Many observers expect passwords to be replaced by something stronger ‘real soon now’. This seems to be such a consistent expectation that many people are now focusing less on password security.
This is a problem because passwords as the sole authentication factor will be with us for a long time and even when stronger authentication factors are deployed, they tend to be ‘something plus a password’. In short, we cannot stop worrying about password security.
So, Where Is Authentication Headed?
One-time password tokens, biometrics, mobile phones and smart cards can all be employed to prove a user’s identity. Unfortunately, each of them has drawbacks:
- Password tokens: extra hardware must be purchased and distributed to users. This is extra ‘stuff’ for users to carry around. What happens when a user loses his/her token or leaves it at home?
- Biometrics: extra hardware is required. No matter which biometric is selected, some users will be unable to utilize it – either because of a physical disability or inability to register a biometric sample.
- Mobile phone: increasingly popular, but often serves as a backup authentication factor, rather than a primary one, because it’s still more of a nuisance to users at login time than just entering their regular password.
- Smart cards: same challenges as tokens but with the bonus of more difficult integration and the addition of card readers in every endpoint device. Smart cards also carry a PKI certificate payload, which means that organizations have to implement and manage a public key infrastructure as well. This is typically a very expensive undertaking.
Recent experience shows that these devices can provide a false sense of security. In particular, the security of the most popular type of one-time password token – RSA SecurID – was recently compromised. When this happened, thousands of RSA customers were caught off-guard when their security was reduced to just a short PIN.
Similarly, biometric systems can be vulnerable to replay (playback) attacks – if an attacker can capture a user's biometric data as it's sent from the user's PC to the login server, then the attacker can play it back later to impersonate the user. Moreover, many biometric systems inject a password after identifying the user, so if an attacker can compromise the password database, then he/she won't even have to replay the biometric data; they simply inject the user's hidden password.
Mobile phones are also vulnerable. Hackers have already shown that it's possible to build a fake GSM base station for about a thousand dollars, causing nearby phones to send voice and data through the attacker's PC rather than to a legitimate cell phone tower. If an attacker is physically near a user whom they wish to impersonate, and the login process involves a PIN sent via SMS to the user's mobile phone, then the attacker can easily intercept the PIN.
All these cost, integration and security problems bring us back to passwords. Passwords are well understood, inexpensive, scalable and more or less user friendly (yes, they can be a pain to remember). It's very unlikely that any organization will retire passwords entirely, never mind websites with millions of users.
The realistic alternative is to augment passwords. For example, Facebook identifies a user's endpoint device and if it's not what the user has signed in from before, asks the user to answer some security questions or identify some photos of friends at login time, to strengthen the authentication. This way, a user really authenticates with an ID (e-mail address), a password and a device fingerprint.
This adds some security to the process, at minimal incremental cost, but is also vulnerable to replay attacks. If an attacker can intercept the network traffic a user sends during a successful login session, then they will get both the password and the device fingerprint.
If Passwords Aren't Going Away, Then How to Secure Them?
First, it's important to never disclose the database of password hashes. Brute force attacks leveraging graphics processors can test millions of passwords per second, so a compromise of the password hash database very quickly degenerates into a compromise of all the passwords themselves. If a password database is hacked, users must be notified and asked to change their passwords immediately.
Next, implement intruder lockouts, so that an attacker cannot make an unlimited number of guesses for a single password. A simple rule such as ‘5 failed login attempts triggers a 10-minute lockout’ is all that's needed to stop online brute-force guessing against the login service.
Finally, require users to choose strong passwords. Minimum length, mixed case, multiple character classes (letters, digits, punctuation), not-a-dictionary-word, not-your-name and so on, are all easy to understand and enforce.
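The three controls above, as an added example that is not part of the original article or of any Hitachi ID product: a small login guard that keeps only salted password hashes (PBKDF2 is an assumed choice; the article prescribes no particular hash), enforces the ‘5 failed attempts triggers a 10-minute lockout’ rule, and checks new passwords against the length, mixed-case, character-class, dictionary and user-name rules. The user names, the tiny wordlist and the injected clock values are constructed for the demonstration.

```python
"""Added example (not from the article): intruder lockout plus password policy."""
import hashlib
import hmac
import os
import re
import string
from collections import defaultdict

LOCKOUT_THRESHOLD = 5        # failed attempts before lockout (article's rule)
LOCKOUT_SECONDS = 10 * 60    # 10-minute lockout (article's rule)
PBKDF2_ROUNDS = 200_000      # assumed work factor; the article prescribes none

# Constructed, deliberately tiny wordlist standing in for a real dictionary.
DICTIONARY = {"password", "welcome", "letmein", "summer"}


def check_password_policy(password, user_name, min_length=12):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("not mixed case")
    classes = sum([
        any(c.isalpha() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])
    if classes < 3:
        problems.append("fewer than three character classes")
    lowered = password.lower()
    # 'Password1!' still counts as a dictionary word once digits/punctuation are stripped
    if lowered in DICTIONARY or re.sub(r"[^a-z]", "", lowered) in DICTIONARY:
        problems.append("dictionary word")
    if user_name.lower() in lowered:
        problems.append("contains user name")
    return problems


def make_record(password):
    """Store only a random salt and a slow hash, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_record(record, password):
    """Constant-time comparison of the candidate hash against the stored one."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


class IntruderLockout:
    """Per-user failed-attempt counter; the clock is injected so tests are deterministic."""

    def __init__(self, threshold=LOCKOUT_THRESHOLD, lockout_seconds=LOCKOUT_SECONDS):
        self.threshold = threshold
        self.lockout_seconds = lockout_seconds
        self._failures = defaultdict(int)
        self._locked_until = {}

    def is_locked(self, user, now):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            # lockout expired: clear it and restart the failure count
            del self._locked_until[user]
            self._failures[user] = 0
            return False
        return True

    def record_failure(self, user, now):
        """Count a failed attempt; return True if the user is (now) locked out."""
        if self.is_locked(user, now):
            return True
        self._failures[user] += 1
        if self._failures[user] >= self.threshold:
            self._locked_until[user] = now + self.lockout_seconds
            return True
        return False

    def record_success(self, user):
        self._failures[user] = 0
        self._locked_until.pop(user, None)


def attempt_login(guard, user, password, record, now):
    """Return 'locked', 'ok' or 'failed'. A locked account refuses even the right password."""
    if guard.is_locked(user, now):
        return "locked"
    if verify_record(record, password):
        guard.record_success(user)
        return "ok"
    guard.record_failure(user, now)
    return "failed"
```

The lockout is checked before the password is verified, so once the threshold is reached the correct password is refused too; that is what caps an online guessing campaign at a handful of tries per ten minutes. One caveat worth designing for: a lockout keyed on user name alone lets a third party lock a legitimate user out by sending bad guesses, so production systems usually combine it with per-source-address limits or progressive delays, and log every lockout event for the security operations team.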
Where security requirements are higher (e.g., at work, logins to financial institutions, etc.) it also makes sense to ask users to change their passwords often. This way, the security vulnerability created by a password that was used elsewhere and compromised will be automatically closed after a period of time.
So, to recap: passwords are here, and they are not going away. Manage them securely or face the consequences.
In his role as chief technology officer, Idan Shoham is responsible for defining product and technology strategy and the overall development of Hitachi ID Systems solutions. Prior to founding Hitachi ID Systems in 1992, Shoham provided network security consulting services to large organizations, including Shell, Amoco, BP Canada and Talisman Energy. He holds a master’s degree in electrical and computer engineering.