Password is dead, or is it?

Passwords have been with us for a very long time and have shown incredible persistence. Despite countless attempts to replace them, and near-universal agreement that they should be replaced, passwords are more widely used than ever. Poor security is, obviously, the main concern of security experts. However, since even strong authentication technologies are vulnerable to certain attacks, a more precise statement of exactly what is required of a replacement is essential.

The U.S. government’s 2011 NSTIC initiative, “National Strategy for Trusted Identities in Cyberspace”, summarizes things concisely: “passwords are inconvenient and insecure”. The summary suggests that the implicit goal is “more security, more usability (at reasonable cost)”. There is little to disagree with here; however, it does not point in the direction of a suitable replacement. The resources protected by passwords are diverse: local and corporate accounts, financial accounts with substantial assets, throwaway email accounts, web forum accounts, and so on. Clearly, not all types of accounts have the same security needs. Nor do all people have the same security needs; politicians and celebrities in general may require better protection than others need for banking. What should be the starting point for evaluating technologies to replace the password?

Evaluating the current vulnerabilities of the password authentication system is a good starting point. After all, one of the implicit goals for the new authentication method is more security. While usability and cost are important, they usually take a back seat when increased security is required. End users and upper management will certainly disagree, but let us go with the initial assumption and aim for secure authentication.

Password requirements have changed substantially over the years. Long gone are the short, alphabetic-only or numeric-only passwords, at least at resources where security is important. Most, if not all, systems allow setting password policies that include complexity requirements, account lockout after a given number of failed attempts, and expiration. Guessing complex and relatively frequently expiring passwords is not that productive; a successful guess is more of a “my lucky day” event.

So, what is wrong with the password? It is vulnerable to keyloggers, social engineering, and password cracking.

Arguably, client devices are the most susceptible to having account credentials stolen. The source of this issue is malware-infected devices, which have been with us for a long time and will continue to be in the near future. The bad news? A compromised host or mobile device enables cyber-criminals to bypass virtually every two-factor authentication system.

Social engineering is manipulating people so that they give up the sought-after information. The type of information the “social engineer” seeks can vary, but it usually centers on account credentials, financial information, and the like. Once the account is compromised, the “social engineer”, or a designee, bypasses virtually any authentication system.

Password cracking requires the password hash that is stored locally on the device or on the authentication server. Without the password hash, no password cracking solution would be able to recover the password. Cyber-criminals use various means to obtain access to password hashes, such as exploiting system vulnerabilities, compromising client devices, and social engineering. With a compromised authentication server at their disposal, cyber-criminals are capable of bypassing virtually any authentication system.

Are these password vulnerabilities, or does the culpability belong somewhere else?

The logical answer is that both the client devices and the servers are responsible for the password’s vulnerability. Securing these devices should be the first step in preserving the integrity of account credentials. Otherwise, biometric or other types of authentication methods may not provide the desired level of account security. For cyber-criminals, it makes no difference whether the stolen credential is a password or, for example, a fingerprint. Well, there is one difference: it is easier to replace a password than a fingerprint. Not to mention that while the supply of passwords is unlimited, the end user’s supply of fingerprints is limited to ten.

Based on history, securing client devices and authentication servers is not likely to take place anytime soon. In that case, replacing the password with other authentication methods may provide only a marginal security improvement, and that improvement may turn out to be temporary, lasting only until cyber-criminals develop malware that exploits the other authentication methods with ease and on a wide scale. Keep in mind that there is malware available now that is capable of exploiting two-factor authentication.

Do we really need to replace the password authentication method now, without addressing the system vulnerabilities first?

Password complexity, does it really matter?

SplashData recently released its annual list of the 25 most widely used bad passwords. The blog noted:

    “In SplashData’s fifth annual report, compiled from more than 2 million leaked passwords during the year, some new and longer passwords made their debut – perhaps showing an effort by both websites and web users to be more secure. However, the longer passwords are so simple as to make their extra length virtually worthless as a security measure.”

The number of passwords leaked in 2015 was much more than two million; chances are that the actual number is a lot larger. The Ashley Madison security breach alone, in 2015, netted the hacker(s) 34 million passwords. While I don’t doubt the authenticity of SplashData’s top 25 list based on its numbers, the chances are that the analysis is somewhat skewed.

SplashData does provide some advice on password protection via simple tips like this one:

    “Use passwords or passphrases of twelve characters or more with mixed types of characters”

Wait… Weren’t most, if not all, of the leaked passwords related to website security breaches? If they were, what is the difference between the “123456” and the “3pHj1P38JVF4” password? In reality, none, other than the obvious fact that the end user will have a hard time remembering the twelve-character, randomly generated password. Let’s face it: as long as the hacker(s) can download the password database, it does not matter whether a password complexity policy is in place or not.

Information Technology (IT) people can go ahead and ridicule end users for their choice of passwords. Doing so will result in a couple of funny stories, but the joke is on them. It is 2016 and IT people still cannot secure the password databases.

Despite all of this, it will not stop IT people from requiring end users to use long and complex passwords, use special characters, include upper- and lower-case letters, include numerals, use different passwords for each account, not write them down, and change them frequently. Doing any combination of the aforementioned is not likely to matter. No wonder end users cringe when the IT guys/gals show up…

None of the top lists would be possible by simply guessing passwords or via social engineering; the number of passwords obtained by these means would not be sufficient for statistical purposes. Let’s not throw end users under the bus, and instead do what needs to be done. Secure the password databases, IT people…
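One concrete piece of what “securing the password databases” means is storing only salted, deliberately slow hashes, so that a downloaded table does not hand over the passwords directly and identical passwords (the “123456” crowd from the top 25 list) cannot even be spotted as identical. The following is an added example, not code from the original post; it uses PBKDF2-HMAC-SHA256 from Python’s standard library, and the iteration count and the sample users are constructed values.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed work factor for this example; a real deployment tunes it so a
# single verification costs a noticeable fraction of a second on the server.
ITERATIONS = 200_000


def naive_hash(password: str) -> str:
    """The weak form: fast, unsalted. Equal passwords yield equal hashes, so a
    leaked table immediately reveals every account sharing '123456'."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Derive a salted, iterated hash and return the record to store."""
    if salt is None:
        salt = os.urandom(16)  # unique per record, so equal passwords differ
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the derivation from the stored salt and compare in constant
    time, so a timing difference does not leak how many bytes matched."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    # Constructed sample database: two users who chose the same weak password.
    db = {"alice": hash_password("123456"), "bob": hash_password("123456")}
    print("naive hashes equal:", naive_hash("123456") == naive_hash("123456"))
    print("salted hashes equal:", db["alice"]["hash"] == db["bob"]["hash"])
    print("alice login ok:", verify_password("123456", db["alice"]))
    print("alice wrong password:", verify_password("password", db["alice"]))
```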