Blog Post on Passwords Triggers DebateReactions to 'Why Are We So Stupid About Passwords?'
A recent blog post by Managing Editor Mathew J. Schwartz, "Why Are We So Stupid About Passwords?" raised a number of issues about the ongoing risks involved in using passwords for authentication. Following the post, comments came flooding in. Below is a summary of the lively discussion.
See Also: Secure Access in a Hybrid IT World
Krista Haas - Authentify
"Passwords are liable to be with us for some time to come. Instead of re-thinking passwords and how they are protected "at rest", how about re-thinking the entire end user authentication process. FIDO is interesting, but still a login authentication? What if the authentication process were sprinkled throughout an end user session instead of entirely at the front door? Implementing multi-factor authentication at other points besides the initial login would add the necessary friction to prevent account takeover, but also preserve convenience and user experience. No user wants to have to clear five authentication hurdles simply to log in. Adding authentication throughout a user session can strengthen security. For instance, a second authentication when a change is made to an account password or e-mail account, preferably an out-of-band second factor like a phone confirmation, would prevent an attacker from gaining complete control. Adding authentication at control points throughout a user session will improve security well beyond what stronger passwords and 2FA at login will do."
"What if you store all your passwords in one place and then the password protecting the vault is released by an insider?"
- Mangelinovich (in reply to Krista Haas)
"Preferably an out-of-band second factor like a phone confirmation would prevent an attacker from gaining complete control. Not really, because a Trojan exploit can put you on a fake site while keeping the real site open so anything a human enters, including a PIN code from a phone call, is easily stolen and immediately re-entered on the real site to gain access. Anything an end user must enter to gain access is useless because any of today's Trojans can and will steal them."
- William Hugh Murray, CISSP (in reply to Mangelinovich)
"Anything built by man, can be defeated by man. Note this is an argument that is used almost exclusively against security mechanisms that one is not already using. If it was the final statement on security, we could all close up shop and go home. Yes, there are effective attacks against out-of-band one-time passwords. That is not a sufficient reason not to use them. They reduce the attack surface and they increase the cost of attack. However, most important is that one successful attack does not reduce the cost of subsequent attacks as with the compromise of a reusable password. As with most security mechanisms, they are efficient without being one hundred percent effective. Out-of-band one-time-passwords should be used in combination with evidence about the origin of the transaction that does not rely upon user input, out-of-band verification of transactions, and other 'back-office' controls. There are no 'silver bullets.'"
- Mangelinovich (in reply to William Hugh Murray)
"For Out-of-Band, make the phone call to verify your transaction. Anything you must enter is useless against today's online exploits be it Keylogging or Phishing they are just too easily stolen. I agree there are no Silver Bullets but whatever you must enter allows the gun to be taken from you before you can even load it with buck-shot."
- Randy Jones (in reply to Mangelinovich)
"Your throwing around the word useless a lot in these post which is really absurd. FIDO's research shows that 76% of the attacks come from weak or stolen passwords. It is all about reducing the attack surface and removing 76% of the attack surface is not useless in my opinion. One company, PhoneFactor does not give you a PIN to enter via the keyboard so no logger will be able to capture the response. The response is given on the phones keypad. I helped an acquaintance of mine stop a stalker completely by showing him how to implement the 2 step auth in Facebook. At least do something other than just a password that can be brute force attacked even if it is just a long password. Password under 16 characters are open to brute force attacks so even if you don't have access to a second step in your authorization have a long passphrase and use a password safe like KeePass that you can securely store encrypted passwords."
- Mangelinovich (in reply to Randy Jones)
"Verizon did the study that found 76% of Network intrusions were stolen Passwords. How is a Password 16+ digits long going to stop a Trojan Keylogger from stealing it? You can certainly enter a Single-Factor Authentication or something you KNOW but you best also have a Second-Factor Authentication that is based on something you HAVE and not entered by you."
