwords most likely are not strong enough to stand up to attackers. The Dashlane report, which assesses the password policies of the top 100 e-commerce sites against 24 password security scoring criteria, contains extensive analysis of password security on commercial web sites.

The key findings include:

55% still accept notoriously weak passwords such as “123456” or “password”

51% make no attempt to block entry after 10 incorrect password entries (including Amazon, Dell, Best Buy, Macy’s and Williams-Sonoma)

64% have highly questionable password practices (receiving a negative total score in the roundup)

61% do not provide any advice on how to create a strong password during signup, and 93% do not provide an on-screen password strength assessment

Only 10% scored above the threshold for good password policies (i.e. 45 points or more in the roundup)

8 sites, including Toys “R” Us, J.Crew and 1-800-Flowers.com, send passwords in plain text via email

Tim Erlin, Director of Product Management at Tripwire, took some time to review the data in the report and said he believes the weak password requirements on most e-commerce sites are an example of something that is fundamentally wrong with information security in general, and files it under the category “failing to connect security to the business.”

Take this paragraph from the Dashlane report for example:

“In addition to permitting weak passwords, a number of e-commerce sites do not lock users’ accounts after repeated failed access attempts. Numerous sites, including Amazon and Dell, allow uninterrupted normal login attempts even after 10 incorrect password entries. One of the easiest methods hackers use to break into an account is the automated entry of commonly used passwords. Restricting account access after multiple incorrect entries is a simple way to curb this tactic.”

Erlin points out that there is nothing in the report that actually validates, with real data, that this method has ever been used in a successful attack that compromised consumer data.

“I’m not saying it’s not true – I’m saying that the authors don’t substantiate this as a primary attack vector in the report,” Erlin said. “Moreover, by identifying two successful businesses that engage in this behavior, the argument that it’s risky to the business is undermined. I suspect that Amazon made a conscious choice not to lock accounts after retries, and that that decision was based on money.”

Here’s another example paragraph Erlin took note of in the report:

“The danger with a weak password policy is that it leaves users’ personal data vulnerable. The weaker the password, the easier it is for hackers to break into an account. Therefore, sites with lenient password policies are leaving their users exposed to greater risk.”

Erlin believes this paragraph comes much closer to the mark with regard to connecting a specific technical issue with a possible consequence that matters to the business, but it still misses the most interesting point entirely.

“Compromise of the users’ data appears to have little effect on the success of the business itself,” Erlin said. “User credentials are a low value asset in this context – perhaps a high value asset for marketing purposes, but only in aggregate. This just seems like it rehashes an awful lot of ‘everyone knows this is bad’ logic, i.e. argumentum ad populum.”

Dwayne Melancon, Tripwire’s CTO, said he thinks Erlin’s observations are valid, agrees that the report misses the mark, and also concurs that the issue is far more than weak passwords and unlimited login attempts.

Many of the breaches Melancon has been studying share some common root elements:

Companies not storing passwords properly, thereby allowing attackers to harvest credentials easily.

“As Erlin says, these are low value assets in general, but when combined with the next point, the situation gets more interesting,” Melancon said.

Users who re-use the same password on pretty much every site for which they create an account.

“Now, if a criminal can gain access to Gawker account credentials and use those same email / password combos to get into accounts for PayPal, Amazon, etc. then you’re on to something,” Melancon continued. “These two factors are a big part of most of the breaches that have impacted individuals in the past.”

Of course, another password-related factor is rearing its head lately: corporations that use shared or common credentials for a large number of high-value assets.

“We’ve seen that this was a key factor in the Target breach, and we believe it will likely show up as an exploited vector in other retail breaches,” Melancon said. “In fact, Target scored very well in this report from a web login / end user credential perspective, but it was weak internal passwords that enabled a mega-breach.”

Melancon points out that many of these risk factors are easy to identify through normal vulnerability scans and automated configuration assessments. However, the problem is much bigger than password strength policies and limiting login retries.
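The three controls the report scores and Melancon's first point turn on (rejecting the common passwords it names, blocking entry after 10 incorrect attempts, and storing credentials as salted hashes rather than in a harvestable form) fit in one small account store. This is an added illustration, not code from Dashlane or Tripwire; the 12-character minimum and the 15-minute lockout window are assumptions, since the report only specifies the 10-attempt threshold.

```python
import hashlib
import hmac
import os
import time

# Constructed denylist: the report says 55% of sites still accept "123456" and "password".
WEAK_PASSWORDS = {"123456", "password", "qwerty", "12345678"}
MAX_FAILURES = 10          # the report's threshold: block entry after 10 incorrect entries
LOCKOUT_SECONDS = 15 * 60  # assumed lockout window; the report does not specify one


def check_password_policy(password):
    """Signup-time check: reject denylisted passwords and (assumed) anything under 12 chars."""
    if password.lower() in WEAK_PASSWORDS:
        return False, "password is on the common-password denylist"
    if len(password) < 12:
        return False, "password shorter than 12 characters"
    return True, "ok"


def hash_password(password, salt=b""):
    """Salted scrypt hash, so a stolen user table does not hand attackers reusable plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt, digest


class AccountStore:
    def __init__(self):
        self._users = {}     # email -> (salt, digest); the plaintext is never kept
        self._failures = {}  # email -> (consecutive failure count, locked_until timestamp)

    def register(self, email, password):
        ok, reason = check_password_policy(password)
        if not ok:
            raise ValueError(reason)
        self._users[email] = hash_password(password)

    def login(self, email, password, now=None):
        """Returns "ok", "denied" or "locked"; `now` is injectable for testing."""
        now = time.time() if now is None else now
        count, locked_until = self._failures.get(email, (0, 0.0))
        if now < locked_until:
            return "locked"          # still inside the lockout window, do not even check
        if locked_until:
            count = 0                # previous lockout expired: start a fresh window
        record = self._users.get(email)
        if record is not None:
            salt, digest = record
            if hmac.compare_digest(hash_password(password, salt)[1], digest):
                self._failures.pop(email, None)
                return "ok"
        count += 1                   # unknown accounts count too, to avoid cheap enumeration
        locked_until = now + LOCKOUT_SECONDS if count >= MAX_FAILURES else 0.0
        self._failures[email] = (count, locked_until)
        return "locked" if locked_until else "denied"
```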

“It’s time to zoom out and look at this problem holistically, as well as come up with a better way to handle authentication and credential management in today’s world,” Melancon concluded.

Cross Posted from Tripwire's State of Security

Copyright 2010 Respective Author at Infosec Island
