The Password Problem

The username and password have long been used to guard information, but cybersecurity breaches show just how vulnerable the paradigm is.

In September, attackers compromised iCloud accounts belonging to celebrities such as Jennifer Lawrence and posted private photographs of the victims online. In August, news reports circulated of Russian hackers amassing 1.2 billion username and password combinations from 420,000 websites. Heartbleed, a bug in the OpenSSL cryptographic library disclosed in April, let attackers read server memory, exposing private keys, session cookies, and the passwords of logged-in users. The list of breaches related to username and password theft goes on and on.

According to the 2014 Trustwave Global Security Report, two out of three security breaches in 2013 exploited weak or stolen passwords. Some experts call for stronger, more varied, and more complex passwords across different accounts, but others suggest doing away with the username-and-password paradigm altogether.

"Usernames and passwords are basically broken from a security and a usability standpoint," says Jeremy Grant, senior executive advisor for identity management at the National Institute of Standards and Technology (NIST). Grant is in charge of a federal program that is exploring new authentication concepts, called the National Strategy for Trusted Identities in Cyberspace (NSTIC).

Grant says the rules for creating a strong password are too much for any one person to manage across dozens or even hundreds of accounts: using uppercase and lowercase letters, incorporating symbols, and not writing them down, just to name a few. He adds that attackers are increasingly sophisticated at stealing passwords and often use automated tools to crack credentials. "There are so many different ways to execute password-based attacks these days that the notion of such a thing as a 'secure password' in the year 2014 just doesn't make sense," he tells Security Management.

Instead, says Grant, steering people toward stronger forms of authentication that are more secure, more private, and easier to use is a key focus of the NSTIC program.

Established by a presidential initiative in April 2011, NSTIC was designed to address the problem of insecure credentials for online identification by working with the private sector to develop new standards for identity technology. The program seeks to create a marketplace of solutions for establishing one's identity and gaining access to services without the traditional username and password, Grant says.

To work more closely with the private sector, NSTIC established the Identity Ecosystem Steering Group—industry professionals who have monthly meetings to talk about the program. Members include representatives from Citigroup, the American Civil Liberties Union, and LexisNexis.

Over the last three years, grants have been awarded to organizations that are trying different authentication methods, including biometrics, secure elements embedded in devices, and one-time-use passwords that are automatically downloaded from an app. 

One such pilot program, being conducted by AARP, uses biometric authentication for an app within the company's website. Another pilot is being conducted by, an organization that helps affinity groups, such as veterans, prove their identity online. This summer, worked with the theme park Sea World and the rock bands Kiss and Def Leppard, who all wanted to offer discounted or early ticket sales to veterans. Using grant money from NSTIC, the groups were able to ensure that all purchasers of discounted or early tickets truly were former military members. Grant says that eventually the Department of Veterans Affairs hopes to integrate the same technology within certain applications on its website.

Another pilot launching soon is with Inova Health System, the largest healthcare provider network in Northern Virginia. The company wants to offer patients the ability to access their electronic health records online, but as Grant puts it, the organization's chief technology officer was "wise enough" to know that a username and password would not provide the necessary security. So Inova is working with the Virginia Department of Motor Vehicles to create a stronger credential that ties in with driver's license registration. Those registered with the DMV would be able to authenticate themselves in a multistep process using a variety of secure credentials, including their driver's license number. Grant says the Inova pilot shows potential because it's "focused on letting citizens reuse the value" of what they went through to get a state-issued identification card.

In September, NSTIC announced the third round of pilot programs, which will award $3 million in grants. Though few details have been released, the official press release notes that the awardees, GSMA, Confyrm, and MorphoTrust USA, will focus on solutions that use mobile devices for authentication, minimize fraud-based loss, and improve access to state services.

Grant says the problem with online identity has less to do with building the right technology and more with addressing the overarching issues that technology doesn't answer, such as privacy, liability, and usability. For example, how easy is the technology for consumers to use, and who is liable for a breach when a credential issued by one provider is accepted by many businesses' sites? "What you're really dealing with at the end of the day is a bunch of issues that make the technology a secondary barrier to overcome," he notes.

He adds that NSTIC, as a government initiative, isn't meant to be a silver bullet to solve the password problem overnight. "At the end of the day it's a strategy," Grant says. "It lays out a vision of what this marketplace should look like in a few years." 

