The federal government this week got 1.2 billion new reasons why it needs to abandon single-password security.
The New York Times reported Aug. 5 that Russian hackers stole 1.2 billion passwords, roughly four times the population of the United States. Yet the news was met with more or less a collective yawn. Sure, it’s likely the biggest hack ever, but after the 50 million and 60 million hack numbers from earlier this year, is it that much of a stretch? In any case, nobody seems particularly alarmed this time around.
But the federal government should be concerned. Even if government websites are not involved in this hack, every website is likely going to be vulnerable to attack now. If nothing else, those 1.2 billion passwords can be added to dictionary attack programs. If a federal employee’s password is the same as (or even similar to) one used on a compromised site, then federal data is also vulnerable.
One quick solution might be requiring Personal Identity Verification and Defense Department Common Access Cards to be used for network access. However, although the cards have been issued to most feds, recent reports show that they are only sparingly used for network access. One of the biggest problems with the cards is the need for a reader to be installed at every access point, including those used by telecommuting and remote employees.
However, there is another method that could be used to add two-factor authentication to federal networks right away. I know because I use it when working with a defense contractor that does a lot of work with the federal government. Called one-time passwords (OTPs), the method adds a step to the standard name-and-password protection used for most network access. When I log into the contractor’s website, I enter my name and password as normal. However, that only gets me to a screen that lets me send a one-time password to a device I have already had approved, in this case my phone. I click send, and my phone gets a text with a long string of numbers. I then enter those numbers into the site and am granted full access. The numbers themselves are only valid for that one session and time out if not used within a certain number of minutes. In addition, the session itself times out after a period of inactivity.
Should someone hack my password, the only thing they would be able to accomplish is sending one-time password texts to my phone. Besides alerting me to a problem, I’m sure the contractor’s IT security staff monitor for a high number of OTP requests that don’t get fulfilled. My phone is nothing special. I had to go through a vetting process with a real person to set it up for OTPs, but that was just to verify that I was who I claimed to be. The secondary passwords just come in as an unencrypted text to my phone. Even so, someone would need to steal my phone to try to access the site. If the lack of card readers is holding back the government from implementing robust two-factor authentication, then there are quite a few ways to get it done using existing gear. Everyone has a cell phone.
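The server-side half of the flow described in the two paragraphs above, as an added example that is not from the column or from the contractor’s system: after the password check succeeds, the site issues a short numeric code, keeps only a hash of it with an expiry time, accepts it once, and counts codes that were requested but never redeemed so that a burst of unfulfilled requests can be flagged. The time limit, the attempt limit and the alert threshold (`OTP_TTL_SECONDS`, `MAX_ATTEMPTS`, `MAX_UNFULFILLED`) are assumptions chosen for illustration, and SMS delivery is left out; `issue()` simply returns the code the site would text to the approved phone.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 8
OTP_TTL_SECONDS = 5 * 60   # assumed: a code times out if unused within five minutes
MAX_ATTEMPTS = 3           # assumed: wrong guesses tolerated per issued code
MAX_UNFULFILLED = 5        # assumed: alert once this many codes go unredeemed in a row


@dataclass
class PendingOtp:
    code_hash: bytes     # hash only; the clear code is never stored server-side
    expires_at: float
    attempts_left: int


class OtpService:
    """Second factor applied after the normal name-and-password login.

    One outstanding code per user. A code is discarded after one successful
    check, when it expires, or when the guess budget is used up, so a
    captured code cannot be replayed for a second session.
    """

    def __init__(self, clock=time.time):
        self._clock = clock                     # injectable for testing expiry
        self._pending: dict[str, PendingOtp] = {}
        self._unfulfilled: dict[str, int] = {}  # requested-but-unredeemed counter

    @staticmethod
    def _digest(code: str) -> bytes:
        # An 8-digit code is cheap to brute-force offline, so the hash does not
        # protect against a leaked table; expiry, single use and the attempt
        # limit are the real defences. Hashing just keeps live codes out of logs.
        return hashlib.sha256(code.encode()).digest()

    def issue(self, user: str) -> str:
        """Called only after the password check passed. Returns the code to text."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[user] = PendingOtp(
            code_hash=self._digest(code),
            expires_at=self._clock() + OTP_TTL_SECONDS,
            attempts_left=MAX_ATTEMPTS,
        )
        self._unfulfilled[user] = self._unfulfilled.get(user, 0) + 1
        return code

    def verify(self, user: str, code: str) -> bool:
        """True exactly once per issued, unexpired code; False otherwise."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        if self._clock() > entry.expires_at:
            del self._pending[user]             # timed out: nothing left to check
            return False
        if not hmac.compare_digest(entry.code_hash, self._digest(code)):
            entry.attempts_left -= 1
            if entry.attempts_left <= 0:
                del self._pending[user]         # guess budget exhausted
            return False
        del self._pending[user]                 # single use: consume on success
        self._unfulfilled[user] = 0             # a redeemed code resets the alert counter
        return True

    def unfulfilled_requests(self, user: str) -> int:
        return self._unfulfilled.get(user, 0)

    def suspicious(self, user: str) -> bool:
        """Signal for the security staff: many codes requested, none redeemed."""
        return self.unfulfilled_requests(user) >= MAX_UNFULFILLED


if __name__ == "__main__":
    svc = OtpService()
    code = svc.issue("jdoe")             # in production this is texted, not printed
    print("first check:", svc.verify("jdoe", code))    # True
    print("replay:", svc.verify("jdoe", code))         # False, already consumed
    for _ in range(MAX_UNFULFILLED):
        svc.issue("jdoe")                # someone with only the password hitting "send"
    print("suspicious:", svc.suspicious("jdoe"))       # True
```

The unfulfilled-request counter is what turns the flow from a mere speed bump into a detection signal: a stolen password on its own can only generate codes nobody redeems, and that pattern is exactly what should page the security team.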
Not taking some steps to improve security in this environment is tantamount to helping the hackers.