
The Problem With Passwords (again, still)

Passw0rds! The bane of most users' and sys-admins' lives. I started talking about passwords earlier in the year, with the theme of 'the password's dead... long live the password'. Obviously, the password isn't dead and is very much alive. The story generally unfolds something like this:

  1. The infosec team creates a corporate password policy that requires a password to meet something like the following: a minimum length, at least one number, one upper case character and one special character, perhaps a minimum age, and historical uniqueness
  2. A sys-admin or developer creates a function within an app/system/website to check newly created passwords for complexity, in line with the corporate password policy
  3. A user is created within a system / registers on a site
  4. A user is prompted to enter a new password for themselves, which must match the above policy
  5. If the policy is too complex, the user's initial password selection will generally be bounced for being too insecure
  6. The user iterates their password, adding numbers or additional characters until the password is accepted
  7. User convenience and satisfaction are probably reduced due to having to remember a long password
  8. The sys-admin believes the system is now relatively secure from hackers guessing passwords as everyone has a complex password
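As an added illustration of steps 1 to 8 (example code, not from the post), here is a Python checker that enforces the rule types listed in step 1 and a small simulation of the step 6 loop. The specific numbers (8 characters minimum, 5 remembered passwords) are assumptions; the post does not give them. It also shows one check a reviewer of such a function would want: comparing the new password to recent ones with the trailing digits and symbols stripped, so that the "add a digit every 90 days" habit does not slip through an exact-match history check.

```python
import string

# Policy values are constructed for this example; the post names the rule
# types but not the numbers.
MIN_LENGTH = 8      # minimum length
HISTORY_DEPTH = 5   # how many previous passwords count as "recent"
SPECIALS = set(string.punctuation)


def check_complexity(password: str) -> list:
    """Return the policy rules the password breaks; an empty list means accepted."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in password):
        failures.append("no number")
    if not any(c.isupper() for c in password):
        failures.append("no upper case character")
    if not any(c in SPECIALS for c in password):
        failures.append("no special character")
    return failures


def stem(password: str) -> str:
    """Strip the trailing digits/symbols a user typically increments, then lower-case."""
    return password.rstrip(string.digits + string.punctuation).lower()


def check_history(password: str, history: list) -> list:
    """Historical uniqueness. An exact-match check alone lets 'Winter2019!' become
    'Winter2020!', so the stem comparison also rejects that iteration pattern."""
    recent = history[-HISTORY_DEPTH:]
    if password in recent:
        return ["matches a previous password"]
    s = stem(password)
    if s and s in {stem(p) for p in recent}:
        return ["differs from a previous password only by trailing digits/symbols"]
    return []


def validate(password: str, history=()) -> list:
    """Full policy check: complexity rules plus history."""
    return check_complexity(password) + check_history(password, list(history))


def simulate_user_iteration(candidates, history=()):
    """Walk the flow in the post: the user keeps tweaking a password until the
    checker accepts it. Returns (accepted_password, attempts) or (None, attempts)."""
    for attempt, candidate in enumerate(candidates, start=1):
        if not validate(candidate, history):
            return candidate, attempt
    return None, len(candidates)


if __name__ == "__main__":
    # Constructed sample of the "add characters until accepted" behaviour.
    print(simulate_user_iteration(["winter", "winter1", "Winter1", "Winter1!"]))
    print(validate("Winter2020!", history=["Winter2019!"]))
```

The simulation accepts "Winter1!" on the fourth try, which is exactly the outcome the post describes: the complexity rules are satisfied, but the password is still a dictionary word with a digit and a symbol bolted on. The stem comparison is the cheap addition that at least stops the yearly increment of the same word.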

The Sys-admin is the Problem?

Obviously this is a fairly simplified view, but what will also probably happen is that the end user will either write the password down (a massive security no-no, and probably well enough publicised not to be a serious large-scale issue?) or have a small pool of re-usable passwords that meet the complex criteria. By this I simply mean that, for example, every 90 days when the password needs changing, a digit gets added to an existing password.

Now, the other side of the password management piece is the assumption that the passwords are themselves stored securely on disk. Are the passwords hashed instead of encrypted? Is a well known algorithm and management process being used? What physical and logical access is in place to the hashes? Is the database or directory they're stored in securely backed up, and so on?

Whilst there have been a few cases recently where the underlying password hashes have been stolen, the underlying security argument is that even if hashes get into the wild, a complex password will still take some time to crack, either by brute force or a dictionary attack.

So the User is the Problem? A Password Vault to the Rescue?

So the weak entry point is the user, right? They can't be relied upon to create, and keep secret, good quality complex passwords. Possibly true for most non-IT end users. In come the many browser and desktop based password vaults. They can create the password for you. Simples! The browser based vaults simply check the form to see if it contains a password field, prompt the user to use the inbuilt random generator, and voilà, a long, pseudo-random, complex passphrase is created. The vault will store the password for the user, so the user doesn't even need to know what it is. Excellent. No issues around passwords being written down, forgotten or being incremented and reused. Every time a user hits a particular URL, the vault will pass through the password and the user is authenticated. Easy.

Hmm. So now all the passwords are in one place. Have we now just moved to the admin's worst-case 101 problem, a single point of failure? Now comes into question how the vault is managed. I don't know of any major breaches of the big online browser based vaults - but please comment if you know otherwise. If the vault is hacked, all your passwords, no matter how complex, are out in the open. So the assumption again is that 1) the vault won't be hacked and 2) even if it is and your passwords are exposed, because they'll be so long and complex, cracking them will be too computationally expensive.

Keys to the Castle

So, assuming how the vault is managed won't be a problem, how does the user access the vault to use the stored passwords? Ah! A username and password (see flow above!). So the user needs to create a master password - the key to the castle. So whilst on the one hand we solve one problem, on the other we create another. The issue with having a password-vault password hacked is going to be more costly than with any of the single systems using the vault. That's obvious. So what next? We can introduce dual-factor authentication to add an extra level of security. This could require tokens, one-time-passwords via mobiles or grid-based authentication using unique randomized pads. The use of dual factors goes to show that passwords on their own don't provide the level of protection required for some unique systems.

When it comes to creating passwords though, the complexity rules will certainly provide a basic level of protection. If you have to create a password manually, try mixing the languages and keyboard layouts you use. For example, on many desktop operating systems you can simply add keyboard maps for other languages, setting up a hot key to switch between English and the other 2 or 3 selected languages. When entering a password, try mixing a few languages together. Whilst this isn't always going to help, it can certainly slow down dictionary attacks.


It can look pretty cool too right?

@SimonMoffatt
