When nearly 1.5 million user login credentials were stolen from Gawker Media group and published online, the breach harmed security not only for Gawker but also for a number of other, unrelated websites.

Knowing that most people use the same username and password on multiple websites, spammers immediately started using the Gawker login credentials to try accessing accounts on other websites.

The result triggered a massive domino effect across the Web - hundreds of thousands of accounts on Twitter were hijacked and used to spread spam, and many large sites including Amazon.com and LinkedIn prompted users to change their login credentials to avoid fraud.

The domino effect is caused not only by poor password practices on the part of users but also by the weak authentication requirements on websites, which can actually encourage users' bad behavior. The only way to stop the domino effect on website security is for businesses to stop relying solely on passwords for online authentication.  

Finding a balance between competing forces

To achieve strong authentication on the Web, IT professionals must find a balance among three separate forces whose goals are often at odds: the cost and security needs of the company, the impact on user behavior, and the motivations of the would-be attacker. 

The goal of the business is to make website security as rigorous as possible while minimizing the cost and effort spent implementing security controls. To do this, it must take into account the behavior and motivations of both its users and the attackers.

In most cases, the attacker also conducts a cost vs. benefit analysis when it comes to stealing login credentials. The attacker's goal is to maximize profits while minimizing the cost and effort spent achieving the payoff. The more the attacker can do to automate the attack, the better the cost vs. payoff becomes.  That is why keylogging malware and botnets are still the most pervasive threats, while more sophisticated man-in-the-middle attacks remain rare.

The user also instinctively performs their own evaluation of costs vs. benefits and behaves in a rational way as a result. Although it's easy to blame the users for choosing weak passwords or using the same password on multiple websites, the reality is that creating a unique, strong password for every website is not a rational choice.

The cognitive burden of remembering so many complex passwords is too high a cost - especially if the user believes the odds of their credentials being stolen are small or that the business that owns the website will absorb any losses resulting from fraud.¹ Thus, the security advice about choosing strong passwords and never re-using them is rejected as a poor cost/benefit tradeoff. No wonder users continue to have bad password practices.

The motives of the business, the user and the attacker are often competing but they are all intertwined and IT security professionals should not think of them as separate islands of behavior. We must consider them all when developing an effective security strategy. The goal is to achieve the optimal balance, having optimized the cost/benefit tradeoff for the business, made the security requirements easy enough for users to adhere to, and made it just difficult enough for the would-be attacker that it is not worth their effort. 

Recommendations

The fallout from the Gawker Media breach demonstrates that the security of a company's website is affected by the security of every other website. You can't control the security practices at other companies, so you must implement measures to identify risk, add layers of authentication, and incorporate one-time passwords to stop the domino effect from spreading to your company's website.

Evaluate your business needs and consider the most common security threats: First, consider the industry in which the business operates. What type of data needs to be protected and why? What form would an attack most likely take? (e.g. Is an attacker likely to steal user credentials and sell them for profit, or more likely to use stolen credentials to access user accounts and commit fraud? Are you most concerned about stopping brute force attacks, or could your site be a target for a more sophisticated threat such as a man-in-the-middle attack?) Are there data security regulations with which the company must comply? Who is the user population - are they employees, business partners or the general public? How security savvy is the user population?

Conducting an evaluation of the business needs, the most prevalent threats and the user behavior will help determine the level of risk and how stringent the authentication requirements should be.  

Strengthen authentication without placing excessive additional burden on the user:  Any website requiring authentication should have at least the following basic security measures in place:

• Enforce a dictionary check on passwords to ensure that the user cannot choose a common word for their password.
• Require a strong username that includes a numeric character. Often the username is the easiest portion of the login credentials for a hacker to guess.
• Limit the number of failed login attempts. If a user fails the login three times, temporarily suspend the account until they authenticate through other means.
• If login failed, don't identify which user credential is incorrect. Stating that the 'password is incorrect' or the 'username doesn't exist' allows hackers to harvest account information. A general statement such as "Incorrect login, please try again" helps prevent account harvesting.
• Use SSL to create an encrypted link between your server and the user's Web browser during account enrollment, the login process and the password reset process.
• Provide users with contextual advice on how to choose a strong username and password. Research shows that users do choose better passwords when given advice on how to do so.

