Solving the password problem
SECURITY SHELF

The underlying theory is that the best passwords are random to resist brute force and dictionary attacks, not re-used across accounts in case one system is compromised, and changed regularly to reduce their lifetime in the event that they are compromised. However, this fails to take into account that humans simply can’t remember that many complex passwords.

Microsoft researchers Dinei Florencio and Cormac Herley and Carleton University Professor Paul van Oorschot concluded in their August 2014 paper, “Password Portfolios and the Finite-Effort User: Sustainably Managing Large Numbers of Accounts,” that “any strategy that rules out weak passwords or re-use will be sub-optimal.” Their paper suggests an “optimal solution for how to group accounts for re-use.”

Researchers are correct to take human limitations into account. Using a separate strong password for every account doesn’t work, as anyone who has tried it knows. That strategy is only possible if users write passwords down, use password management software, or do a lot of password resets.

In some situations writing down passwords might be the lowest risk approach, as long as it is not a post-it-note stuck to a monitor. While paper can be stolen or surreptitiously copied, it is generally immune to malware attacks. Password management software is also very popular. On one hand, there is no paper to be lost, stolen, or copied by an evil insider. Some password management applications synchronize passwords across multiple devices and will enter them for the user. However, these applications create a single point of failure. If the user forgets the master password, or the user’s endpoint is compromised by malware, it’s game over.

Considering the multitude of problems, perhaps the best solution is to abandon passwords altogether?

Many security practitioners promote replacing passwords with token-based authentication devices. Software-based solutions such as Google Authenticator are available for free, and leading service providers such as Amazon, Digital Ocean, and Microsoft have adopted it. However, it requires a separate set-up procedure for each site, and the user interface quickly becomes unwieldy.

Biometrics are often suggested as a good option because they make credentials difficult to counterfeit. While they will become the authentication of choice for physical security applications, biometrics simply are not suited for authenticating to systems across the Internet.

Digital certificates have the potential to significantly strengthen authentication systems. While users must procure and install a certificate on their devices, the advantage of certificates is that they are already designed for authentication to multiple web sites. Site owners need only trust the Certification Authority that issued the certificate.

None of these solutions even remotely approach the implementation ease, low cost, and universality of passwords. While implementing a good password system is much more difficult than it appears — as proven by the plethora of mass password disclosures — it requires no specialized hardware and works for virtually any type of application.

Solving the password problem requires taking a different approach to authentication. Passwords, authentication devices, and biometrics all have weaknesses. For example, if every web site adopted Google Authenticator, criminals would shift their focus to attacking it. Two obvious attack vectors would be stealing keys from mobile devices and man-in-the-middle attacks. Simply replacing passwords with a “better” method won’t work.

Instead of focusing on specific authentication methods, a more flexible risk-based authentication framework is required. Individual applications should offload authentication to a centralized service designed specifically for that purpose. Authentication services, in turn, must employ a variety of authentication techniques that take into account the level of risk involved, capability of the endpoint, and authentication preferences of the user.

For applications with low-risk profiles, a user authenticating with a previously known digital certificate may be acceptable. High-risk applications such as online banking should require multi-factor authentication combined with anti-fraud techniques; centralized authentication services are in a strong position to use factors such as user history, IP addresses, and geolocation to spot intruders.
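To make the framework concrete, here is an added example (not code from the article or any product it names) of how a centralized service could turn the signals just described into a step-up decision. The signals, weights, thresholds and the sample user history are assumptions chosen for illustration.

```python
from dataclasses import dataclass


@dataclass
class LoginContext:
    user: str
    app_risk: str            # "low" or "high": the calling application's risk profile
    cert_known: bool         # client presented a certificate previously bound to this user
    ip: str
    country: str
    mfa_passed: bool = False  # a second factor was already completed in this session


# Constructed per-user history; a real service would keep this itself.
HISTORY = {"alice": {"ips": {"203.0.113.5"}, "countries": {"CA"}}}


def risk_score(ctx, history=HISTORY):
    """Score a login from historical signals; higher means riskier."""
    seen = history.get(ctx.user, {"ips": set(), "countries": set()})
    score, reasons = 0, []
    if ctx.ip not in seen["ips"]:
        score += 1
        reasons.append("unseen ip")
    if ctx.country not in seen["countries"]:
        score += 2
        reasons.append("unseen country")
    if not ctx.cert_known:
        score += 1
        reasons.append("no known certificate")
    return score, reasons


def decide(ctx, history=HISTORY):
    """Return ("allow" | "require_mfa" | "deny", reasons) for the login."""
    score, reasons = risk_score(ctx, history)
    if score >= 3:
        # Several anomalies at once: block and leave the reasons for the fraud team.
        return "deny", reasons
    if ctx.app_risk == "high":
        # High-risk applications always need a second factor, whatever the score.
        return ("allow" if ctx.mfa_passed else "require_mfa"), reasons
    if score == 0:
        # Low-risk application, known certificate, familiar IP and country.
        return "allow", reasons
    # Low-risk application with a mild anomaly: step up once, then allow.
    return ("allow" if ctx.mfa_passed else "require_mfa"), reasons
```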

A strong, flexible, multi-application authentication framework must be created with a business model that is attractive to consumers, service providers, and application developers.