Heartbleed - Poster Child for One-Time Password Use For Privileged Accounts

The discovery and fallout of the Heartbleed vulnerability has everyone scrambling to change the passwords to a myriad of online services (as we blogged about the other day  – the flaw ‘compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content.’)

While this rush to change passwords has many wondering whether they’ll be able to remember all of their new passwords, others are concerned that changing passwords too fast will cause more problems.  If you change your passwords before the web server at your online service has been updated to remove the flaw, then you’re potentially giving hackers a different password than your old one.

This adds a layer of complexity and confusion to the password discussion.  While it would be easier if we could securely authenticate to services without passwords, a world without passwords is still a concept and not a reality (though it’s been discussed for years). 

Heartbleed will super charge this discussion, and with good reason.  However, hypothetical technology discussions do not secure the here and now.

We’re stuck with passwords for now whether we like it or not. Even if a better solution for secure authentication is discovered tomorrow, passwords will not simply disappear from the enterprise overnight. 

So what’s the most secure approach to passwords?  One-time passwords that expire after a single use.

One-time passwords would protect users against Heartbleed by virtue of rendering any password that was stolen completely useless.  Unlike static passwords that don’t change, one-time passwords are impervious to replay attacks.

This is why CyberArk has long advocated for the automated enforcement of one-time passwords to secure privileged accounts. Many companies eschew changing passwords on a regular basis. In fact, our recent privilege survey showed 53 percent of large enterprises take 90 days or longer to change privileged passwords.

Advanced threats are too numerous and too rapid to maintain static passwords for cycles this long, especially passwords to the most powerful and frequently targeted accounts by hackers.  The longstanding problem is that the frequent update / remember cycles create a lot of pain for users, which translates into avoidance. Remove the complexity of change and increase overall security. This has been our approach from day one to help businesses be vigilant about password security and embrace one-time passwords.

And if you’re wondering if we were impacted by Heartbleed, you can find more here.

Tuesday, April 15, 2014