Password Security And Thoughts On Authentication Methods

We use passwords to access personal information and user accounts. With so many applications requiring passwords (e.g. online banking, shopping and social media just to name a few), it can be hard to track and at worst remember. Some applications require users to change their passwords every so often, and that can lead to users forgetting them or getting careless by writing down their password on a piece of paper. That piece of paper can later be misplaced which can lead to worse things. The problem with requiring frequent password changes and applying complexity to passwords is that it can become more complicated for users.

A password consists of a string of characters, that can include letters, numbers and special characters.

The following analysis breaks down the data structure of a valid password.

So far this is the understanding of what can be used for passwords. For example a user named 'jsmith' can create a password 'One4all&AllFOR1'.

Passwords were meant for security on an interconnected online world. The Internet has made connecting with others to communicate, transact and share information but unfortunately the Internet has no built in security layer.

This requires third-party implementations in which there is no uniform way to just sign on from one location and access any site without entering another password. This is possible within the ecosystem of a particular company like Google or Microsoft, but when you want to access another company's service there is no interoperability or sharing of security information that would allow access.

Though there are ways that allow a standard for access delegation like the Oath protocol, there is still no universal system of "sign on once and access everything forever".

As a user you may have multiple accounts online. One or more for banking, social media, payments, e-mail and group collaboration. You probably have a different password for each one, which is recommended. Others use just single password for all their online accounts.

The both have a problem though. When you need to remember so many passwords, it can become easy to forget unless you write it down or use a password manager. Unfortunately not everyone uses a password manager so they may frequently have to recover their password from the website. When you only use a single password for all accounts, if that password is hacked then it gives access to all your online information.

Security analysts in IT realized that clear text passwords are not secure. Passwords also needed to be stored more securely, to prevent tampering. In the early days of data networking, passwords were also not secure during transit. This would allow a hacker to easily use what is called a packet sniffer to analyze data packets that contain the clear text password. This was a critical issue that needed to be resolved.

The solution was to apply cryptographic methods using encryption and hashing. The communications channel between the user and the server would be encrypted using the HTTPS/TLS/SSL protocol for secure communications.

That would make it more difficult for hackers to eavesdrop on data across the network since it will now be encrypted. The password would also not appear as clear text. It now undergoes a hashing function to create a digest of the original password.

This is a one way function only, so it would be difficult for a hacker to crack the password. It would require a costly dictionary attack, but the hash value itself could take years to solve the original password that was hashed.

For example if we use the example password 'One4all&AllFOR1' and apply a SHA256 hash function, the result will be:

This is then stored in a password table, not in clear text format anymore. If a hacker were to obtain that password table, it won't be easy for them to crack the password.

These measures added to securing a system. However, it still did not prevent attacks on the system. The reason has to do with the password.

Passwords, although they provide a layer of security, are not hack proof. It only requires a person to make an intelligent guess to access a user's personal e-mail account.

The interface is public for anyone to login a username and password. This allows anyone who wants to hack in with ease to guess the user's password provided the username is known using a technique called a "Brute Force Attack".

This is also called a "Dictionary Attack" because the attacker can use a list of passwords like looking up words in a dictionary. This was one of the earliest forms of attacks when security systems were less sophisticated. To thwart this, systems administrators implemented a user account lockout for a certain number of failed logon attempts.

This prevents the use of brute force, but also affects the actual user because now their account is locked out. It would be an inconvenience since it requires contacting the systems administrator to have their account unlocked.

What if the systems administrator was not available or it was the middle of the night when no one is on duty? That can prevent users from logging in and getting to important work.

IT managers have become more responsive to these concerns. There are now security compliance policies in place that address these issues. There should always be a backup administrator on duty especially for enterprise operations which run around the clock.

With this setup, workers will always have technical support for resetting passwords or unlocking accounts. Just as security systems became more up to date to address new threats, the type of attacks also become more sophisticated to foil these measures. Passwords needed to become more complex and not easily guessed. This led IT managers to implement a password policy.

Now the implementation of password complexity becomes necessary for sites that have a public interface and best practice for any application that uses a logon screen. In the past, many users got careless and used "password" as their password.

That of course gifted many hackers and even boosted the egos of wannabe hackers due to how easy it was to hack. It was a simple attack that did not require cracking a really difficult password that takes time to complete.

Systems administrators implemented these policies as part of the operating system's own features (e.g. Windows Server) and developers used similar design for their applications. With password complexity, users will not be able to use some of the following type of passwords:

The use of password complexity prevents users from using a password like

'password'

or

'internet'

. The rules of complexity will vary from company to company but this example can show how one policy can be defined.

It becomes more complicated when admins require changing passwords as a policy enforcement. That means, let us say after 3 months the password expires. This will require users to create a new password to login, and this can be hectic and even unproductive since users will need to remember a new password (no repetition of old passwords allowed).

