The debate on the quality and strength of passwords will never go away, and sometimes all it takes is a perspective on how to store and remember them to stir the hornet’s nest.
Take a recent blog by the National Cyber Security Centre (NCSC), which framed the debate on pasting passwords and why websites preventing this were a good thing. It claimed that “password pasting improves security because it helps to reduce password overload”, and that allowing the pasting of passwords “makes web forms work well with password managers”, but that without the option of a password manager it “would be pretty much impossible to remember all your passwords”. This would lead to:
- Re-use of the same passwords on different websites
- Choosing very simple (and so easy to guess) passwords
- Writing passwords down in places that are easy to find (like post-it notes next to the screen)
I’ve only become a password manager user in the past couple of years, and upon using this application my password strength has become much better, and my etiquette on updating them has increased.
Research of 115 people in August 2016 by Hypersocket Software found that 19% admitted to writing their passwords down to remember them and only 6% use a password manager.
It was timely then that the NCSC provided advice on the use of password managers. The NCSC claimed that frequent questions led it to determine that for individuals: “password managers are a good thing” as they give “huge advantages in a world where there's far too many passwords for anyone to remember”, such as:
- They make it easy for you to use long, complex, unique passwords across different sites and services, with no memory burden
- They are better than humans at spotting fake websites, so they can help prevent you falling for phishing attacks
- They can generate new passwords when you need them and automatically paste them into the right places
- They can sync your passwords across all your devices, so you’ll have them with you whether you’re on your laptop, phone or tablet
It said: “If security is difficult, tedious, appears to add no value or gets in the way of the main task we're trying to do, then we tend to find (insecure) ways around it.”
If password managers are such a great solution, then why are they not more widely used? I asked Al Sargent, senior director of product marketing at OneLogin, who said that, assuming that “password managers” include a single sign-on (SSO) portal, employees are increasingly becoming aware of these and will soon come to expect IT departments to provide SSO.
“Having seen the evolution of IT over the past couple of decades, I've seen laptops shift from a status symbol provided to only the highest executives to a standard piece of equipment,” he said. “SSO is undergoing a similar transformation from novelty to standard. Any business that has more than a couple of apps can benefit from the productivity benefits and increased security that comes with SSO, as such we expect it to grow in popularity rapidly.”
The NCSC admitted that there are some drawbacks with password managers, notably:
- Password managers are attractive targets in themselves. They've been successfully attacked in the past, and realistically they will be again. So all your passwords could get stolen in one go
- If you forget the master password for your password manager, you will not be able to get back in. You will have to try and access all your accounts individually, or recreate/reset them from scratch. This will hurt
- You can't use them for everything. Some service providers (such as certain banks) don’t support the use of password managers
Consultant Paul Moore told Infosecurity that he welcomed this promotion of password managers, but he strongly disagreed with some aspects of the password manager blog post. In particular, he would not recommend fingerprint-based biometrics for anything of importance due to implementation issues, while the concept of password managers offering "multi-factor authentication" was entirely inaccurate.
He said: “Password managers do not use any form of authentication; to do so would be very dangerous. Instead, they rely on cryptography to derive a ‘master key’ from your ‘master password’. This key can either be used to directly encrypt each piece of data, or be used to encrypt another key unique to a particular record.
“Some password managers provide a facility to split the cryptographic key into multiple segments (one you know, one you have), but this doesn't constitute multi-factor authentication either.”
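The design Moore describes (master password run through a key-derivation function, the resulting master key either encrypting records directly or wrapping a per-record key, with no authentication step anywhere) as an added example; this is not code from the original article or from any password manager. It assumes PBKDF2 as the KDF and uses HMAC-SHA256 in counter mode with an encrypt-then-MAC tag as a stand-in for a real authenticated cipher such as AES-GCM.

```python
import hashlib
import hmac
import os

def derive_master_key(master_password: str, salt: bytes) -> bytes:
    # Master password -> master key via a slow KDF. No authentication happens here:
    # a wrong password just yields a different key that cannot decrypt anything.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 200_000, dklen=32)

def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from one key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a demo PRF; a real manager would use AES-GCM or similar.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: returns nonce || ciphertext || tag.
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    # Verify the tag first; a wrong key shows up as a failed MAC, not as 'access denied'.
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered record")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def store_record(master_key: bytes, secret: bytes) -> dict:
    # Second design from the quote: a fresh per-record key, wrapped under the master key.
    record_key = os.urandom(32)
    return {"wrapped_key": seal(master_key, record_key), "data": seal(record_key, secret)}

def read_record(master_key: bytes, record: dict) -> bytes:
    record_key = unseal(master_key, record["wrapped_key"])  # unwrap the per-record key
    return unseal(record_key, record["data"])

if __name__ == "__main__":
    key = derive_master_key("correct horse battery staple", os.urandom(16))  # constructed sample
    print(read_record(key, store_record(key, b"example.org: hunter2")))
```

A wrong master password is never "rejected": it simply derives a key under which the MAC check fails, which is why this is encryption rather than authentication.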
Technology exists to offer an alternative to pure passwords, and recent research found a flaw in pattern-based phone authentication; the NCSC comments that “password managers are a good thing - for now” and that “password-based authentication has outstayed its welcome”, another nail in the coffin. The problem is that this coffin is a long way from a security funeral: passwords are the way things work, and many businesses would be loath to switch out an existing authentication system.
Has single-factor authentication outstayed its welcome? Nugent agreed that it has. “Multi-factor authentication is a must in today's world,” he said. “Passwords on their own make for weak authentication. If they're short passwords, they're easily guessed. But even long passwords are stolen and sold on the black market; once that’s happened they're no good, even if they’re re-hashed. But we aren't seeing the ‘death of the password’. Technologies ‘die’ because no one cares about them.”
Per Thorsheim, founder of PasswordsCon, acknowledged the work of the FIDO Alliance in its efforts on unified and federated authentication, but admitted that “passwords will remain for the foreseeable future as I see it”.
He said: “There is no business or usability case supporting the removal of them completely. I also fully believe that password managers are known to lots of people outside infosec and IT in general. However there are many situations where using a password manager will be difficult, or not necessary [when] considering other easier and cheaper options. Pen and paper included.”
He told Infosecurity in an email that he appreciated advice from the NCSC that “passwords are supposed to be 'something you know', but now we’re saying the best way to manage them is not to know them (because your password manager knows them all for you)”.
He added: “I agree with that statement, and it is what I have done for the past 10-15 years myself. From there to getting rid of passwords though...not in my lifetime.”
We still have passwords as they are a simple method of authentication, and I don’t see any change in the landscape until there is better federated access rolled out. Until then, use a password manager and write them down in that secure vault rather than on a post-it note on your monitor.