On 1 June, teissTalk host Geoff White was joined by a panel of authentication experts to discuss how passwords, anachronistic as they may be, can be combined with biometrics and other methods so that we can make do with them until something fit for purpose emerges.
What is wrong with passwords?
Despite Bill Gates’s verdict in 2004 that passwords are ill-suited to the purpose they serve, seventeen years later we are still discussing how their vulnerabilities, and the complexity of how we use them, can be mitigated. Although there is a lot of talk about how often passwords need to be changed, a more relevant question is how a company stores them. One of the tools that can strengthen passwords is hashing. Fast hashing can remove the fangs of even the strongest password, and the deepest encryption will be useless with passwords such as 1234.
Two breaches from 2014 clearly demonstrate the importance of strong hashing. The two victims were a professional networking platform and a file-sharing service, using SHA-1 and bcrypt hashing respectively. The first had 98 per cent of its public data stolen, the latter only 10 per cent. Bcrypt always hashes every password with a salt, random data added to the input of the hashing function that makes each password hash unique. SHA-1, by contrast, is much faster to compute and therefore less secure: brute-force attacks have far greater success against it. Generally speaking, a company does an excellent job with passwords and hashing if, once its passwords get out into the public domain, they can stay there for five years with fewer than 20 per cent of them being cracked. Deep and slow hashing is key to security, given that a standard laptop can crack hashes at a rate of 200 billion per second, while with a modest investment you can easily get three times that speed. Even well-encrypted corporate passwords can fall victim to password spraying and credential stuffing if employees reuse the same password for external applications. Criminals subscribed to an “as-a-Service” model can also commission hackers to crack passwords for them in a distributed manner, and by running AI over a multitude of passwords they can identify patterns in how people create them and use that information to make their cracking more efficient.
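To make the fast-versus-slow hashing point concrete, here is an added example (not code from the panel or from either breached company) contrasting unsalted SHA-1 with a salted, deliberately slow hash; the standard library's scrypt stands in for bcrypt, and the storage format, function names and sample password are this example's own assumptions.

```python
import hashlib
import hmac
import os
import time

# Constructed sample password (not from the article); a real system never keeps it in the clear
SAMPLE_PASSWORD = "1234"

def fast_sha1(password: str) -> str:
    """Unsalted SHA-1: one cheap hash, and identical for every user who picks the same password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def store_slow_salted(password: str, salt: bytes = None, n: int = 2 ** 14) -> str:
    """Salted, deliberately slow hash. The stdlib's scrypt stands in for bcrypt here; both add a
    random per-user salt and a tunable work factor (n) that makes every guess expensive."""
    if salt is None:
        salt = os.urandom(16)          # fresh random salt for each stored password
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=8, p=1, dklen=32)
    # Keep the parameters next to the digest so the work factor can be raised later without breaking verification
    return f"scrypt${n}${salt.hex()}${digest.hex()}"

def verify_slow_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and work factor; constant-time compare avoids a timing leak."""
    _scheme, n, salt_hex, digest_hex = stored.split("$")
    recomputed = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                                n=int(n), r=8, p=1, dklen=32)
    return hmac.compare_digest(recomputed.hex(), digest_hex)

def cost_ratio(password: str, fast_iters: int = 2000, slow_iters: int = 3) -> float:
    """How many times more expensive one slow salted hash is than one SHA-1 on this machine."""
    fixed_salt = b"\x00" * 16      # fixed salt only so the benchmark measures hashing, not salt generation
    t0 = time.perf_counter()
    for _ in range(fast_iters):
        fast_sha1(password)
    per_fast = (time.perf_counter() - t0) / fast_iters
    t0 = time.perf_counter()
    for _ in range(slow_iters):
        store_slow_salted(password, salt=fixed_salt)
    per_slow = (time.perf_counter() - t0) / slow_iters
    return per_slow / per_fast

if __name__ == "__main__":
    print("SHA-1 of", SAMPLE_PASSWORD, "is the same for every user:", fast_sha1(SAMPLE_PASSWORD))
    a, b = store_slow_salted(SAMPLE_PASSWORD), store_slow_salted(SAMPLE_PASSWORD)
    print("Two salted hashes of the same password differ:", a != b)
    print("Verification still works:", verify_slow_salted(SAMPLE_PASSWORD, a))
    print(f"One slow hash costs roughly {cost_ratio(SAMPLE_PASSWORD):,.0f}x one SHA-1")
```

The ratio printed at the end is the attacker's problem in miniature: every guess against the salted, slow scheme costs that many SHA-1 computations, and the salt means each user's hash has to be attacked separately.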
2FA and other ways of avoiding a single point of failure
Two-factor authentication (2FA) is definitely one way forward. The choice of the two (or more) factors, however, can make a world of difference. Although still extensively used, especially in Africa and South America, where online banking is overwhelmingly mobile-based, SMS is woefully inadequate. There are multiple reasons for this, ranging from how text messages can be spoofed to SIM swapping, where criminals get a victim’s mobile number transferred to their own SIM card by impersonating the victim in a chat with the service provider. Alternatives to sending tokens by SMS are, however, readily available: seed-based authentication, where a seed is extracted from an image or the randomness of mouse movements and used to generate one-time login tokens, is a strong option.
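The seed-based one-time token scheme mentioned above, as an added example rather than anything the panel presented: it uses HOTP (RFC 4226) to derive tokens from a shared seed and shows why a token that was already used, or intercepted and replayed, is rejected. The seed here comes from os.urandom rather than an image or mouse movements, and the class and function names are this example's own.

```python
import hashlib
import hmac
import os
import struct

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the moving counter, dynamically truncated to `digits` decimal digits.
    Nothing is sent over SMS: only the seed, held by both sides, lets either side compute the token."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class SeedAuthenticator:
    """Server-side record for one enrolled user: the shared seed and the last counter accepted."""

    def __init__(self, seed: bytes, look_ahead: int = 5):
        self.seed = seed
        self.last_counter = -1         # nothing accepted yet
        self.look_ahead = look_ahead   # how many skipped tokens to tolerate

    def verify(self, token: str) -> bool:
        """Accept a token only for a counter newer than the last one used, within the look-ahead window.
        A token that was already used (or intercepted and replayed later) is rejected."""
        for candidate in range(self.last_counter + 1, self.last_counter + 1 + self.look_ahead):
            if hmac.compare_digest(hotp(self.seed, candidate), token):
                self.last_counter = candidate   # burns this counter and any skipped ones before it
                return True
        return False

def enrol() -> bytes:
    """Constructed seed for the demo; an image- or mouse-movement-derived seed would be plugged in here."""
    return os.urandom(20)

if __name__ == "__main__":
    seed = enrol()
    server = SeedAuthenticator(seed)
    first = hotp(seed, 0)            # what the user's device would display
    print("fresh token accepted:", server.verify(first))
    print("same token replayed:", server.verify(first))
    print("token two steps ahead:", server.verify(hotp(seed, 2)))
    print("stale token from the skipped step:", server.verify(hotp(seed, 1)))
```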
Users are increasingly warming to biometrics, that is, providing proof of “what you are”. Fingerprint and face recognition have become standard features of smartphones and are widely used in online banking; other types, such as voice, are catching on as well. For those who don’t feel comfortable with biometric authentication for fear of being physically assaulted by criminals, there are alternatives as well, such as authenticator apps. Another criticism of hard-to-mimic biometric data is that there is only one of it and, unlike a password, it is hard to replace once a breach has actually taken place.
How can state-of-the art authentication be integrated into legacy systems?
Cyber security around legacy systems built from almost archaeological layers of software is a real challenge. There are some bolt-on solutions such as Windows Hello, but even where they aren’t viable, access can be configured to include multiple levels of authentication. It is key that not only the use but also the roll-out of new multi-factor authentication (MFA) systems is fast and seamless. Security experts need to be aware that those working in other lines of business have no ambition to become cyber security experts themselves; they just want to tick the compliance box and get on with their work. What we need is “simple complexity”: defence in depth and a frictionless user experience at the same time.
Ease of use – the strengths and weaknesses of password managers
Encryption and strong passwords, meanwhile, won’t get far without getting the human factor right. Statistics show that the more complex an authentication system is, the more likely users are to find shortcuts around it. Password managers are great tools for coping with the proliferation of logins and passwords that best practice results in, but they may further complicate access to various systems and applications. Proportionality is key here: never use a password manager to protect something bigger than it is. The best way to square the circle is to remember the logins to the couple of password managers or hubs you use and then look up the individual passwords in them.