
The Problem With Passwords (again, still)

Passw0rds!  The bane of most users' and sys-admins' lives.  I started talking about passwords earlier in the year, with the theme of 'the password's dead...long live the password'.  Obviously, the password isn't dead and is very much alive.  The story generally unfolds something like this:

  1. The infosec team creates a corporate password policy that requires a password to meet something like the following: a minimum length, at least one number, one upper case character and one special character, perhaps a minimum age, and historical uniqueness
  2. A sys-admin or developer creates a function within an app/system/website to check newly created passwords for complexity, in line with the corporate password policy
  3. A user is created within a system / registers on a site
  4. A user is prompted to enter a new password for themselves, which must match the above policy
  5. If the policy is too complex, the user's initial password selection will generally be bounced for being too insecure
  6. The user iterates their password, adding numbers or additional characters until the password is accepted
  7. User convenience and satisfaction are probably reduced due to having to remember a large password
  8. The sys-admin believes the system is now relatively secure from hackers guessing passwords as everyone has a complex password

The Sys-admin is the Problem?

Obviously this is a fairly simplified view, but what will also probably happen is that the end user will either write the password down (a massive security no-no, and probably well enough publicised not to be a serious large scale issue?) or have a small pool of re-usable passwords that meet the complex criteria.  By this, I simply mean that every 90 days, when the password needs changing, the user will just add a digit to an existing password, for example.
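As an added example (not code from the original post), this is what step 2 of the flow above looks like when the complexity check also catches the 90-day "add a digit" reuse just described.  The minimum length, history depth and the "strip trailing digits/specials" stem rule are assumptions, and the history check assumes the previous passwords are available in the clear at change time, which in practice only holds for the current password the user types in.

```python
import re
import string

# Policy from the post: minimum length, a digit, an upper-case character,
# a special character, historically unique. The numbers are assumptions.
MIN_LENGTH = 12
HISTORY_DEPTH = 5
SPECIALS = set(string.punctuation)
_TRAILING = re.compile(r"[\d" + re.escape(string.punctuation) + r"]+$")


def complexity_errors(pw: str) -> list[str]:
    """Return the policy rules the candidate password fails (empty = passes)."""
    errors = []
    if len(pw) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in pw):
        errors.append("no digit")
    if not any(c.isupper() for c in pw):
        errors.append("no upper-case character")
    if not any(c in SPECIALS for c in pw):
        errors.append("no special character")
    return errors


def _stem(pw: str) -> str:
    """Strip a trailing run of digits/punctuation: 'Winter2019!' -> 'Winter'."""
    return _TRAILING.sub("", pw)


def is_increment_of(new: str, old: str) -> bool:
    """True when 'new' is 'old' with its trailing digits/specials changed or
    added (Summer1! -> Summer2! or Summer12!): the 90-day reuse pattern."""
    s_new, s_old = _stem(new), _stem(old)
    return bool(s_old) and s_new.casefold() == s_old.casefold()


def validate(new: str, history: list[str]) -> list[str]:
    """Complexity check plus history check against the last HISTORY_DEPTH
    passwords: reject exact reuse and trivial increments alike."""
    errors = complexity_errors(new)
    for old in history[-HISTORY_DEPTH:]:
        if new == old:
            errors.append("reused a previous password")
            break
        if is_increment_of(new, old):
            errors.append("trivial variation of a previous password")
            break
    return errors
```

A plain complexity check accepts Summer2020!! straight after Summer2019!!; the history check is what closes that gap.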

Now, the other side of the password management piece is the assumption that the passwords themselves are stored securely on disk.  Are the passwords hashed instead of encrypted?  Is a well known algorithm and management process being used?  What physical and logical access controls are in place around the hashes?  Is the database or directory they're stored in securely backed up, and so on?

Whilst there have been a few cases recently where the underlying password hashes have been stolen, the underlying security argument is that even if hashes get into the wild, a complex password will still take some time to crack, either by brute force or a dictionary attack.
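As an added example (not from the original post), here is the "hashed, not encrypted, with a well known algorithm" storage the questions above are asking about: a per-user random salt, a deliberately slow key-derivation function, and a self-describing record so the work factor can be raised later.  PBKDF2-HMAC-SHA256 and the iteration count are assumptions chosen because they need only the Python standard library.

```python
import hashlib
import hmac
import os

# Assumed work factor for the example; it is stored in each record so old
# records still verify after the default is raised.
ITERATIONS = 200_000
ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a record 'pbkdf2_sha256$iterations$salt_hex$digest_hex'.

    The salt is random per user (16 bytes) unless one is supplied, so two
    users with the same password get different records and a stolen table
    cannot be attacked with one precomputed dictionary."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and
    compare in constant time; the plaintext is never stored or recoverable."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def needs_rehash(record: str) -> bool:
    """True when a record was made with fewer iterations than the current
    default, so it should be re-hashed on the user's next successful login."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != ALGO or int(parts[1]) < ITERATIONS
```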

So the User is the Problem? A Password Vault to the Rescue?

So the weak entry point is the user, right?  They can't be relied upon to create, and keep secret, good quality complex passwords.  Possibly true for most non-IT end users.  In come the many browser and desktop based password vaults.  They can create the password for you.  Simples!  The browser based vaults simply check the form to see if it contains a password field, prompt the user to use the inbuilt random generator, and voilà, a long, pseudo random, complex passphrase is created.  The vault will store the password for the user, so the user doesn't even need to know what it is.  Excellent.  No issues around passwords being written down, forgotten or being incremented and reused.  Every time a user hits a particular URL, the vault will pass through the password and the user is authenticated.  Easy.

Hmm.  So now all the passwords are in one place.  Have we now just moved to the admin's worst case 101 problem, a single point of failure?  Now the question is how the vault is managed.  I don't know of any major breaches of the big online browser based vaults - but please comment if you know otherwise.  If the vault is hacked, all your passwords, no matter how complex, are out in the open.  So the assumption again is that 1) the vault won't be hacked and 2) even if it is and your passwords are exposed, because they'll be so long and complex, cracking them will be too computationally expensive.

Keys to the Castle

So assuming how the vault is managed won't be a problem, how does the user access the vault to use the stored passwords?  Ah!  A username and password (see flow above!).  So, the user needs to create a master password - the key to the castle.  So whilst on one hand we solve one problem, on the other we create another.  The impact of having a password-vault password hacked is going to be more costly than for any of the single systems using the vault.  That's obvious.  So what next?  We can introduce dual-factor authentication to add an extra level of security.  This could require tokens, one-time-passwords via mobiles or grid-based authentication using unique randomized pads.  The use of dual factors goes to show that passwords on their own don't provide the level of protection required for some systems.

When it comes to creating passwords though, the complexity rules will certainly provide a basic level of protection.  If you have to create a password manually, try mixing the languages and keyboard layouts you use.  For example, on many desktop operating systems you can simply add keyboard maps for other world languages, setting up a hot key to switch between English and the 2 or 3 other selected languages.  When entering a password, try mixing a few languages together.  Whilst this isn't always going to help, it can certainly help slow down dictionary attacks.


It can look pretty cool too right?

@SimonMoffatt