Instead of becoming a part of the solution, it created some new problems. Many companies do not use this type of enforcement but there are others that do.

Password policies that use complexity are good because they can force users to use a strong instead of a weak password. Even with password complexity, it still doesn't make the system fully secure. It just adds another layer.

Users can share passwords or even write them down to later be stolen. A lucky guess can still get hackers in. The problem it seems is still the password itself.

According to a Microsoft Technet blog post, there is a way to make passwords stronger by meeting analyzing its entropy, or how difficult it would be to crack a password. This difficulty is dependent on the number of bits in the password's length.

It can be shown in this formula:

log(C) / log(2) * L

C = The size of the character set
L = The length of the password

The formula states these observations (excerpt from the blog):

1.  Mathematically, the LENGTH of the password is exponentially more important than the complexity of the character-set used. 
2.  ANY complexity rule, to include defining a required number of numbers, letters, specials, etc., actually increases a password's ability to be cracked.

The character set refers to the total number of characters that can be used for the password. In the US, here are the total possible types of alphanumeric and non-alphanumeric characters that can be used:

- Numbers: 

0-9

- Upper Alphas: 

A-Z

- Lower Alphas: 

a-z

- Special Characters: 

` ~ ! @ # $ % ^ & * ( ) _ + - = { } | [ ] \ : " ; ' < > ? , . /

We have 10 characters for Numbers, 26 for Upper and Lower case letters and 32 for special characters. We add it all up 10 + 26 + 26 + 32 = 94 characters. So according to observation 1, the password length makes it more difficult to crack than just the character set used.

The key to stronger passwords is a combination of length and complexity. Passwords can still be cracked, even if it takes days, weeks or months, but this layer of security adds more time to take for hackers. Eventually, security experts needed to come up with smarter authentication methods as well.

Authentication methods are implementing better security techniques to foil hackers. By combining different methods, it aims to make the system more foolproof against attacks. Instead of just requiring a password from the user, additional information will be requested as well.

This has led to the development of "Multi-Factor Authentication" (MFA) or Two-Factor Authentication (2FA) for added security. This enables additional information that only a user has like their smartphone number for authentication. With MFA it also includes the use of biometric information like a fingerprint or retina scan.

All these add to security, but doesn't help if the password is lost or forgotten. People are still required to remember a password to complete the authentication.

With MFA there are three types of methods used for authentication.

1. What You Know - This is your password. The first layer of security in authenticating the user.

2. What You Own - Your smartphone or computer. Using the smartphone number, the system can send back a code via text message for the user to enter. On a computer, a security token can be created that uses an authenticator provider (e.g. Google Authenticator) that generates a code that the user can enter.

3. Who You Are - Biometric information about the user, like fingerprint, facial recognition or retina scan. This third method can be used if there is a sensor that can obtain that information about the user. This is implemented on smartphone fingerprint readers (e.g. Apple Pay Touch ID).

This use of different authentication methods can thwart a hacker even if the password was guessed. The hacker would then have to either have physical access to the user's smartphone or computer or have the actual user's finger.

This is still not the pinnacle of security. Another method can be used for verification of a user's true identity.

For identity verification, that is tamper proof and secure, a blockchain can provide yet another layer of security in combination with 2FA or MFA. This is a debatable topic since blockchain technology is still fairly recent and have not had as much of a track record as other systems.

Its strength is in being able to quickly verify data using what are called Merkle Proofs. This is an undeniable record of verified information that is based on hash values with a root that can be traced.

The advantage of this type of system is in identification verification. Let us say user 'jsmith' claims to be 'John Smith'. A blockchain based system creates a cryptographically secure record on a digital ledger that can prove this.

The record is also transparent and cannot be modified or deleted. When implemented as part of a verification system, it can be done using a consensus mechanism. For example, let's say the user has passed 2FA, the blockchain now verifies the identity of the user.

Nodes on the network will verify this information was properly entered based on let's say the user's face or fingerprint. If the user's information does not match what the system knows then access will be denied.

If a hacker were to pass the MFA, the blockchain can block their access since identity requires verification. In the case of a blockchain, you have independent nodes that perform verification.

The good thing about having independent nodes perform a verification is it is not under one entity that can influenced. It was meant to be decentralized for a trustless environment where no one makes an absolute decision. It must be a collective effort that leads to a consensus among the majority of nodes.

Is this trustworthy and effective? It is not going to be easily explained in a few sentences, but the idea here is to have a verification system in place as a last resort to authentication. I won't go any further on this topic, since this is all in theory and not in application.

Technology evolves and when the time comes to use different authentication methods that don't require passwords, at the moment we still need them. The important thing about passwords is to keep them complex and long.

8 characters is just way too simple nowadays as hackers have more sophistication behind their methods as they learn new techniques. The next time an IT manager thinks about security, adding additional layers like MFA makes plenty of sense to protect their users. For now passwords will continue to be used so long as there are systems that require it.