These steps may seem rudimentary to some readers, but a study conducted by researchers at Cambridge University showed that most websites did not even enforce these minimum standards.²

Tokenless one-time passwords for additional layers of authentication:  Use behavioral and contextual risk profiling tools and techniques to dynamically trigger additional layers of authentication. Identify device reputation, and evaluate the geolocation of the user's IP address and time of day that they are accessing the site. Also examine the frequency of the login attempts, which could indicate a brute force attack.

If a high-risk situation is identified, require an additional authentication step from the user. One-time passwords remain a good option for most websites. By creating a unique password or passcode each time authentication is needed, a one-time password solution strengthens authentication on the website even if the user chose a weak password, uses the same password on multiple websites, or unknowingly had their password stolen through social engineering or keylogging malware.

The growth of software-as-a-service makes it possible to deliver one-time passwords without using costly hardware tokens, key fobs or smart cards. For example, an image-based authentication approach prompts users to identify pictures that fit their pre-chosen categories. The pictures are different each time and have random alphanumeric characters assigned to them, which form the one-time password when the user identifies the correct pictures.  On-screen dynamic keyboards have also been used as a method to generate passwords.

SaaS one-time password solutions are well-suited to the business objective of increasing security with minimal cost (no need for hardware or infrastructure integrations) and are easy for the user (no need to carry tokens), making it more likely the user will adopt the stronger security practice. While one-time passwords won't stop a sophisticated, man-in-the-middle attack, they do stop the most common threats - making the effort difficult enough that most attackers will seek an easier target elsewhere.

Multifactor Authentication: Organizations requiring even stronger security on their websites should implement true multifactor authentication.

• Mobile authentication: The widespread use of mobile phones has made implementing multifactor authentication easier and more cost effective than in the past. The business sends a one-time passcode to the user's phone via SMS text message and the user types the code they received into the web page to authenticate. The user likely always has their phone with them, and the business avoids the cost and effort of purchasing, distributing and maintaining tokens or smart cards.

A drawback of delivering a one-time passcode by text message is that it's delivered in clear text. If the users' mobile phone has been stolen, a criminal can easily view the message and use the passcode to authenticate successfully.

One way to solve this problem is to deliver a type of authentication challenge to the mobile phone rather than a clear text code. For example, the business could deliver an image-based authentication challenge like the one described previously as an MMS message or via an application on the smartphone. The user would need to correctly identify their secret images (something the user knows) on the phone (something the user has) in order to successfully authenticate.

• Biometrics and Behavioral biometrics: Biometrics and behavioral biometrics are becoming viable authentication options. For example, laptops with built-in video cameras can be used for facial recognition. Fingerprint scanners are quite common in mobile and desktop environments. Smartphone applications can be used for voice recognition. Retinal scanners, palm-scanners and ear-scanners have all been used in biometric identification. However, drawbacks of biometric authentication include the need to maintain the equipment and 'body parts' to get accurate readings; biometric id data must also be stored in databases and is, therefore, susceptible to malicious theft and forgery.

Use of behavioral biometrics in authentication has been gaining in popularity. Behavioral biometric techniques include software that tracks the user's behavioral patterns such as keystroke speed and mouse movements. It has been demonstrated that these and other behavioral profiling techniques can help to successfully identify an individual user, especially when used as an additional authentication factor.

Conclusion

Authentication standards on most websites are woefully lacking. Relying solely on username and passwords puts the business, its users and its valuable information at risk. Not every business needs true multifactor authentication, but most businesses can benefit from implementing relatively simple security controls, such as adding one-time passwords. To develop the right authentication strategy, IT professionals must evaluate the security needs of the company and balance the cost/benefit tradeoff of stringent security with the impact on usability and user behavior, while thwarting the objectives of the would-be attacker.

User education is also critical for improving authentication security. Unless the user clearly understands the reasons for and personal benefits of additional authentication requirements, they will find ways to circumvent the policies.  

Finally, it's important to remember that 'security' is a process - IT professionals must continually re-evaluate the company's security needs, identify areas for improvement and make a security roadmap for future improvements. Incident response is critical - always have a contingency plan in place to help mitigate the damage as quickly as possible.

The website can never be 100% secure, but IT professionals should aim to be in the optimal zone that balances the costs with the benefits, helps its users and is strong enough to deter most attackers.

 ¹"So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users" by Cormac Herley, Microsoft Research

 ²"The password thicket: technical and market failures in human authentication on the web" by Joseph Bonneau and Sören Preibusch