Passwords are dead



I've blogged about passwords several times. It's a zombie topic, one that refuses to go away or just lie down and die quietly.

On CISSPforum, we've been idly chatting about user authentication for a week or so. The consensus is that passwords are a lousy way to authenticate, for several reasons.

First the obvious.  Passwords are:
  • Hard to remember, at least good ones are, especially if we are forced to think up new ones periodically for no particular reason;

  • Generally weak and easily guessed, due to the previous point;

  • Sometimes generated and issued not chosen or changeable by the user;

  • Readily shared or disclosed (e.g. by watching us type), or written down;

  • Readily obtained by force, coercion, deception and other forms of social engineering such as phishing or password reset tricks, or interception, or hacking, or brute force attacks, or spyware or .. well clearly there are lots of attacks;

  • Often re-used (for different sites/apps etc., and over time).
Next comes some less obvious, more pernicious lousiness:
  • Badly-designed sites/systems sometimes prevent us using strong passwords (e.g. they must be less than 20 characters with no spaces nor special characters ...; must be typed or clicked manually - no automation allowed);

  • Poor guidance on choosing passwords encourages poor choices;

  • Passwords are sometimes weakened covertly by even lousier sites/systems (e.g. we can enter complex 50 character passwords but they only actually use 6, or store them in plaintext, or use a pathetically weak or broken hashing algorithm, often without a salt ...).
In short, passwords are not a reliable way to authenticate people. As a security control, they are weak to mediocre at best, not strong ... which is obvously a concern when authentication really matters. Some sites and apps have moved to multi-factor authentication, generally passwords or PIN codes plus some other factor, such as a cryptographic token, 'bingo card' or some other piece of hardware, or software, or biometrics, or locational information (e.g. GPS coordinates) or system characteristics (operating system + IP address or IMEI).

Passwords are dead
Long live passwords

Martin from Sweden has been telling us about an interesting federated authentication system there called BankID, based around a mobile app. The app serves credentials to various Swedish organizations enrolled in the scheme, not just the bank that originally authenticated the user (using a hardware token). It allows the user to check the details at authentication time (e.g. the transactions you are authorizing). It is multifactor: you need PINs or passwords to access your mobile and the app, plus the app, plus the device, plus the keys. Presumably it has mechanisms to handle lost/stolen mobiles, and new mobiles.

It's a successful, working system, not just a model or theory.  Cool!

I'm still interested in the idea of continuous authentication, supplementing the conventinal one-time login process at the start of a session with user activity monitoring during the session to confirm that the logged in user is behaving normally, and has not suddenly started typing differently, accessing different apps and sites, gambling, making large payments to Swiss bank accounts or whatever.