Until that marketplace exists, companies must make do with the current system. Experts advise that the best way to strengthen passwords is to make them only one part of the security solution. "Use multi-factor authentication," advises Robert Twitchell, president and chief executive officer of Dispersive Technologies. He adds that it's a good idea to avoid the use of public Wi-Fi hotspots to access your networks and recommends network segmentation. "Having everything the same enables a hacker to reuse techniques," he notes.

Terrorists Finding Targets in Cyberspace

Since the 1990s, terrorist groups have used the Internet to spread their messages and gain new followers. Over time, they have only grown more sophisticated at leveraging this powerful tool. In the fall of this year, the Islamic State of Iraq and Syria (ISIS) used social media to recruit Western Muslim extremists; U.S. intelligence experts believe that at least a dozen Americans were recruited online and have joined their ranks. The group even hijacked hashtags of popular but unrelated topics on Twitter, such as an August earthquake in Northern California. Their strategy was to ensure that gruesome photos of dead American soldiers and other propaganda would pop up when people searched for "#napaquake." This same terrorist group has posted videos of the beheadings of two American journalists and a British aid worker on YouTube to threaten and intimidate its enemies.

"They can hide in cyberspace," said Gabriel Weimann, professor of communication at Haifa University in Israel, during a presentation at the Library of Congress in April. Weimann said terrorists can use the Internet "to reach huge audiences, especially young people.... There's no way to block them, no way to censor them." 

Research points to the expansion of terrorism in cyberspace. The number of terrorist websites has grown dramatically in the last decade and a half, up from 12 sites in 1998 to 9,800 sites in December 2013, according to the United States Institute of Peace.

By using the Internet, terrorists no longer need to bring recruits to one physical location. "They can actually go to virtual camps in cyberspace where they'll find all the guidebooks, including how to prepare various poisons, how to hit planes, how to attack computer networks, how to damage a target with an explosive car, how to build a detonation device," said Weimann. "It's all online. They don't need to go anywhere. They can sit at home and join the cause."

Terrorism videos are also widely available online, and thousands of results can be found through a simple YouTube search. Hamas even launched its own versions of YouTube, including Aqsa Tube in 2009 and Pal Tube in 2011. These sites have the same look and feel as YouTube, but are strictly dedicated to the terrorists' cause.

Weimann, who is a fellow at the Woodrow Wilson Center, pointed out that Google Earth, which offers satellite images of the world, has been leveraged to plan and execute attacks, as was the case in the 2008 Mumbai attacks. In that massacre, carried out by the Pakistan-based group Lashkar-e-Taiba, each of the terrorists had the distances, directions, and target sites on their computers or smart devices so they could attack at the same time, knowing when and where to go.

In his presentation, Weimann also talked about the idea of narrowcasting, in which terrorists target groups based on age, education, demographic, and standard of living. "Instead of one message to all, they are moving now to a very specific and narrowcasting type of propaganda and recruitment online," he said of the terrorists.

"One example, and perhaps the most alarming, is the targeting of children online," said Weimann, who points out that children's shows are often used to send the message of terrorism to a younger audience.

For example, Hamas aired an episode of Pioneers of Tomorrow on Al-Aqsa TV in May 2014, which featured a child who said she wanted to become a police officer so she could "shoot Jews." A giant bumblebee is one of the show's main characters.

"If you consider that your struggle is a long-term one, you are thinking about educating the next generation of terrorists," noted Weimann.

Weimann said the lack of regulation on the Internet makes terrorism in cyberspace extremely hard to combat. However, maintaining an awareness of where the terrorists are online and who may be interacting with them is key to stopping them, and U.S. intelligence sources and others are doing this around the world.

There are also online campaigns to dissuade young people from joining the ranks of terror groups. One such video, which Weimann said is likely from a Saudi source, features a suicide bomber wreaking havoc on a busy town square. The name of the campaign is "Say No to Terrorism."

The State Department's Center for Strategic Counterterrorism Communications has been active lately in the fight against ISIS, posting lines such as "Think Again, Turn Away" to would-be extremist recruits on Twitter, Tumblr, YouTube, Facebook, and other social media sites.

"We may think of using the same platforms to appeal to the same targeted audiences with different narratives," Weimann noted. "It is certainly one of the ways to counter terror issues on the Internet."