How to Strengthen Website Authentication
When nearly 1.5 million user login credentials were stolen from Gawker Media group and
published online, the breach harmed security not only for Gawker but also for a number of other,
unrelated websites. Knowing that most people use the same username and password on multiple
websites, spammers immediately started using the Gawker login credentials to try accessing
accounts on other websites. The result triggered a massive domino effect across the Web - hundreds
of thousands of accounts on Twitter were hijacked and used to spread spam, and many large sites
including Amazon.com and LinkedIn prompted users to change their login credentials to avoid fraud.
The domino effect is caused not only by poor password practices on the part of users
but also by the weak authentication requirements on websites, which can actually encourage
users' bad behavior. The only way to stop the domino effect on website security is for businesses
to stop relying solely on passwords for online authentication.
Finding a balance between competing forces.
To achieve strong authentication on the Web, IT professionals must find a balance among
three separate forces whose goals are often at odds: the cost and security needs of the company,
the impact on user behavior, and the motivations of the would-be attacker.
The goal of the business is to make website security as rigorous as possible while minimizing
the cost and effort spent implementing security controls. To do this, it must take into account
the behavior and motivations of both its users and the attackers.
In most cases, the attacker also conducts a cost vs. benefit analysis when it comes to
stealing login credentials. The attacker's goal is to maximize profits while minimizing the
cost and effort spent achieving the payoff. The more the attacker can do to automate the attack,
the better the cost vs. payoff becomes. That is why keylogging malware and botnets are still
the most pervasive threats, while more sophisticated man-in-the-middle attacks remain rare.
The user also instinctively performs their own evaluation of costs vs. benefits and behaves
in a rational way as a result. Although it's easy to blame the users for choosing weak passwords
or using the same password on multiple websites, the reality is that creating a unique, strong
password for every website is not a rational choice. The cognitive burden of remembering so
many complex passwords is too high a cost - especially if the user believes the odds of their
credentials being stolen are small or that the business that owns the website will absorb any
losses resulting from fraud. Thus, the security advice about choosing strong passwords and
never re-using them is rejected as a poor cost/benefit tradeoff. No wonder users continue to
have bad password practices.
The motives of the business, the user and the attacker are often competing but they are
all intertwined and IT security professionals should not think of them as separate islands
of behavior. We must consider them all when developing an effective security strategy. The
goal is to achieve the optimal balance, having optimized the cost/benefit tradeoff for the
business, made the security requirements easy enough for users to adhere to, and made it just
difficult enough for the would-be attacker that it is not worth their effort.
The fallout from the Gawker Media breach demonstrates that the security of a company's
website is affected by the security of every other website. You can't control the security
practices at other companies, so you must implement measures to identify risk, add layers of
authentication, and incorporate one-time passwords to stop the domino effect from spreading
to your company's website.
Evaluate your business needs and consider the most common security threats.
First, consider the industry in which the business operates. What type of data needs
to be protected and why? What form would an attack most likely take? (e.g. Is an attacker likely
to steal user credentials and sell them for profit, or more likely to use stolen credentials
to access user accounts and commit fraud? Are you most concerned about stopping brute force
attacks, or could your site be a target for a more sophisticated threat such as a man-in-the-middle
attack?) Are there data security regulations with which the company must comply? Who is the
user population - are they employees, business partners or the general public? How security
savvy is the user population?
Conducting an evaluation of the business needs, the most prevalent threats and the user behavior
will help determine the level of risk and how stringent the authentication requirements should be.