Jamie H "'It is a good practice to use a password manager, and that is essentially keeping everything in a folder called 'passwords' with one major difference - it is properly encrypted so that even if the adversary had it in their possession, they cannot read it without proper credentials,' says TK Keanini, CTO of network security firm Lancope. Apparently the Sony hack was aided by insiders with access to passwords. What if you store all your passwords in one place and then the password protecting the vault is released by an insider? The answer is to put middleware between the systems requiring protected access and the users that are expected to access them, remove the visibility to the password, reset it frequently and you eliminate a large number of weaknesses."
- Mangelinovich (in reply to Jamie H)
"A Password Manager creates a single point of failure. However, it is better than entering your own password. I would not use a Password Manager to access my bank account!"
- William Hugh Murray, CISSP (in reply to Mangelinovich)
"Well, I might, but I might not use the same machine for banking that I use for e-mail and browsing. Horses for courses."
"One of the most prominent security holes facing computer users today is user maintained passwords or keys. ... The present paradigm requires the user to 'remember' their key for future use and, unfortunately, the average human brain just doesn't remember complex patterns all that well."
William Hugh Murray, CISSP
"Wrong question. No amount of attention to detail will make passwords work. Passwords, i.e., shared secrets, are a fundamentally weak form of authentication that does not scale well. They are vulnerable both to disclosure and replay. Biometrics are only marginally stronger. Both should be used only as a secondary form of evidence in a system of strong authentication, i.e., at least two forms of evidence, at least one of which is resistant to replay. See Google Authentication for a good example."
- Mangelinovich (in reply to William Hugh Murray, CISSP)
"Be careful because Google 2-Step Authentication is a Password and a OTP from your phone, which are both easily stolen, since you must enter both. The Google Authenticator is a Token providing a OTP and it is also easily stolen because a human must still enter it. When Google first provided these solutions they called them Two-Factor Authentication and I asked them to explain what the user has for the second factor, and since then, they have re-named them 2-Step Authentication because you are really entering two single factors or passwords, which are not secure and not based on something you have."
"One of the most prominent security holes facing computer users today is user maintained passwords or keys. The reason I say 'user maintained' is that the present paradigm requires the user to 'remember' their key for future use and, unfortunately, the average human brain just doesn't remember complex patterns all that well.
In order to address this problem there must be a way to allow for the generation and use of complex keys and yet be simple enough for the average person to remember. What a person can more easily remember are things that are associated with themselves, such as:
- Pictures they took or were given;
- Documents they wrote or read;
- Audio recordings they may have made or listened to;
- Movies they may have watched, etc.
Given the above list of 'things' or resources that a person can associate with and thus remember the details, then we can use this fact to build a paradigm that can utilize that memory mnemonic to create cryptographically complex keys.
Imagine if the user was presented an image that they could indicate 'hot spots' on and that the system could use that indication as their key? That technology already exists in gesture based key systems but, unfortunately, those concepts, although very easy to use, are just as weak as today's password based systems for the same reason: too limited a combination of gesture possibilities.
Now imagine though, taking that idea to the next level and not focusing on the simple gestures but taking the raw data of the resource underneath the gesture. The same paradigm of 'hot spot' indications can be used. In doing so the key becomes highly complex in that it is now not just a small sequence of indicators but a far larger set of binary data in the 10s to 100s of kilobytes. Bear in mind that the sequence they used to select the 'hotspots' or segments is also important as the key is developed from the raw resource data in the same selection sequence.
Such a complex key can now be used to highly encrypt data and yet still be easily memorized by the user since they are using memory mnemonics that are relevant to themselves.
Take this one step further and allow the user to utilize multiple images from multiple sources. You have just increased the complexity of the possible keys exponentially.
Take this another step further and allow the user to utilize ANY type of resource as mentioned earlier: images, documents, audio clips, video clips, etc. Literally any digital resource that can be presented to the user in a usable way can be used to generate said complex yet memorable keys.
Such a system of key generation and authentication is:
- Very simple to use;
- Is based on the user;
- Is oriented on resources;
- Is a segment driven architecture.
Such a system is a simple, user based, resource oriented, segmentation architecture."
