The Trouble with Passwords
With our new normal of a virtual workforce and resulting security breaches, we’ve been forced to answer the question, “Do passwords really work?” Which begs the second question, “Are we simply fooling ourselves into believing that complex passwords reset every 90 days can provide a solid foundation for security and privacy?” As our workforce remains remote, and we have yet to see more than an occasional glimmer of light at the end of our long, pandemic tunnel, the use of VPNs and remote access and collaboration tools has become the new normal for many of us. Securing our data and infrastructures remains a critical goal, and authentication is a key component. Passwords, unfortunately, can give us a false sense of security, and this article will talk about why that is. We will explore the history of passwords, why highly complex passwords may not be a very good idea, what the future of system authentication looks like, as well as some quick tips to increase your organization’s level of security.
The Fascinating History of Passwords
Passwords are one of the oldest forms of verifying someone’s identity. Their usage dates to ancient times, when it was important to know whether the one who approached was friend or foe. Militaries coined the term “watchword” to indicate a special word or phrase that would identify a stranger. The challenge, “Who goes there?”, was announced, and the secret word or phrase would be the response to gain access to, for example, the castle.
Later, when medieval guilds formed and the first “secret societies” came into existence, passwords, and even secret handshakes, became a way for members to gain entrance to meetings and ceremonies. These groups also may have been the first to use so-called multi-factor authentication, since membership in many guilds required specific skills and best practices unique to the community. In fact, the term “trademark” comes from this very practice. A guild mark would identify the work, and certain aspects of the resulting product would confirm that identity. One common trademark still seen today is in brickwork. Different bond patterns identify the masonry, and things such as color and texture can further confirm its origin.
Fast forward to the early internet. Originally designed by the U.S. military as a means to share digital information quickly over vast geographic distances, it had a distinct need for security. This security came in the form of both cryptography (the art of writing or solving codes) and authentication (the action of verifying the identity of a user or process). Thus, the idea of a network password was born, which a user would use in conjunction with a unique identifier (their username) to gain access to certain information. Really, the digital version of, “Who goes there?”
Password Use and Hacking Today
So rapid was the expansion of the internet once it was handed over to the control of private citizens that the use of passwords became the standard veneer of perceived security across our digital landscape. Few, if any of us, even question the need for having a unique username/password pair for every resource we access day in and day out.
The notion of complex and/or long passwords has been advanced over the years because we as humans tend to choose words that are easy to remember. Simple passwords, especially those with some semblance of meaning to the user (our children’s names, pet names, birthdays, and street addresses) are much easier for attackers to guess, and unfortunately, render our passwords ineffective in protecting our data. However, forcing users to create passwords with multiple character types (lower case, upper case, numbers, and symbols) has led to an even more vulnerable practice: writing passwords down.
As a result, many administrators began forcing their users to change their passwords frequently, and even went so far as to limit how often a password could be reused by a user. Such efforts proved effective for a time, but attackers found more sophisticated ways to get around these advancements. Advanced tools continue to evolve, such as password dictionaries (files that contain lists of thousands or even millions of potential passwords) and brute force applications (which use scripts to quickly try out numerous password combinations to bypass the authentication processes), making even seemingly complex passwords relatively simple to unravel.
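The gap between a complexity rule and real guessability can be checked at the moment a password is set. The Go sketch below is an added example, not from the original article: the three-word blocklist, the substitution table and the sample passwords are constructed, and a production check would load a large list of common and breached passwords.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// Constructed sample blocklist; a real one holds common and breached passwords.
var blocklist = map[string]bool{"password": true, "welcome": true, "summer": true}

// Undo the character substitutions people commonly use to satisfy complexity rules.
var substitutions = strings.NewReplacer("@", "a", "4", "a", "0", "o", "3", "e",
	"1", "i", "!", "i", "$", "s", "5", "s", "7", "t")

// meetsComplexity is the classic rule: 8+ characters with lower case,
// upper case, a digit and a symbol.
func meetsComplexity(pw string) bool {
	var lower, upper, digit, symbol bool
	for _, r := range pw {
		switch {
		case unicode.IsLower(r):
			lower = true
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsDigit(r):
			digit = true
		default:
			symbol = true
		}
	}
	return len(pw) >= 8 && lower && upper && digit && symbol
}

// baseWord drops trailing digits and symbols, lower-cases the rest and
// reverses the substitutions, exposing the word the password was built on.
func baseWord(pw string) string {
	stem := strings.TrimRightFunc(pw, func(r rune) bool { return !unicode.IsLetter(r) })
	return substitutions.Replace(strings.ToLower(stem))
}

// dictionaryDerived reports whether the password reduces to a blocklisted word.
func dictionaryDerived(pw string) bool { return blocklist[baseWord(pw)] }

func main() {
	for _, pw := range []string{"P@ssw0rd1!", "Summer2024!", "correct horse battery staple"} {
		fmt.Printf("%q complexity=%v dictionaryDerived=%v\n", pw, meetsComplexity(pw), dictionaryDerived(pw))
	}
}
```

The first two samples pass the complexity rule yet reduce to a blocklisted word, while the long passphrase fails the rule without being dictionary-derived.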
The Next Generation of Security: Public / Private Keypairs
This evolution in security (and attacks) has led to a couple of important advancements in the world of password authentication. The first solution is the idea of using public/private keypairs as a form of authentication. A keypair is a cryptographic method for authentication which has been in use for a long time to validate the identity of website ownership on the internet. In a nutshell, when two entities wish to pass sensitive or secret information to one another across networks, they can use cryptographic keys to do so. The problem that needed to be solved for this approach to be truly secure was to ensure that no third party could actually read the data being passed back and forth.
In order to accomplish this result, the idea of a public and private set of keys would be used to establish the communication channel, and then the channel would be encrypted. The party providing the information generates this keypair and maintains the secret, or private key. This key is the decryption key. The other, public key is provided to whatever party needs to communicate securely. This is the encryption key. When a user wants to communicate securely, they simply request that a certificate of authenticity be presented by the data provider. This certificate is “signed” by the private key and presented as proof that the provider is the true entity. The user can then use the public key to inspect this certificate and validate it. Once the provider’s identity is confirmed, temporary session keys are created to begin encrypted, secure communication. It is an effective, if inelegant, solution.
A further issue exists, however, and that is whether the requesting party should even trust that the provider is legitimate. This issue gave way to the rise of organizations that could issue and sign identifying certificates, known as “certificate authorities”. This need created an entire industry on the internet mostly so that we could rest easy that providing our credit card information to an online retailer would not result in the immediate exposure of our information to prying third party eyes. With some notable exceptions (for example, Thawte was famously breached in 2008 and issued a rogue certificate for Microsoft’s live.com domain), this solution has been successful.
Applying Public / Private Keypairs to Passwords
But what does this have to do with passwords? Well, a lot of the same logic can be applied to identifying users, only in reverse. That is, a user could present a signed certificate to a network resource to prove identity, along with a PIN, and establish secure communications. The U.S. military has been using this method for some time in the form of common access cards (CAC). Each CAC contains a certain number of signed certificates that allow a user to access various resources, based on their assigned roles and responsibilities. The beauty of this solution is that rights can be added with additional certificates, and rights can be quickly revoked by the signing authority without the need of even having physical access to the CAC.
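The core of key-based user authentication, reduced to a signed challenge, as an added example that is not from the original article. It assumes Ed25519 keys and an in-memory server, and leaves out the certificate chain and PIN that a CAC adds; the type and method names and the user "alice" are illustrative.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Server stores only public keys, so its database holds nothing a thief could log in with.
type Server struct {
	enrolled map[string]ed25519.PublicKey
	pending  map[string][]byte // one outstanding challenge per user
}

func NewServer() *Server {
	return &Server{enrolled: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

func (s *Server) Enroll(user string, pub ed25519.PublicKey) { s.enrolled[user] = pub }

// Revoke removes access centrally; the user's card or key file is not needed.
func (s *Server) Revoke(user string) { delete(s.enrolled, user) }

// Challenge returns fresh random bytes that the user must sign.
func (s *Server) Challenge(user string) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[user] = nonce
	return nonce, nil
}

// Verify checks the signature and consumes the challenge, so a captured signature cannot be replayed.
func (s *Server) Verify(user string, sig []byte) bool {
	nonce, issued := s.pending[user]
	delete(s.pending, user)
	pub, known := s.enrolled[user]
	return issued && known && ed25519.Verify(pub, nonce, sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // private key stays with the user
	srv := NewServer()
	srv.Enroll("alice", pub) // "alice" is a constructed sample user
	nonce, _ := srv.Challenge("alice")
	sig := ed25519.Sign(priv, nonce)
	fmt.Println("login:", srv.Verify("alice", sig), "replay:", srv.Verify("alice", sig))
}
```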
Defense through Multi-Factor Authentication
The second method of authentication is what is known as multi-factor authentication. This is a term that has become more and more common among many organizations, and chances are nearly everyone has encountered some form of this method either at work or online. The idea behind it is what is known as “defense in depth”—the notion that no single form of authentication is sufficient to provide good security. Thus, users are expected to have a second, or even third, form of identification that must be presented in order to gain access. This method is divided into a few categories: something you know, something you have, something/somewhere you are, and something you do. In order to be considered “multi-factor”, two distinct categories must be attained. The most commonly used multi-factor method online is to use a password (something you know) along with a generated code which is often texted to the user (something you have). In our work environments, hardware or software tokens might be distributed to generate the code.
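One common way such tokens generate codes is the time-based one-time password of RFC 6238, where token and server derive the same code from a shared secret and the clock. This Go version is an added example, not from the original article; the one-step drift window and the replay check in verify are assumptions about server policy, and the secret in main is the RFC's published test value.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

const step = 30 // seconds per code, the RFC 6238 default

// hotp is RFC 4226: HMAC-SHA1 over a big-endian counter, truncated to 6-8 decimal digits.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f // low nibble of the last byte picks the window
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// totp is RFC 6238: HOTP with the counter derived from the clock.
func totp(secret []byte, unixTime int64, digits int) string {
	return hotp(secret, uint64(unixTime/step), digits)
}

// verify accepts a 6-digit code for the current step or one step either side (clock
// drift) and refuses steps at or below lastUsed, so a code seen once cannot be replayed.
func verify(secret []byte, code string, now, lastUsed int64) (int64, bool) {
	for s := now/step - 1; s <= now/step+1; s++ {
		if s < 0 || s <= lastUsed {
			continue
		}
		if subtle.ConstantTimeCompare([]byte(hotp(secret, uint64(s), 6)), []byte(code)) == 1 {
			return s, true
		}
	}
	return 0, false
}

// main prints the 8-digit code for the RFC 6238 test secret at time 59.
func main() { fmt.Println(totp([]byte("12345678901234567890"), 59, 8)) }
```

The server stores the step returned by verify as lastUsed for the next login.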
These methods can extend to lots of different areas of security and identification. Commonly, in data centers and other secure sites, biometric scanners exist (something you are). For years, I was required to not only memorize multiple PINs but also provide either retinal or vascular identification, the analysis of the patterns of blood vessels visible from the surface of the skin, when entering certain secure areas of the data center where I worked. This requirement was in addition to providing actual identification (my driver license) and my handprint just to enter the building in the first place.
Multi-factor authentication is something that nearly every online resource now supports, and if you haven’t already done so, you should establish multi-factor authentication within your organization wherever possible. You might even go so far as to reconsider those vendors and applications that do not support it in favor of platforms that do.
Another layer of security that can be used to supplement passwords is the use of a so-called password safe, also known as a password management platform, which assists in generating and retrieving complex passwords and potentially storing these passwords in an encrypted database or calculating them on demand. These tools allow users to create and store these complex, unique passwords, retrieving them only when needed. This type of solution eliminates the need to memorize tens, if not hundreds, of unique passwords.
The Future of Passwords, Authentication, and Organizational Security
A lot of speculation on the future of authentication has been advanced, especially this year as we all continue to work remotely, and the need for better security continues to increase. Do passwords actually work? In a word, maybe. On their own, with no strict policies to make it harder to guess or crack them, passwords are more security “theater” than actual defense. Without the use of strong encryption and multi-factor authentication, even strong passwords don’t stand a chance against threat actors with tools and experience that far outpace the knowledge and skill of even many savvy users.
Layering security beyond the basic username/password model can provide a solid foundation to ensure resources remain protected. It is possible, likely even, that the traditional password model will eventually give way to more sophisticated authentication models and cease to exist. Interesting new technologies, like blockchain (essentially, decentralized authentication), could be leveraged in place of older, centralized authorities to further limit large scale exposures of user data. While much of the news about authentication and user security focuses on the negative, it is good to remember that there are a lot of security professionals who spend their time focusing on how to better secure our information and ensure that we can access the resources we need; and it’s worth educating ourselves on new and emerging ideas and technology that help us stay secure.
Now…go update your passwords.