Passwords aren’t secure. So what’s the alternative?
Google is testing its own anti-password login mechanism using mobile phones as two-factor authentication (2FA) devices, following hard on the heels of Yahoo, which launched a password-free login system for its users in October. Companies like these are offering new authentication mechanisms because passwords are a terrible way to authorize people. Users can’t remember them, or if they do, it’s because they’re easily guessable.
Stealing passwords en masse
Some of the biggest password compromises happen when vast databases of login credentials are stolen directly from the source, when hackers compromise a web site.
These passwords are generally stored as hashes rather than in plain text. If they aren’t, then the site operator should be hanged, drawn, and quartered. But even if they are hashed, that doesn’t always make them safe. Attackers can compare the stolen hashes against a vast precomputed table of hashed dictionary words, called a rainbow table. When a match is found, they have identified the password.
This happens when users rely on obvious passwords, or any valid word. The most common passwords are depressingly obvious. When Ashley Madison was hacked earlier this year, the most popular password was ‘123456’. The second was ‘12345’. In a stunning imaginative leap, the third most common was ‘password’, followed closely by ‘DEFAULT’, and, just to make it a little more difficult for hackers to type, ‘123456789’.
Using passphrases (a group of words strung together) can help, but crackers are trying to guess those, too.
There are techniques to protect hashed passwords. In particular, ‘salting’ adds a user-specific random string of characters to a password before hashing, so that two users with the same password end up with different hashes and a single precomputed table no longer applies. This can slow hackers down and make it prohibitively expensive for them to crack the passwords en masse.
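The difference between an unsalted hash and a salted, deliberately slow one, as an added illustration (not code from the article): the constructed word list below stands in for a precomputed table, and PBKDF2-HMAC-SHA256 stands in for any slow password hash.

```python
import hashlib
import hmac
import os

# Constructed sample: the weak passwords the article lists, as a tiny stand-in
# for the dictionary behind a precomputed (rainbow) table.
COMMON_PASSWORDS = ["123456", "12345", "password", "DEFAULT", "123456789"]
ITERATIONS = 200_000  # work factor; raise as hardware gets faster


def build_lookup_table(words):
    """Precompute hash -> word once; every unsalted SHA-256 leak can then be checked against it."""
    return {hashlib.sha256(w.encode()).hexdigest(): w for w in words}


def unsalted_hash(password):
    """How a careless site stores passwords: one fast hash, same output for same input."""
    return hashlib.sha256(password.encode()).hexdigest()


def recover_from_table(stored_hash, table):
    """A stored hash that appears in the precomputed table gives the password away."""
    return table.get(stored_hash)


def salted_hash(password, salt=None, iterations=ITERATIONS):
    """Per-user random salt plus a slow KDF; stored as 'salthex$digesthex'."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex() + "$" + digest.hex()


def verify_salted(password, stored, iterations=ITERATIONS):
    """Re-derive with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    print("unsalted leak recovered:", recover_from_table(unsalted_hash("123456"), table))
    a, b = salted_hash("123456"), salted_hash("123456")
    print("same password, different salted records:", a != b)
    print("salted record in table:", recover_from_table(a, table))
```

Two users with the same weak password share an unsalted hash, so one table lookup exposes both; with per-user salts the attacker must repeat the slow derivation for every user and every guess.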
Even if passwords are protected from mass online theft, they are still insecure because users don’t use them properly.
Users also tend to copy passwords between sites, meaning that if one is hacked, the rest can be similarly compromised. Password sharing can make user activity monitoring and privilege restriction practically impossible. So what are the alternatives to make our access to systems more secure?
“We have the technology to identify people fairly reliably without them having to enter their passwords all the time,” said Angela Sasse, a professor of human-centred technology who leads the Information Security Group at the UK’s University College London.
Sasse points to technologies including two-factor authentication (something you know, plus something you have or something you are). This comes in different forms, including hardware tokens, and out-of-band verification using your smartphone, similar to Google’s existing Authenticator system, which generates one-time codes, and to its latest trial, which simply asks the user to respond to a notification.
Biometric identification is also coming along nicely. Many modern phones have fingerprint scanners, and now, companies are using phone-based voice identification. RBC launched conversational voice biometrics in October, enabling callers to identify themselves without entering a password or PIN.
Other, even subtler authentication systems are also in the works. Some companies are now experimenting with behavioural analysis by using people’s typing and mousing patterns as a unique identifier. In theory, this means that a system could tell who you are pretty quickly simply by watching you use a website.
Adding more data, such as accelerometer information from mobile phones and location information would increase the probability of a positive match still further. The US military is already experimenting with these techniques.
None of these techniques are entirely secure, because nothing in cybersecurity ever is. For example, Apple’s fingerprint sensor was compromised by security researchers in 2013, and there is no guarantee that the technologies used within 2FA haven’t themselves been compromised at birth using a back door.
Organizations can increase their level of security by combining multiple forms of authentication, such as biometrics, hardware tokens, and out-of-band authentication. All of this increases the probability of protection, but also increases user friction, which leads to a bigger question: how important is it?
All cyber security requires a level of risk analysis to determine the impact of a compromise. This must be weighed against the financial cost and the impact on process as more authentication technologies are layered on top of each other.
The password’s time is most certainly not over. It will continue to be used, and often used badly. But those organizations who are aware of its limitations and of the alternatives available can limit their vulnerability.
If you do use passwords as part of your security portfolio in 2016, you could do a lot worse than follow the recently-published guidelines on password usage from CESG, the information security arm of the UK government’s GCHQ signals intelligence spy agency.