Everyone I know hates passwords, and longtime readers of this blog will know that I do, too! Passwords began as an unfortunate convenience and have never really died. In the first post of my series on cyber security, I will show you how passwords fail, and give you better ways to practice authentication.
In early computer networks – including ARPANET, the precursor to the Internet – encryption was rarely used. Processors back then were just too slow. That meant that virtually anyone, including bad actors, could easily observe the passwords used to sign in to restricted sites.
Fortunately, today, we have some excellent alternatives to protect sensitive data. In this post, we'll look at a few reasons why passwords are bad, a few ways to make them a bit less bad, and some alternatives.
Why passwords are bad
One big issue with passwords is that they are difficult to remember. Remembering one or two might be okay, but with multiple servers at work, dozens of websites, banks, email, and browsers, everyone (except those with eidetic memories) finds remembering them taxing. That leads to using simple passwords, using the same credential in multiple places, or writing the passwords down. Or maybe a combination of those!
Simple passwords can be easy to guess by humans or computers. There are several internet sites with extensive lists of so-called “bad” passwords: most of them are very simple.
One such site is haveibeenpwned.com, where you can test whether your favorite password has been found in a data breach. NIST (the National Institute of Standards and Technology) recommends checking password changes against such a list.
Tom’s Guide published a list of the most common bad passwords from various sources (spoiler alert: "123456" is at the top of the list) and hints about how to make better passwords.
Bleepingcomputer has an article on how a simple password took down a single organization!
How can you make better passwords?
There are many ways to improve passwords that are used as the sole authentication method or even in combination with another method (which we'll look at in a moment). The NIST document I linked above has some excellent guidance, but it's not easy to follow, so let's look at some reasonably easy techniques.
First, use a robust character set: a combination of upper- and lower-case letters, digits, and special characters (such as “&”). Second, use a long password. The NIST guidelines recommend that passwords up to 64 characters be allowed, but not all sites do. A long password would be difficult to remember unless it were a passphrase: a group of words instead of a single word.
Passphrases make strong passwords and can be a favorite song lyric or a short phrase that means something to you. As a practical matter, 14 or more characters is a suitable bare minimum. Unfortunately, only some users observe a minimum length anywhere near that.
Some credential forms, sadly, implement a character maximum, which prevents the use of a passphrase. This is out of the user's control, and the restriction can force someone into reusing a common password instead of more secure passphrases.
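The two pieces of advice above, a sensible length policy and the NIST-recommended check against a breach list, fit together in one password-acceptance routine. The following is an added example (not code from this post or from haveibeenpwned.com): it applies the 14-character minimum and 64-character allowance discussed here, and it models the breach check the way a k-anonymity range service works, where the client sends only the first five hex characters of the password's SHA-1 hash and matches the rest locally. The breach list and its counts are constructed for the demo, and the function names are my own.

```python
import hashlib

MIN_LENGTH = 14   # the bare minimum suggested above
MAX_LENGTH = 64   # the length NIST says a site should allow

# Constructed stand-in for a breach corpus (plaintext -> times seen).
# The counts are made up for this demo, not real breach statistics.
_CONSTRUCTED_BREACHES = {"123456": 37_000_000, "password": 9_500_000}

def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()

# Index the corpus the way a k-anonymity range service does: the first five hex
# chars of the SHA-1 hash pick a range holding (remaining 35 chars, count) pairs.
_RANGES = {}
for _pw, _count in _CONSTRUCTED_BREACHES.items():
    _digest = sha1_hex(_pw)
    _RANGES.setdefault(_digest[:5], []).append((_digest[5:], _count))

def range_lookup(prefix: str) -> list:
    """Server side: receives only a 5-character prefix, returns that range."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return _RANGES.get(prefix.upper(), [])

def breach_count(password: str) -> int:
    """Client side: hash locally, match the suffix locally; the password never leaves."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for candidate, count in range_lookup(prefix):
        if candidate == suffix:
            return count
    return 0

def check_password(password: str) -> list:
    """Return every reason the password is rejected; empty means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
    if sum(classes) < 3:
        problems.append("uses fewer than three of: lower, upper, digit, special")
    hits = breach_count(password)
    if hits:
        problems.append(f"seen in breach data {hits} times")
    return problems
```

Note that a passphrase with spaces and a punctuation mark passes the character-class test, so the policy does not punish the very thing the post recommends.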
Since long and complicated passwords can be challenging to remember, a password manager is an excellent tool to incorporate. These tools store passwords in an encrypted database, or password vault, freeing the user from memorizing all of them. The database is accessed with a password (or something else) that should, of course, be long and complicated.
There are open source and free versions of password managers, with different user experience features, like offering a browser extension to more easily create and store new passwords. Memorizing one password sure beats memorizing fifty!
Password authentication isn't the only means of credentialing a user. Authentication, proving your identity to a computer or other device, involves one of three techniques: something you know (e.g., a password), something you have (such as a card with a chip), or something you are (maybe a fingerprint).
Proximity tokens are popular in many settings. This is similar to the “Tap to Pay” used by some credit cards. Some tokens are inserted into a USB port on a desktop or laptop. Others display numbers or characters that are added before or after a memorized password.
Many laptops and phones include various forms of biometric authentication. For example, some read fingerprints, scan for facial recognition, or use other techniques.
The best solutions combine two or three techniques.
When two methods are used simultaneously, it is called "two-factor authentication" (or, more generally, "multi-factor authentication"). This is the case with the token displaying something to type in addition to a remembered password.
Sometimes two techniques are used in sequence to create "two-step authentication." This is becoming increasingly common on websites: after the user enters a password, the user is sent a code to an email address or a phone as a text message.
Replacing passwords with mathematics
Another alternative is to replace a password with mathematics. In its simplest form, the user provides a username (maybe as an email address) to a server. The server then sends a message to the user's computer (or a phone app), which the device encrypts and sends as a reply back to the server. The server then tries to decrypt the reply using a key unique to the user.
If it succeeds, the user is authenticated. But, of course, this relies on the user having previously authenticated to the phone or computer. That means that mobile devices and computers need good, strong authentication too!
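The exchange just described, written out with both sides' messages, as an added example that is not part of the original post. Where the post says the device "encrypts" the server's message, this demo substitutes an HMAC over the challenge (a keyed hash from Python's standard library) so the server can recompute and compare the reply rather than decrypt it; the per-user key, the usernames, and the class and function names are assumptions made for the demo, not any real product's API.

```python
import hashlib
import hmac
import secrets

class AuthServer:
    """Hypothetical server: one key per user, one outstanding challenge per user."""
    def __init__(self):
        self._keys = {}       # username -> secret key shared with that user's device
        self._pending = {}    # username -> challenge issued but not yet answered

    def enroll(self, username: str, key: bytes) -> None:
        self._keys[username] = key

    def start_login(self, username: str) -> bytes:
        """Step 1: the user sends only a username; the server returns a fresh
        random challenge. A new login invalidates any older unanswered one."""
        if username not in self._keys:
            raise KeyError("unknown user")
        challenge = secrets.token_bytes(32)
        self._pending[username] = challenge
        return challenge

    def finish_login(self, username: str, response: bytes) -> bool:
        """Step 3: recompute the reply with the user's key and compare in constant
        time. The challenge is consumed either way, so a captured reply cannot be replayed."""
        challenge = self._pending.pop(username, None)
        if challenge is None:
            return False
        expected = hmac.new(self._keys[username], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def device_answer(device_key: bytes, challenge: bytes) -> bytes:
    """Step 2: the device transforms the challenge with its key. That key is only
    usable once the user has unlocked the device, hence the post's caveat above."""
    return hmac.new(device_key, challenge, hashlib.sha256).digest()

def demo():
    """Genuine login, a replay of the same reply, and a reply computed with the wrong key."""
    server = AuthServer()
    key = secrets.token_bytes(32)          # constructed per-user key for the demo
    server.enroll("alice", key)
    challenge = server.start_login("alice")
    reply = device_answer(key, challenge)
    genuine = server.finish_login("alice", reply)
    replayed = server.finish_login("alice", reply)     # challenge already consumed
    challenge2 = server.start_login("alice")
    wrong_key = server.finish_login("alice", device_answer(b"not-the-key" * 3, challenge2))
    return genuine, replayed, wrong_key
```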
There are multiple other mechanisms for replacing memorized passwords, from tokens that send out unique passwords each time to systems that rely on logging in somewhere else (e.g., websites that let the user log in using a Google account).
The point here is that passwords are difficult to use and potentially easy to compromise. If they are the only alternative, use a good one. If there is a better option, use that. But please, please, don't use "password" as your password: it can compromise your whole organization or your bank account.
As this series continues next Wednesday, we will look at major threats to your security environment and break down social engineering so you can best protect your assets. See you next week!