- Mangelinovich (in reply to Richard B)
"Imagine an Authentication solution that as soon as you enter your Password and it is verified by the Authentication server and then the server instructs the user's client to pull up the last dynamic virtual token it sent the client and automatically generate a new dynamic virtual credential, encrypt it, and then send it to the server for validation. The virtual credential would be monitored at both the client and server ends and this process would all be invisible to the user. So the only thing the user enters is their Password and the user's client sends the Second Factor for strong Two-Factor Authentication. Kind of sounds like a Smartcard solution but without having to carry around a Card and Reader or a USB Token and a lot more secure than the segmentation architecture solution you described above."
- William Hugh Murray, CISSP (in reply to Mangelinovich)
"I like these kinds of challenge-response systems. However, they must be carefully designed and operated and may carry a burden at enrollment time. As with most such mechanisms, they should be used as one form of evidence in a system."
"To answer the question in the title, it's because passwords are stupid. They served a point at one time, just like mailing a letter with ink/paper did. The world has moved past writing letters, and we need to move past passwords."
William Hugh Murray, CISSP
"More than twenty years ago I tried to get a NIST advisory panel on which I served to adopt a resolution that said 'continued exclusive reliance on reusable passwords should be discouraged.' The awkward wording was a futile attempt to get around the resistance. I did not understand the resistance then but I bet I could not get a consensus for it even now. I recall that the strongest resistance came from the NIST staff supported by my one IBM colleague on the panel."
"To answer the question in the title, it's because passwords are stupid. They served a point at one time, just like mailing a letter with ink/paper did. The world has moved past writing letters, and we need to move past passwords. Of course, I'm speaking in very broad generalizations using trivial language to make the point (not to disrespect the conversation)."
Jim Bray-Old School Security
"Back in the 90s we used a system called Defender that required you to login to it and then it would call a specific telephone number to authenticate the session. If you did not answer the phone and enter a PIN you could not log on to the network. How simple is that, The only way the criminals could defeat that is to hack Defender its self."
- Randy Jones (in reply to Jim Bray)
"Modern version = PhoneFactor, this allows a truly second factor not entered via the users keyboard or any other input device that could be intercepted."
- mangelinovich (in reply to Randy Jones)
"Okay, a Trojan will put you on a fake site and will automatically move your IP Address as well as eliminate all of your client's cookies. As you enter your difficult credentials on the fake site they are Keylogged and immediately re-entered by the Trojan onto the real site. Once the Authentication Server validates your credentials it places the Phone Factor telephone call to your phone and you hit the # sign or enter your PIN on your phone. What happens next? It grants access to your online account! Who has your online account?"
"It's not just a matter of passwords, it's how the password is linked to an identity which, like passwords, tend to be reused as identifiers for multiple services and both of which are 'something you know'. Experts and analysts alike recommend the use of two/multi-factor authentication solutions. Two/multi-factor authentication is defined as:
- Something you know (username & password)
- something you have (token, smartcard)
- something you are (bio-metrics)
Unfortunately, the something you know is typically augmented by another something you know such as an OTP. Sure you may receive the OTP on something you have such as a token or mobile phone, but the OTP is itself still only something you know (albeit for a limited time) which is vulnerable to interception.
What if we twisted the standard definition of two/multi-factor authentication to follow the order of:
- Something you know
- something you have
- something you are
This is the order of authentication when you use a debit card. If you don't possess the debit card, the PIN is useless and vice-versa.
Why not follow the same process for logging on to applications/websites and eliminate the username and replace the identity with 'something you have' which can only be used in conjunction with 'something you know'. Then further safeguard the identity associated with the 'something you have' through encryption, fragmentation, and dispersion of the fragments in the cloud.
We think that's the best approach."
- Mangelinovich (in reply to WWPass Corporation)
"Good Method! Note: Smartcards and USB Tokens do exactly what you are discussing. The problems, especially for Financial Institutions, for both types of Hardware are mainly cost plus the inconvenience to massively issue and use. For commercial use, more companies are disallowing access to USB Ports. There is a Patent solution out there connecting these solutions to the microphone jack but users still do not want to carry around additional Hardware. However, there is also a Software solution available that does exactly the same thing that costs almost nothing and is basically invisible to the user's."