
Friday, January 25, 2013

Password perils

In the brave new world of the cloud, you need a way to prove to the cloud that you are really you and not some Romanian hacker.

This is called user authentication, and for better or worse the state of the practice for user authentication is the pesky password.

On the surface the password seems quite reasonable.  You present the program with a word or phrase that only you should know.  If you are successful, then the program can assume that all further interactions really are from you (and not your child, your neighbor, or the Romanian hacker).

However, passwords have problems.
  • Easy-to-guess passwords.  You want a password that is easy for you to remember but hard for others to guess.  Your anniversary date, your child's name, or your dog's name are probably easy enough for someone who knows you to guess.  If the password is short or a standard English word, then the Romanian hacker has it in a list, and he can set up a computer to launch a brute force attack against your account.
  • Using the same password everywhere.  You want a password that is easy to remember.  You have to authenticate yourself against dozens of services now, so it seems reasonable to use the same password everywhere.  However, not all organizations have the same level of security and vigilance.  The low security, low vigilance service will get hacked eventually.  Even organizations that should know better get hacked.  For example, my IEEE professional organization had all their members' passwords released this year.  If you use the same password everywhere, an exploit at one service means that the hacker will eventually try the same credentials at someplace more interesting like Citibank or American Express.  So at least use a different class of passwords for services with very sensitive or money-oriented functions.
  • Probably the biggest threat to a password authentication approach is social engineering.  With social engineering, someone talks you into giving them your password.  The person seems to have quite a legitimate reason for needing your password.  Perhaps they say that they are from your bank and they need to adjust some things for your account.  The person sounds sincere and legitimate, so you give them the requested information.  Now they are into that account and probably other accounts with the same password.
What is a person to do?
  • You could use a password vault or a password manager to record all of your account names and associated passwords.  A low tech version of this is a sheet of paper or a booklet that you keep in a secure location, i.e., not on a sticky note next to your computer at work.  Search for "password vault" on Google for lots of higher tech versions.  A software password vault will store all of your passwords and account names.  You need a master password to open the password vault.  So the one password for the vault still needs to be easy enough to remember but secure.  But with a password vault, it becomes feasible to use truly random passwords and unique passwords for each account.
  • Another approach is to use an authentication against another service as an authentication for your own service.  For example, I can log into my bug tracking service using my corporate gmail account.  Or I can log into a game site using my Facebook account.  This means you have to track fewer passwords, which is good.  But you must understand how much you trust the authentication on the original service.  For example, I'm happy to use my Facebook authentication on a game site, but I would never consider using it for my online bank account.
  • If you read a security textbook, it will tell you it is most secure to use random passwords.  Twenty years ago password length was limited to 8 to 12 characters, so randomness made a lot of sense.  Today almost all services allow for arbitrarily long passwords, so it makes sense to choose random phrases rather than random character sequences.  This xkcd comic makes the point very well.  You are going to be far more likely to remember a pronounceable nonsense phrase than a non-pronounceable nonsense character sequence.
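As an added example (not code from the original post), here is a small Python script that generates the two kinds of secret the list above discusses, a random character password of the sort a vault makes practical and a random word phrase, and works out how many bits of entropy each has and how long exhausting that space takes at a given guessing rate.  The 16-word list is a constructed sample; a real passphrase generator would draw from a published list of a few thousand words, and the 2048-word list size and 1000 guesses per second used in `compare()` are assumptions chosen to reproduce the xkcd comic's figures, not numbers from the post.

```python
import math
import secrets
import string

# Constructed sample word list for illustration only.  A real passphrase generator
# would use a published list of a few thousand words (a 2048-word list is assumed
# as the default in compare() below).
SAMPLE_WORDS = [
    "anchor", "basket", "copper", "dragon", "ember", "falcon", "garden", "harbor",
    "island", "jungle", "kettle", "lantern", "meadow", "nectar", "orbit", "pepper",
]

# 26 + 26 + 10 + 32 = 94 printable ASCII characters (space excluded).
PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random secret: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def random_password(length: int = 16, alphabet: str = PRINTABLE) -> str:
    """Random character password, as a password vault would generate for each account."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words: int = 4, wordlist=SAMPLE_WORDS, sep: str = " ") -> str:
    """Random word phrase: pronounceable, so far easier to remember than a character string."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every secret of the given entropy at a fixed guessing rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def compare(list_size: int = 2048, words: int = 4, chars: int = 8,
            guesses_per_second: float = 1000.0) -> dict:
    """Entropy and exhaustive-search time of an N-word phrase versus an N-character password."""
    phrase_bits = entropy_bits(list_size, words)
    char_bits = entropy_bits(len(PRINTABLE), chars)
    return {
        "phrase_bits": phrase_bits,
        "phrase_years": years_to_exhaust(phrase_bits, guesses_per_second),
        "char_bits": char_bits,
        "char_years": years_to_exhaust(char_bits, guesses_per_second),
    }


if __name__ == "__main__":
    print("password  :", random_password())
    print("passphrase:", random_passphrase())
    for name, value in compare().items():
        print(f"{name:>12}: {value:,.1f}")
```

Four words drawn from a 2048-word list give 44 bits, the comic's figure, which at 1000 guesses per second takes about 558 years to exhaust; eight random printable characters give about 52 bits but are much harder to remember.  Two caveats matter in practice: the entropy figure only holds when the words are picked by a random source such as `secrets`, not by a person, and an attacker who has stolen a password hash from a breached service can test far more than 1000 guesses per second offline, so a phrase of five or six words is a safer choice for anything sensitive.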
What other options are there?
  • Biometrics are popular in movies, and things like fingerprint readers are becoming mainstream.  You can order one in most new laptops and desktops.  Biometrics catch people's fancy because you cannot forget your fingerprint or retina pattern, or lose it (except in extreme cases).  But biometrics work best in combination with something like a pass code.  Depending on what is being measured, biometrics accuracy ranges from 90% down to 60%.
  • Many banks (and SafelyFiled) offer an extra password or access code.  In certain situations, you must enter an access code sent to your mobile phone.  This raises the bar for the hacker.  Not only do they need to get your account name and password, they must get your mobile phone (or change your registered mobile phone to theirs).  Having to enter an extra access code is a hassle, but when used to "prove" the security/validity of a new location or new account it can be quite helpful to reduce security risk.
  • Many corporate environments use one-time passwords.  An employee working away from the office is given a secure card.  He uses a PIN to access it, and it shows a password.  When he logs into the corporate server, he enters that password.  The next time he activates the secure card, a different password is shown.  This is a great solution for a controlled corporate environment, but not such a good solution for a consumer environment.  It isn't practical to have a secure card for every service you access.
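As an added example, not from the post and not a description of any particular vendor's card, here is a Python model of the one-time password scheme described above using the open HOTP algorithm (RFC 4226), one standard way such a card works: the card and the server share a secret and a counter, each activation of the card shows the code for the next counter value, and the server accepts each code only once, resynchronising with a small look-ahead window if the employee activated the card without logging in.  The PIN check, the `TokenCard` and `Server` classes and the window size are assumptions for the illustration; the secret and the expected codes are the RFC's own published test vectors.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TokenCard:
    """The employee's card (assumed model): PIN-protected, shows a new code each activation."""

    def __init__(self, secret: bytes, pin: str) -> None:
        self._secret = secret
        self._pin = pin
        self._counter = 0

    def show_password(self, pin: str) -> str:
        # Constant-time comparison so the PIN check does not leak through timing.
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            raise PermissionError("wrong PIN")
        code = hotp(self._secret, self._counter)
        self._counter += 1  # the next activation shows a different code
        return code


class Server:
    """The corporate server's side (assumed model): same secret, its own counter, look-ahead window."""

    def __init__(self, secret: bytes, window: int = 5) -> None:
        self._secret = secret
        self._counter = 0
        self._window = window

    def verify(self, code: str) -> bool:
        # Accept the code for the current counter or a few counters ahead (the card was
        # activated without a login); never accept a counter already consumed, so a
        # captured code cannot be replayed.
        for candidate in range(self._counter, self._counter + self._window):
            if hmac.compare_digest(hotp(self._secret, candidate), code):
                self._counter = candidate + 1
                return True
        return False


# Shared secret from the RFC 4226 test vectors (a real card holds a random secret).
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    card = TokenCard(RFC_SECRET, pin="1234")
    server = Server(RFC_SECRET)
    first = card.show_password("1234")
    print("login with fresh code:", server.verify(first))  # True
    print("replay of same code:  ", server.verify(first))  # False
    card.show_password("1234")                              # activated but never used
    third = card.show_password("1234")
    print("resynchronised login: ", server.verify(third))  # True
```

Two properties make this a stronger second factor than a fixed access code: the secret never crosses the network (only the short-lived derived code does), and the server's counter only moves forward, so a code that was seen once is useless afterwards.  The same counter-and-window bookkeeping is why a card for every consumer service would be impractical, as the post notes: each service would need its own secret and its own synchronised counter.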
There is no "right way" to address the password problem.  Be diligent about protecting your passwords.  Find a system that works for you to manage a variety of strong passwords.  Keep your ears open for new options, because authentication technology continues to evolve.