Passwords are not bad, just dont trust vendors

Passwords are far from ready to die yet.
Passwords are far from ready to die yet.

Passwords are in the news again, with yet another headline crying out for the death of the password and claiming that everyone should move to two factor authentication (2FA) for all their online activities. As with all these claims, it is worth looking at them in greater detail before we give up on of the single most cost effective methods for getting a certain level of assurance around someone’s identity.

The Register reported PayPal’s Chief Information Security Officer (CISO) Michael Barrett speaking as a representative of the Fast Identity Online (FIDO) Alliance, saying:

Our [FIDO’s] intention is to really obliterate, within a certain number of years, both passwords and PINs and see the whole internet — including internally in enterprises — obliterate user IDs and passwords and PINs from the face of the planet.

This is interesting and may appear to be a worthy goal, but we strongly disagree.

Quick primer on passwords and how you should use them

What are passwords?

First off, as a bit of a quick background, Passwords are one type of “Single Factor Authentication” and, often combined with a User ID (name, number, email address, whatever), are used to authenticate a user to a service. Other types of single factor would be fingerprints, retina scans, smart cards and the like. When you combine these factors you get “Multi factor Authentication” and this is often what most people talk about for replacing passwords.

Single factor authentication gives a basic level of assurance that the person is who they say they are and, in situations where this is insufficient you should add additional layers but bear in mind that this increases cost, complexity and poor installations are often worse than no authentication.

Generally, the more importance you place on knowing “who” the person you are interacting with, the more factors you should use, but you must use them properly.

Keep this in mind: If you implement your authentication badly, it doesn’t matter how many factors you use.

Are passwords bad?

The simple answer is “No.” Passwords are not inherently bad and the use of passwords (or more properly an ID & Password) for authentication is perfectly reasonable for 99.999% of the situations where they are deployed. In our consulting work, we encounter more situations where people have used more factors than they need, then situations where they haven’t used enough.

Are some passwords bad?

Possibly. Various security & IT related websites will regularly announce how “password” or “123456” are the most common passwords (such in this article on the Register), often implying this is why passwords are inherently broken and how users cant be trusted to select stronger passwords.

It is certainly true that using “common” or easily guessed passwords is a bad idea, and it can significantly increase the ease with which a malicious party (hacker, spy, jealous co-worker, whatever) can compromise your password, but this is normally going to be a weakness about how the authentication is implemented, rather than the actual password itself.

A “bad” password is really one which can be broken by an attacker and while this is a simple statement, the practicality is a bit more involved. If you have a login screen which allows three attempts before lock out, it is unlikely that the malicious user is going to get to “Monkey” (number 6 on the list) before the account has locked – and if “monkey” is different from “Monkey” in the system then you can be reasonably sure it wont fail when attacked.

Another issue with bad passwords is that we often look at them the wrong way round. When you see a password written down as “zaq12wsx”, it can be easy to realise this is obvious from the left hand side of a UK keyboard but unless the attacker has this knowledge they need to cycle through billions of possible other combinations.

What makes a good password?

With passwords two things are important – length and complexity. More of either is good and more of both is better. A long password will be difficult enough to compromise that most attackers will give up – as an example, a 15 character password made from single case letters will take about 53,000 years to crack (source). If you make it complex (mix of upper and lower case, numbers and other keyboard characters) you can make it even harder.

Unfortunately, sometimes systems are badly designed and enforce shorter password sequences – this is where complexity becomes much more important and the use of random generators becomes worthwhile. Despite what you may think, humans are terrible at thinking up random passwords and even worse when it comes to recognising them.

Interestingly, once you move out of the most glaringly obvious passwords (e.g. “1234”) it doesn’t really matter if you use a random generator or not, as the attacker is still going to have to brute force the keyspace to work out what your password is. This means that to an attacker “easypwd1” is just as hard (or easy) to compromise as “t8yuas1e” -even though the first one looks like it should be trivial to crack.

Keep this in mind when you visit sites that offer to rate your password strength or when security professionals try to lecture you on how passwords are broken.

The important thing for a password is keyspace which is, as we said, driven by length and complexity, randomness is a distant second (third) in this unless your attacker has access to what ever process you use to invent your password.

Can you give us an example of good passwords?

Possibly, but remember that once they are printed on the internet, they are likely to end up in a dictionary list somewhere so, rather than search for a password you want to use, take the advice here and use it to construct your own.

Password Strength -
Password Strength –

Good passwords are long and complex, but length is the most important so the oft-posted advice from works here.

Dont fixate on trying to come up with impossible to remember strings of what you think are random letters and numbers – cracking tools will easily bypass most things you can invent.

Instead, use sentences with spaces and relevant capital letters. If you must (company password policy rules etc.  use symbols then you can add them or replace letters with them but remember to keep it long. As passwords go “This is my massively long password with little complexity” is harder to crack than “ExdYx4G53PmXSH” and you are only likely to remember one of them. Obviously if it is a service you have to authenticate to frequently, you might not want such a long password or you may need to improve your typing speed.

 Should you write passwords down?

This may come as a shock but there is no automatic reason why you shouldn’t write your password down, but in a work environment you may have rules about what you can and can’t do.

It all boils down to what your threat assessment says – unfortunately when it comes to passwords, too many people fall into the trap of blindly following default rules no matter what the situation is.

