WHAT’S WRONG WITH PASSWORDS?
- Why ancient password issues still exist
- Are your passwords really safe?
- How hackers exploit reused passwords
- The problems with mobile authentication
Ancient password issues still exist
Right from the early days computer users have often recorded their passwords elsewhere, which makes them easier to remember, share and steal. The old Computer Time Sharing System was about as secure as a big share house, but that didn’t matter so much back then: access authentication – not security – was the priority.
“Nobody wanted to devote machine resources to this authentication stuff,” explained Professor Fred Schneider of Cornell University’s Computer Science faculty in an interview with Wired magazine in January 2012.
Schneider mused that those pioneering sys admins could have used a knowledge-based system that asked users to reveal something about themselves that other people might not know, such as mother’s maiden name, first pet, first school… but Schneider said “that would have required storing a fair bit of information about a person”, while a simple login only needed a few bits or bytes.
That ancient username and password model was designed as a two-piece key to unlock access. It was meant to manage authentication more than security.
But these days most systems rely on just one piece of the key – your password – because the username piece is now typically your email address, which is often publicly known.
Old habits die hard
The concept of a password had its roots in armies and secret clubs, but as the inventor of the computer password Professor Fernando Corbato of MIT admitted to the Wall Street Journal in May 2014:
“Unfortunately it’s become kind of a nightmare with the World Wide Web. I don’t think anybody can possibly remember all the passwords that are issued or set up. That leaves people with two choices. Either you maintain a crib sheet, a mild no-no, or you use some sort of program as a password manager. Either one is a nuisance.”
CHECKLIST: are your passwords really safe?
Think about all the places your own passwords might be stored.
[..] In your head
[..] Written on paper
[..] Written in a document on your device (with or without hints)
[..] Saved inside a Password Manager on your device that you unlock with your fingerprint, master password or private key on a separate device (e.g. dongle/USB stick)
By organisations you interact with:
[..] No idea
[..] Recorded as plain text in a master list stored and updated on one or more servers (possibly even printed on paper)
[..] Encrypted in a master list stored and updated on one or more servers
[..] No password, just identity questions (full name, date of birth, address, mother’s maiden name etc)
Have you ever used the same password for more than one account?
Don’t reuse passwords. Here’s why:
- Hackers know most people use just a small handful of passwords across all their accounts
- Most passwords are very easy to crack anyway
- When a hacker steals just one password from you, they know it’s likely they can unlock more than one of your accounts (find out whether your email address, and possibly your passwords, have been stolen at haveibeenpwned)
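The haveibeenpwned check mentioned above can be automated without ever sending a password over the wire: its Pwned Passwords service accepts only the first five hex characters of a password’s SHA-1 hash and returns every breached suffix in that bucket, so the match happens on the client. The block below is an added example, not code from the page or from Haventec; the breach bucket it queries is constructed inline so the example runs offline, and the real endpoint is named only in a comment.

```python
from __future__ import annotations
import hashlib

# The live service is the Pwned Passwords range endpoint,
# https://api.pwnedpasswords.com/range/<first 5 hex chars of the SHA-1>, which answers
# with "SUFFIX:COUNT" lines. This block never goes online: fetch_range_offline() below
# is a constructed stand-in that mimics that response format.

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_for_range_query(password: str) -> tuple[str, str]:
    """Only the 5-char prefix leaves the client; the 35-char suffix stays local."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; blank lines are ignored."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts

def pwned_count(password: str, fetch_range) -> int:
    """Return how often the password appeared in breach corpora (0 if never)."""
    prefix, suffix = split_for_range_query(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

# Constructed sample data: pretend "Password1" was seen 42 times in breaches, and pad
# the same prefix bucket with two made-up suffixes so the client has to match the full
# suffix rather than take the first line of the response.
_KNOWN_PREFIX, _KNOWN_SUFFIX = split_for_range_query("Password1")
_FAKE_BUCKET = "\n".join([
    "0A1B2C3D4E5F60718293A4B5C6D7E8F90A1:7",
    f"{_KNOWN_SUFFIX}:42",
    "F" * 35 + ":1",
])

def fetch_range_offline(prefix: str) -> str:
    """Stand-in for the HTTP call; any other prefix gets an empty bucket."""
    return _FAKE_BUCKET if prefix == _KNOWN_PREFIX else ""

if __name__ == "__main__":
    for pw in ("Password1", "correct horse battery staple"):
        print(pw, "->", pwned_count(pw, fetch_range_offline))
```

To use the live service, replace fetch_range_offline with a function that GETs the endpoint for the prefix and returns the response body; the matching logic stays the same.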
Why are passwords such a hassle?
Most people are nonchalant about finding a smarter way to manage passwords. They might know it’s better to have long strings of undecipherable symbols, letters and numbers instead of just words and numbers, but it’s a nuisance having to invent and remember unique strings for every login.
So they just reuse the same small collection of favourite passwords for everything from their email to business systems, social media and payment gateways, and fail to secure their valuable private information.
Or if they use a password manager on a business device, they’re not smart about securing the device itself.
Reusing passwords is extremely risky, yet people from all demographics still do it (and too many use weak passwords):
- Facebook’s Mark Zuckerberg had his identity hacked in June 2016 because he’d reused a password across multiple systems.
- Microsoft’s 2017 Security Intelligence Report revealed a 300% increase in user accounts attacked since 2016 and warned: “[most] of these … are the result of weak, guessable passwords and poor password management.”
- Dashlane reported in 2015 that each person typically has 90-130 accounts linked to a single email address — and each password is reused at least 4 times on average.
Password managers are targets too
Password managers are designed to try to solve the issue of having to remember multiple passwords. But they create another big problem: by bundling all of your passwords in a master list they create a centralised store of valuable passwords (either stored by you on your device or on a centralised server location).
These master lists are highly attractive targets for hackers because a single breach will open up guaranteed access to several accounts all at once.
How hackers exploit re-used passwords
- Hackers break into a central store of user identities on a social media server and steal its list of passwords
- They’ll test those passwords on several other platforms to find matches (knowing too many people reuse passwords)
- They’ll collect any information which could help answer ‘secret’ questions (perhaps not mother’s maiden name, but questions just as easy to answer) plus valuable information such as residential or postal address
- They’ll press on to get access to email accounts, which can then be used to request password resets and gain access to even more valuable private information such as medical records and financial accounts.
The hackers might cause reputational damage along the way for malicious entertainment, but in many cases the victims won’t know multiple breaches happened until they’ve had money or their identity stolen. The latter is arguably worse.
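The second step above, trying stolen passwords against many other accounts, leaves a distinctive trace in authentication logs: one source address attempting many different usernames in a short window. The detector below is an added example written for this page, not Haventec’s code; the log format (timestamp, source IP, username, result), the sample lines and the thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the page). One address works through
# six usernames in six seconds and gets one of them right; another address is an
# ordinary user mistyping a password once.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 203.0.113.7 alice FAIL
2024-03-01T10:00:02Z 203.0.113.7 bob FAIL
2024-03-01T10:00:03Z 203.0.113.7 carol FAIL
2024-03-01T10:00:04Z 203.0.113.7 dave FAIL
2024-03-01T10:00:05Z 203.0.113.7 erin FAIL
2024-03-01T10:00:06Z 203.0.113.7 frank OK
2024-03-01T10:00:09Z 198.51.100.20 alice FAIL
2024-03-01T10:00:15Z 198.51.100.20 alice OK
2024-03-01T11:30:00Z 203.0.113.7 grace FAIL
"""

def parse_log(text):
    """Yield (timestamp, ip, user, result) tuples; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return events

def detect_credential_stuffing(text, window=timedelta(minutes=10), min_distinct_users=5):
    """Return {ip: [usernames that logged in OK]} for every source IP that attempted at
    least min_distinct_users different usernames inside one sliding window. The OK list
    is the set of accounts a defender should reset first."""
    by_ip = defaultdict(list)
    for event in parse_log(text):
        by_ip[event[1]].append(event)
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            attempted = {e[2] for e in events[start:end + 1]}
            if len(attempted) >= min_distinct_users:
                flagged[ip] = sorted({e[2] for e in events if e[3] == "OK"})
                break
    return flagged

if __name__ == "__main__":
    print(detect_credential_stuffing(SAMPLE_LOG))
```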
Weak passwords are a massive problem
- 81% of data breaches are due to stolen and/or weak passwords — an attack qualifies as a breach if it leads to disclosure, not just exposure, of private data to an unauthorised party
- 63% of breaches are due to compromised identities
- 300% increase in attacks on cloud-based user accounts in 2017
- US$3.62 million — average cost of a data breach
- US$141 — average cost of each stolen record
- 1-15 hours — maximum time most hackers need to breach most of their target organisations, locate critical value data, and exfiltrate it
- 4 billion logins, passwords and other credentials were stolen and put up for sale on the dark web in late 2017
Mobile authentication: a key in your hand isn’t all it’s cracked up to be
Mobile authentication is increasingly popular in business because it gives security administrators a more traceable platform for managing access to corporate systems.
The promise of mobile authentication is that every individual carries a trackable device with them.
It can be used as a single sign-on system and password manager that’s supposedly blunder-proof.
Instead of asking for keys such as passwords (which are readily stolen or copied and reused) for each service the user needs to be productive, the business provides a central access management system. That system simply asks for a handshake with the user’s authorised mobile device plus a password locked to the device, and uses that to authorise access to multiple systems. The password isn’t stored on a highly trafficked, highly targeted server.
While 2FA and mobile-based authentication were effective when they were first implemented, they introduced friction to the authentication user experience. This friction still exists in many modern authentication systems and the methods aren’t as secure anymore – so what are the security benefits?
As Ric Richardson, software inventor and co-founder of Haventec, argues: “If you are going to use the ‘something you have’ credential as your primary or even only credential then you need to use something that is a lot easier to protect than a phone that gets left on a desk or in a purse or with a friend.”
Ric Richardson’s 3 reasons mobile authentication won’t cut it for business
- No one uses it today even though all the big companies have mobile authentication systems.
“Google Authenticator is the most widely distributed and used mobile authentication app but the user numbers aren’t verifiable. It does not appear in the top 200 list for any market. And using the rule that there are 1,000 downloads for every comment then it’s a dead man walking. I count as one of those downloads, but I only used it once. It feels like getting my keys out every time I want to go on a website.”
- Not everyone has a phone and not everyone with a phone has it with them all the time.
“Only 77% of Americans have smartphones according to Pew Research. Everyone can use a PIN. Supporting multiple systems across any system let alone a banking system is too much of a big ask. It’s unfair to even ask them to consider it.”
- Mobile authentication sounds good in principle but is it really secure?
“One of the rules of security is to have multiple factors in a secure authentication – i.e. two or more of a) something you know b) something you have c) something you are. A PIN is something you know and identifies the user. If your phone is something you have but there is no PIN then you are only getting one factor, which is not good practice. Additionally, security firm Sophos reports that 67% of smartphone users do not have password or PIN protected access to their phones. This alarming figure means that anyone who can access a target’s phone can log on without knowing anything except their account name. Even Google only uses mobile authentication as a secondary credential behind a username and a password.”
Quantum computing will break most popular security keys
Some of the most popular forms of data encryption and password managers use keys that will become increasingly vulnerable to attack.
The main reason any of the current generation of password-generation and data encryption technologies work for now is that their codes take a long time to break with contemporary computers – not because they’re invulnerable.
“The encryption schemes today are based on factoring and on prime numbers, so if you had a computer that could factor instantly, if it did that today it could break all encryption schemes,” said David Awschalom, an experimental physicist at the University of Chicago’s Institute of Molecular Engineering, in an interview with Forbes.
“Quantum machines do a few things extremely well—a few—and one of them is factoring. They can factor exponentially faster than any machine today. And so there’s a lot of concern that, for example, whichever country has a quantum machine, they can break classic encryptions.”