8. The Means of Cybersecurity: Access Control 189

False negatives, that is, users being denied access to their own account, are also an issue with password-based authentication schemes, because people sometimes forget their passwords. To resist impersonation attacks, passwords should be long, random, and complex, and all of these properties make passwords hard to remember. A user who forgets a password cannot be authenticated, which causes frustration and loss of work. Most password-based authentication schemes therefore include a convenient password reset mechanism that lets users create a new password. Unfortunately, password reset mechanisms are themselves targets for attackers and have their own vulnerabilities. The fundamental problem is that, in the anonymous world of cyberspace, it is difficult to authenticate users accurately, inexpensively, and at scale. Passwords scale well, but they do not provide strong cybersecurity.

The burden passwords place on users is significant. When registering an account, users are asked to create a password that they can remember yet that has nothing to do with anything they care about (to prevent password guessing attacks), that is long and drawn from several different character sets (to prevent password cracking attacks), and that is different from the password on every one of their other accounts (to prevent credential stuffing attacks). This is unrealistic, especially for users who see passwords as a burden on themselves rather than as an obstacle for attackers. It is the rare user who can come up with strong passwords and keep track of them.

To make matters worse, it used to be a cybersecurity best practice to set password expiration dates, forcing users to change their passwords periodically. This practice is designed to limit surreptitious account access, in which attackers spy on victims by logging into their accounts. For example, an attacker might access a victim's email account to read their messages.
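The three registration-time requirements listed above (not derived from the user's own account data, long with several character classes, and not reused from elsewhere) are what a password policy check in a registration handler actually enforces. The following is an added example, not code from the book: a checker that applies the three rules to a candidate password. The minimum length and character-class thresholds, the sample user record, and the small leaked-password list are all constructed assumptions; the reuse rule is approximated the way real deployments approximate it, by rejecting passwords that appear in a breach corpus, since a site cannot see a user's other accounts.

```python
"""Registration-time password policy check (added example, not from the book).

Enforces, in order, the three requirements the text lists:
  1. not derived from the user's own account data   (password guessing attacks)
  2. long and drawn from several character classes  (password cracking attacks)
  3. not present in a leaked-credential corpus      (credential stuffing attacks)
The thresholds, the user record and the breach list are constructed sample data.
"""
import string

MIN_LENGTH = 12      # assumed policy value
MIN_CHARSETS = 3     # assumed policy value

# Constructed stand-in for a breach corpus that would normally be loaded
# from a file or queried by hash; none of these are real leaked credentials.
BREACHED_PASSWORDS = {
    "password1!", "Summer2023!", "qwerty123", "letmein",
}

CHARSETS = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}

# Constructed sample account used for the guessing-attack rule.
SAMPLE_USER = {
    "username": "jdoe",
    "first_name": "Jane",
    "last_name": "Doe",
    "email": "jane.doe@example.com",
}


def charset_count(pw):
    """Number of distinct character classes (lower/upper/digit/symbol) present in pw."""
    return sum(1 for cs in CHARSETS.values() if any(ch in cs for ch in pw))


def account_tokens(user):
    """Pieces of account data a guesser would try first: username, name parts,
    and the local part of the e-mail address (whole and split on . and _)."""
    toks = set()
    for field in ("username", "first_name", "last_name"):
        value = user.get(field, "")
        if value:
            toks.add(value.lower())
    email = user.get("email", "")
    if "@" in email:
        local = email.split("@", 1)[0].lower()
        toks.add(local)
        toks.update(local.replace(".", " ").replace("_", " ").split())
    # Ignore very short fragments; they would reject almost everything.
    return {t for t in toks if len(t) >= 3}


def check_password(pw, user):
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    lowered = pw.lower()

    # Rule 1: nothing the attacker could read off the user's profile.
    for tok in account_tokens(user):
        if tok in lowered:
            problems.append(f"contains account data: {tok!r}")
            break

    # Rule 2: length and character-class composition against offline cracking.
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if charset_count(pw) < MIN_CHARSETS:
        problems.append(f"uses fewer than {MIN_CHARSETS} character classes")

    # Rule 3: reuse approximated by a breach-corpus lookup. Here an exact
    # plaintext match on a constructed set; a production check would query
    # a hashed corpus so the candidate password never leaves the server.
    if pw in BREACHED_PASSWORDS:
        problems.append("appears in a breached-password list")

    return problems


if __name__ == "__main__":
    for candidate in ("JaneDoe2024!", "Summer2023!",
                      "correct-horse-battery-staple", "Vx7#pLq2!mRw9$kT"):
        print(candidate, "->", check_password(candidate, SAMPLE_USER) or "accepted")
```

Running the block shows each rule firing on a different candidate, including the long lowercase passphrase that the text's "several character sets" rule rejects even though its length makes it strong against cracking; whether to keep composition rules at all is exactly the kind of tradeoff the text goes on to discuss.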
If the compromised password expires and is reset by the account owner, the attacker loses access to the account and the attack stops. While still employed in some workplace environments, password expiration is no longer considered a standard cybersecurity best practice. Surreptitious account access is a relatively low risk: it is rare, and even when it happens, the impact is usually not severe. In most cases in which a user's password is compromised, the attacker uses the unauthorized access right away to accomplish the attacker's objectives, without worrying that doing so reveals the compromise, because by then the damage has been done. Even an attacker who is interested in maintaining surreptitious access may inadvertently reveal the intrusion, prompting a password reset at that time. Meanwhile, password expiration does not always eliminate surreptitious account access: an attacker who obtained a user's password once may be able to obtain it again the same way after the update, for example by repeating a shoulder surfing attack. Additionally, as we saw in Chapter 5, cybersecurity practices come at a cost, and tradeoffs must be considered. One of the costs of password expiration is the burden it places on users, since it results in even more passwords for them to keep track of. In some work environments that enforce regular password expiration, exasperated users resort