For people who are responsible for developing password policy, ask yourself if your threat actors really do have the ability to read passwords written down on post-it notes next to your employees monitors. If your main threat is internet based script kiddies, then they are not going to find someone to come and work as a janitor in your offices so they can desk surf for passwords to your corporate facebook account. Seriously.

Every security decision you make must be based on a realistic threat and risk assessment otherwise it is pointless.

So, what is the problem with Passwords?

Passwords are far from perfect. If nothing else they are but a single factor of authentication   and that implies there is only a certain amount of trust you can ever give them. Passwords also have a long history so people tend to take them for granted and feel that because so much else has changed, it must mean passwords are “old fashioned” now.

This is combined with lots of high profile cracks of various databases and regular news items about how a whole directory of passwords has been dumped on pastebin or similar sites.

Is it all bad?

No, far from it. Few, if any, corporate security breaches are the result of hackers directly compromising a user password (more on that in a bit). Unless you are a famous celebrity on twitter, the chances are no one is going to bother even trying to guess your password, let alone actually manage it.

So how do the hacks happen?

The overwhelming majority of hacks are the result of other techniques (such as SQL injection) which then allow the attackers to get a dump of the password file for offline attack. This is frequently what makes the news and is nothing at all to do with passwords being unfit for purpose.

There are still some instances where attackers can subvert a password implementation but, again, nearly every instance is actually the result of something being fundamentally wrong in how the passwords are used.

How do you implement passwords badly?

For the user, passwords should be easy. For the system owner / manager, passwords should also be easily implemented (they come built into pretty much every operating system in the world) but this is frequently where things go wrong.

If you have a system which requires user authentication, you need to make sure you implement it properly.

This means things like not allowing unlimited attempts, not sending passwords in plain text over the internet, not storing passwords in clear text and not allowing trivial bypasses of your authentication steps. All of these are easily avoidable, yet account for almost all the reasons why passwords (and user identities) fall into the hands of hackers.

None of this shows passwords themselves are a bad choice of single factor authentication, poor implementation will undermine any technology choice. If anything, poor implementation of other authentication methods (or multi-factor authentication) is going to be worse because it undermines a greater assumed trust.

So, why are passwords in the news all the time?

Normally, this happens when a product vendor decides to announce their new, all singing, all dancing smartcard, finger print reader or retinal scan device.

The recent Register article is a good example, FIDO is looking to produce an authentication device that they would like you to spend money purchasing and implementing so it is in their best interests to remind people about the “weaknesses” of passwords.

Unfortunately no device overcomes the fundamental problems with poor implementations, they just become expensive ways to create a device management nightmare.

Smartcard and fingerprint readers appear to be good, but at some stage your data has to be encrypted and sent to the server for authentication – if this is done badly, it opens a clear attack channel and gives the hacker a massively enhanced level of authentication on your network.

Devices (smartcards, scanners etc.  have to be managed so you can trust what is coming in from the other end. If a hacker has your device they can spend months working out how it encodes authentication data and then use this to attack you. Token devices that get lost have to be withdrawn and replaced. You even have to consider how the user authenticates to their device in the first place.

All of this creates a huge headache and is off putting for most (non-governmental) organisations, so it is understandable that there is a commercial need to play down the utility of passwords as a single authentication factor and if they can make customers scared of anyone who doesn’t use multi-factor authentication, all the better.

But, do you really want a product vendor to do your risk assessment for you? Should you listen to the vendor when they tell you what is, or isn’t, good for your network? I would suggest not, but you might have more money than you know what to do with.

The bottom line is security must always be driven by a threat based risk assessment and you should never, ever, trust a product vendor to do this on your behalf.

Taz Wake - Halkyn Security

Certified Information Systems Security Professional with over 19 years experience providing in-depth security risk management advice to government and private sector organisations. Experienced in assessing risks, and producing mitigation plans, worldwide in both peaceful areas and war zones. Additionally, direct experience carrying out investigations into security lapses, producing evidential standard reports and conducting detailed interviews to ascertain the details of the incident. Has a detailed understanding of the Security Policy Framework (SPF) and JSP440, as well as in depth expertise in producing cost-effective solutions in accordance with legislative and regulatory guidelines. Experienced in accrediting establishments and networks as well as project managing the development of secure, compliant, workable business processes.

This Post Has 2 Comments

  1. Sarah Clarke

    Sage advice. I recently posted LinkedIn discussion “Managing Risk and Enabling the Business Through Security” (Anthony Freed, 17th May) about the need to maintain board interest in the daily operation of foundation InfoSec procedures and technologies when the next media or vendor generated bit of FUD piques board interest. Very relevant to this and something all InfoSec managers need to be good at. Being the rational pragmatic voice. Pitching your best, risk based business case for funding pre-existing boring (critical BAU) stuff as well as providing a balancing view for vendor pitches. Great stuff Taz

  2. Halkyn Security

    Hi Sarah,

    Thanks for the comment. I totally agree with you about keeping the board interested.

    Sadly this is often easier said than done and vendor-FUD often ends up being the only way we can manage it. I suppose vendor-FUD isn’t always bad (it can generate proper board level support for security) but we need to make sure that it doesn’t end up diverting resources from “valuable” but mundane security and that it doesn’t end up desensitising people.

Comments are closed.