Heartbleed vulnerability: most secure approach to passwords?

The discovery and fallout of the Heartbleed vulnerability has everyone scrambling to change the passwords to a myriad of online services. While this rush to change passwords has many wondering whether users will be able to remember all of their new passwords, others are concerned that changing passwords too fast will cause more problems. If a user changes a password before the web server at the online service has been updated to remove the flaw, then they may simply have handed hackers the new password in place of the old one.

It would not be hyperbole to say that the Internet, and every company that uses it, is currently facing one of the most serious security flaws in its history. The Heartbleed bug allows anyone on the Internet to read the memory of systems protected by vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify service providers and to encrypt traffic, the names and passwords of users, and the actual content. The ramification is that it enables cybercriminals to eavesdrop on communications, steal data directly from services and users, and impersonate services and users.

“By hijacking access credentials of legitimate users or the private keys of assets, Heartbleed enables cybercriminals to gain remote access to servers and assets running vulnerable versions of OpenSSL. Heartbleed is a nuclear reminder of why access credentials to sensitive assets should never be divulged to a user,” said Dan Dinnar, Vice President for Asia Pacific at CyberArk. “Companies need to isolate, control and monitor privileged access to all enterprise assets. Additionally, limitations on access should be enforced, such as dual-control which requires additional approval for remote connection. This makes it even more difficult for an attacker to abuse hijacked user credentials.”

So what’s the most secure approach to passwords?
One-time passwords that expire after a single use - A one-time password protects users against Heartbleed by rendering any password that was stolen completely useless. Unlike static passwords, which do not change, one-time passwords are impervious to replay attacks.

Despite this, many companies avoid changing passwords on a regular basis. According to a CyberArk study, 53 per cent of enterprises take 90 days or longer to change privileged passwords.

Further, many passwords have not been changed for years. With cookie-based login remembering, it has become increasingly easy to ‘set and forget’ credentials for commonly used services. Many accounts within an organisation were set up and maintained by an employee who has since left the company, and those accounts may still be active yet forgotten. Discovering where these accounts exist is an equally important part of defending against Heartbleed and future bugs like it.
