Passwords: Insecure Since 1962

Barry Gordon, Senior IAM Consultant, SecureITsource, Inc. In the early 1960’s, the Compatible Time-Sharing System at MIT required a password to login and use the system. This was likely the first time such technology had been implemented. Its purpose was simple: to keep users from interfering with each other’s files. However, in 1962, Ph.D. researcher Allan Scherr needed more than his allowed 4 hours. How did he overcome this problem? Just print everyone’s passwords! (McMillan) While password security has improved since then, passwords are still insecure at times. This is especially true given the other authentication alternatives available today.

How insecure are passwords?

Many people use relatively short passwords that are typically 8 or so characters. Usually something easy to remember is picked. However, even those who think they are creative are still choose poor passwords. Passwords like “123456” and “qwerty” can be cracked almost instantly. More complex word combinations “D0gF00d” and “P@$$w0rd” can be cracked in minutes or hours. Even something as random as “nz3T8>+^”, which is as hard to remember as it is insecure, is possible to discover in hours.

How to overcome this problem?

To overcome the problem of password insecurity, you must look at what causes poor password choice. The technology certainly exists to use secure passwords, but raw security tech isn’t the only factor. A positive user experience is just as important for security as it is for the other features of an application or system. If the user experience is poor, people will find a way to circumvent the inconvenience, and unknowingly circumvent security. However, current authentication technology offers more than just the traditional passwords.

Single sign-on

Single sign-on in its many forms can be a great way to require secure authentication without having a poor user experience. The more times someone must login, the more hassle. Many people just re-use the same insecure password for every application or system they use. It may seem counter-intuitive to put all your security into a single system, but having a single highly secure and easy to use single system is significantly less risk than several separate weak authentication points.

Additionally, even the best developers are usually not security experts. It’s often better for an application to offload its security to a strong proven authentication mechanism than to implement its own version of authentication. Single Sign-on systems are designed to be very user friendly and discourage poor user habits. They provide one of the other most important ways to overcome password insecurity: Multi-Factor Authentication.

Multi-factor Authentication

Which sounds more favorable from a user perspective: Login using a long and complex password or provide a couple easy to remember items that only you will know? The latter is quite popular and very affective. The best modern authentication systems have several factors to identify a person, and require many factors, but each of the factors are easy for the person authenticating to use. Additionally, this adds security by reducing the likelihood that an attacker will have access to or will have compromised all the required factors all at the same time. While not all encompassing, below are some examples of popular and secure authentication factors:

Passphrases

Technically, the longer a password is, the more secure it will be. A 20+ character string of random letters, numbers, and symbols is virtually impossible to remember. However, remembering phrase such as “I Eat Pizza on Tuesday!” is rather doable. Just for some perspective, a deck of cards has 52 unique values. Every time you shuffle a deck of cards, it is unlikely that exact order of the cards has ever existed before. Likewise, come up with a 52-character, easy to remember, phrase, and your password will most likely take longer than the age of the universe to crack.

One-Time Password/Magic Link

The One-Time Password and Magic Link are two of my favorite factors implemented today due to ease of use. Either a unique code or hyperlink is sent to a trusted destination, usually a mobile phone or email address. The security benefit is that this code or link is very short lived and useless after it has been used. However, typing a short code or clicking a link is very easy from a user perspective. Combining this with other methods makes a system very difficult to attack.

Device Authentication/Device Fingerprinting

Many people today keep one or more mobile devices with them. You can use that to your advantage. If a device can be trusted, it can be used to prove a user’s identity. Trust is usually established by the user authenticating from the device via other factors and marking it trusted. Once trusted, there are a couple ways the device can authenticate. Either by the system building a “fingerprint” of device specific technical information to distinguish it from similar devices or have it produce a code or user action specific to that device. This is often seen in the form of an authenticator app.

Behavior-based risk

Your company does not do business abroad, but someone is logging in from China? You’re only open during the day, but an employee is logging in at 3am? Behavioral data like time or location can be used to determine if an authentication attempt is valid or not. Logging in from a trusted device? Just use the code we sent you. Logging in from a foreign country at 3am? Please provide your passphrase, the code we just sent to your phone, and swipe your fingerprint. Behavior based authentication can make it very easy for legitimate requests while filtering out the possible attackers.

Biometric authentication

The cost of biometric authentication used to be prohibitively expensive, but in recent years it has become very reasonable. It is even an out-of-the-box feature on some mobile phones now. Also, it doesn’t have to be spy-movie grade with a retinal scan, hand prints, and a DNA sample. Just a fingerprint swipe or a selfie with facial recognition software is something that’s hard enough for potential attackers to emulate.

Make it easy for users to detect and report

The final, and possibly simplest, way to make authentication more secure is user awareness and reporting. The legitimate user knows whether they are trying to attempt to login. If there is odd behavior, notify them. Provide easy options to report suspicious activity, or if a mobile device is lost or stolen. Allow them to shut down or otherwise disable illegitimate requests. While frustrated people often like to circumvent security, it’s usually not out of malice. Give them an easy way to help you, and it will go a long way.

Look to the future, not the past

While passwords are often insecure, and some have predicted their demise, they likely aren’t going anywhere in the immediate future. However, that does not mean your authentication must be insecure, complex, or otherwise unmanageable. Using just a handful of the previously mentioned methods is sufficient. Computing has come a long way since 1962, shouldn’t your security be equally as advanced?

SecureITsource is an authorized reseller and professional services partner with the industry’s leading Identity & Access Management solution providers. Our team of experienced engineers help our clients to achieve their IAM goals by providing strategy, design, and engineering expertise.

References

McMillan, Robert. The World’s First Computer Password? It Was Useless Too. Wired.27 January 2012. Website. 21 February 2017. .