The End Of The Password As We Know It?

Passwords

When it comes to online security, it seems that reports of the death of simple password protection have been greatly exaggerated – even though there has been no shortage of security experts and industry commentators predicting its demise. Why is this, and how can we get users and service providers to take the issue of inadequate password protection more seriously?

The vast majority of Internet-based businesses still only require a username and password to provide successful access to services. Overwhelmed by the challenge of creating and remembering secure passwords for all the online sites and services they use, users typically stick to their favoured list of words and phrases – perhaps changing the odd character or two to add extra protection.

Even with the easy and widespread availability of added online security measures, such as two-factor authentication (2FA), we still cling to the simple password as our main means of online protection. There are several reasons for this.

1. Passwords Are A Nuisance

The first comes down to the changing profile of web users themselves. The democratisation and universalisation of the Internet means there are many billions of web users for whom IT security principles are a mystery. This means users unwittingly expose themselves – and often their employers – to infrastructure and data attacks.

With users sticking to the same or very similar password across all sites, it is therefore not surprising that as the number and popularity of online platforms increases, the attack surface broadens and security risks multiply.

At the same time, it is common practice among Internet-based providers to use a person’s email address as the default user name, and the concentration of email on a handful of large platforms only makes matters worse. Because the user name is effectively public, an attacker already holds half of the credential: valid accounts can be confirmed and passwords guessed by simple trial and error (a brute-force or dictionary attack), and a password leaked from one site can be replayed against every other site where the same address is used.

For many users, the very principle of strong passwords is seen as an irritating and overused limitation. They remain to be convinced that strong, unique passwords are crucial for the protection of personal data. You can see where they are coming from: if people’s bank cards can be adequately protected by a simple four-digit PIN, why should we expect users to protect their Facebook selfies with a ten-digit password containing a mixture of lower case, upper case, numeric and special characters?

2. How Strong Is Strong?

In reality, even so-called ‘strong’ passwords – often a requirement in businesses’ IT policies – only address a small number of security issues.

Even in a corporate IT setting, passwords that are validated by the local CISO get scribbled down on scraps of paper and stuck to the user’s screen. Strong passwords generated by the IT system get sent unencrypted by email and then stored on the user’s device forever. And who knows if the person asking employees to read out their passwords over the phone is truly someone from the IT department, as they claim?

Outside the workplace, can we trust the huge number of websites and online forums to store our credentials securely? How many of them simply send forgotten passwords back by email (which tells you they are stored in plain text, or at best reversibly encrypted, in their databases)? How many still store an unsalted MD5-type hash, which anyone with a precomputed lookup table (the classic ‘space-time trade-off’), some disk space and a little time can match straight back to the original password? A hash cannot be reversed, but a fast, unsalted one does not need to be: the attacker hashes candidate passwords once, and the resulting table serves against every site that made the same mistake. The cure is a random salt per user and a deliberately slow password hash (bcrypt, scrypt, Argon2 or PBKDF2).
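To make that concrete, here is an added example in Python (not code from the original article or from OVH) showing both sides of the problem: an attacker’s precomputed MD5 table matching a leaked unsalted hash, and the salted, deliberately slow PBKDF2 storage that defeats it. The wordlist and the leaked digest are constructed for the demonstration; PBKDF2-HMAC-SHA256 is used because it ships in the standard library, and bcrypt, scrypt or Argon2 would serve equally well.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed wordlist: stands in for the dictionary an attacker feeds a cracker
# or bakes into a precomputed lookup table. Real lists run to hundreds of millions.
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon",
            "football", "monkey", "iloveyou", "admin", "welcome"]


def unsalted_md5(password: str) -> str:
    """What a careless site stores: MD5 of the bare password."""
    return hashlib.md5(password.encode()).hexdigest()


def salted_md5(salt: bytes, password: str) -> str:
    """Salting alone defeats a precomputed table, but MD5 is still fast enough
    to brute-force per user; shown only to isolate the effect of the salt."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def build_md5_table(words) -> dict:
    """Precompute md5(word) -> word once. A real rainbow table compresses this
    with hash chains (the space-time trade-off), but the attack is the same:
    one table built up front matches every unsalted-MD5 database it meets."""
    return {unsalted_md5(w): w for w in words}


def lookup(table: dict, digest: str) -> Optional[str]:
    """Attacker side: a dictionary hit, no hashing needed at attack time."""
    return table.get(digest)


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> str:
    """Defender side: per-user random salt plus a slow key derivation.
    Stored form: algo$iterations$salt_hex$dk_hex."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    table = build_md5_table(WORDLIST)
    leaked = unsalted_md5("password")   # constructed: one row from a breached site
    print("unsalted MD5", leaked, "->", lookup(table, leaked))
    print("salted MD5 ->", lookup(table, salted_md5(os.urandom(8), "password")))
    stored = hash_password("password")
    print(stored)
    print(verify_password("password", stored), verify_password("Password", stored))
```

Two users who chose the same password get the same unsalted MD5, so one table hit cracks both; with a random salt each stored value is unique, and the iteration count makes every guess cost the attacker as much as it costs the site.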

The industry needs to accept that simple password protection is no longer enough. The bank card’s four-digit PIN is only safe because it is paired with possession of the card (and the card locks after a few wrong attempts); as with that chip and PIN approach, we need to make two-factor authentication (2FA) the default security setting.

3. Moving To 2FA … Simples!

The principle of two-factor authentication is hardly new. RSA SecurID-type tokens have been used for enterprise security for years. What’s changed, however, is the widespread access to a perfectly good authentication device: the smartphone. With more than 60 per cent of UK adults now owning a smartphone, the incremental cost of adding a second factor is practically zero.

We can achieve security comparable to a physical token using a simple app and a public algorithm to generate Time-based One-Time Passwords (TOTP, RFC 6238), for example. Each code is accepted once, is valid only for a short time step (30 seconds by default, a minute in some deployments) and is derived from a constant (a random shared secret known to the client app and the server, which the end user never needs to see) and a variable (the current time). The one caveat is that a smartphone is a general-purpose device, so a soft token is not as tamper-resistant as dedicated hardware; for most web services that trade-off is well worth making.

Apps to do this are free and universal, available on all smartphones. They can store as many shared secrets as needed, one per service the user needs to access. It’s fairly easy to implement such systems on the server side, as the algorithms are public and freely available: the server keeps the shared secret, computes the same code for the current time step (allowing a step or so of clock drift either way) and must refuse to accept the same code twice.

The good old password isn’t dead yet, of course. As a reminder, the three main authentication factors are ‘what I know’ (a password), ‘what I have’ (a key, a token or any other object) and ‘what I am’ (biometric information). We’re talking here about combining the TOTP generated by the smartphone (‘what I have’) with the traditional password (‘what I know’) to create strong, two-factor authentication.

Smartphones will continue to grow in popularity, but in the meantime there’s no need to exclude those without one. One-time authentication can be achieved using text messaging: the server generates the code and sends it in an SMS. This still fulfils the ‘what I have’ criterion (the phone), although it is the weaker option, since an SMS can be intercepted or redirected by an attacker who takes over the phone number, so it is best offered as a fallback rather than the default.

4. Getting Users On-Board

What the industry needs to do is encourage the adoption of 2FA by users. We need to simplify the tools needed for strong authentication and explain its importance to users. Fundamentally, it shouldn’t be down to the latter to guarantee their own data security and they shouldn’t have to jump through hoops for the sake of it.

We are starting to see several big web companies implementing this type of authentication, and many have very good approaches which offer users step-by-step guidance to activating 2FA. These neither require end users to understand obscure technical language, nor do they have to rack their brains to create or remember intricate passwords.

It may take a little time, but one day 2FA will be seen as a must-have on all web-based services, and those without it will risk losing out.

Stephane Lesimple first started using computers in the days of Amstrad, quickly becoming interested in security. These days, he can be found implementing the company’s security policy and anti-abuse tools as Chief Information Security Officer at OVH.