With IT professionals and users regularly venting frustrations about them, one might wonder why passwords have endured for so long. It turns out the ageing security measure is not so easily replaced
In August, Dropbox announced it had confirmed a breach of its database. Approximately 68 million email addresses and their corresponding passwords had been leaked back in 2012. It was another example of a high-profile website that had had its password security compromised, and a reminder of why passwords are so frustrating. With many people complaining they are both inconvenient and insecure, one might wonder why there isn’t a better alternative.
Industry luminaries have long been warning passwords will eventually go the way of the floppy disk. In 2004, at the RSA Security Conference, Bill Gates famously declared passwords would soon be dead: 12 years later, his prediction is slowly coming true. At its I/O conference in 2015, Google announced Project Abacus – a complex series of checks that would gradually replace passwords on Android devices. Yahoo removed passwords from its Mail app in 2015. Apple now lets users unlock their computers by holding their Apple Watch close by.
Industry luminaries have long warned passwords will eventually go the way of the floppy disk
Despite these efforts, passwords remain a primary security measure across services as critical as bank and email accounts. Unfortunately for people who hate them, a decent replacement just doesn’t exist yet.
Security or usability
Oliver Farnan, a security researcher at the University of Oxford, said any security measure is always a compromise: “In security academia and security research, there’s always this battle with security on one hand and usability on the other. It’s easy to make things really, really secure.”
If security were the only concern when it comes to protecting user accounts, there would never be any breaches. Potentially dozens of varied measures could be used; more than enough to deter even the most dedicated of hackers. The problem is that, for every security measure, another layer of inconvenience is added. Farnan said putting up several security measures would make a website like Facebook totally unusable.
“You could make it more secure by requiring two-factor [authentication] on your phone, you could make it more secure by having a fingerprint scan, you could even make it even more secure by, say, sending Facebook a letter saying ‘I want to log on at this time’. Adding security is quite easy – the problem is you want to add it in a usable way.” By Farnan’s reckoning, this is the main reason passwords have stuck around; they strike a good balance between security and convenience.
Are, have, know
There is by no means a shortage of alternatives to passwords available. The Samsung Galaxy Note 7 has a built-in iris scanner, and since the iPhone 5S Apple has included a fingerprint scanner on its devices. Banks sometimes supply a key generator to limit access to people’s accounts, and many services are now using notifications on smartphones to authenticate login attempts. None, however, match the core qualities of passwords.
Fundamentally security measures work by confirming one of three things: ‘something you are’, ‘something you have’, or ‘something you know’.
‘Something you are’ is simultaneously the most and least convenient. The benefit of using something that you are (like your genetic material or fingerprints) as a security measure is that you always have it with you. You can’t forget it, you can never leave it behind and you don’t have to worry about someone stealing it. For many people, biometrics seems like the future. That is, until the inevitable hack. No security database or measurement is totally secure and, if widely adopted, a leak at some point is almost a certainty. If your fingerprint or iris information is made public, any account that used it has, at least theoretically, been compromised. And unlike passwords, you can’t just reset your fingerprints.
‘Something you have’ suffers from a similar issue. Whatever the thing in questions is, whether an access card or a mobile phone, you run the risk of losing it or having it stolen. It is also the most expensive and inconvenient to replace, as it involves a physical object.
Lastly, there is ‘something you know’. It cannot be stolen, it can be easily changed if it is compromised, and it doesn’t cost anything. On the user’s side, the worst that can happen is forgetting it. It’s this balance of security and usability that has allowed passwords to endure for so long. If perfectly implemented, the humble password cannot be matched.
Best of a bad bunch
Despite their benefits, passwords do have many issues. Farnan said many security researchers are cold on the idea of passwords, thanks to the security measure’s vulnerability to a number of different attacks. One of these is the interception of a network, where the content of a password is copied as it is being transmitted. However, though this is a possibility, modern transmission security standards make it uncommon.
Another threat is guessing attacks, a particular flaw of passwords supported by security questions. If a celebrity’s email or iCloud account has been breached, it was probably a result of a guessing attack; well-known people are particularly susceptible to such attacks since the information hackers are guessing – be it their mother’s maiden name, the name of the town in which they were born, or something similar – may be publicly available. For the average person, this is less of a concern; brute force attacks, where the attacker submits guesses in rapid succession, are more common.
However, Farnan said this is more or less a solved problem, thanks to lockout timers: systems that make users wait before having multiple attempts at entering a password. “So, if you fail your password three times, you’re locked out 30 seconds. If you fail it the next three times, you’re locked out for five minutes. If you fail it the next three times you’re locked out an hour. And with that you very quickly get this huge superlinear increase in time. You very soon find yourself in time periods where it’s not practical to guess any more passwords.”
The FBI found itself up against this defence when attempting to gain access to the iPhone 5C of San Bernardino gunman Syed Farook. The FBI requested Apple remove the feature through a private firmware update, allowing them to launch a brute force attack. While the FBI eventually got the password through other means, the case proved lockout timers do provide an effective defence for the average person. Making passwords longer or more complex also increases the amount of time it takes to mount a brute force attack.
Hash and salt
The last problem with passwords, and the reason behind password leaks, is the use of out-of-date hashing algorithms. If a service is doing its job correctly, it won’t actually have a copy of passwords on file, instead holding the result of a hashing algorithm: a complex equation that takes a password and converts it into a long string of characters. This is done through a pseudo-random one-way process, meaning the operator of a password service never has to store your password, but rather the resultant hash. The process is supposed to be impossible to reverse thanks to the inclusion of extra random characters in the equation, called ‘salt’. If you hack into a database of passwords, unless you can find a way to change the hash back into the original code, your information is worthless.
If a company updates its password hashing algorithm, it needs users to create new passwords
However, while it does take a substantial amount of work, hashes can be compromised, requiring companies to update their security measures. It’s not hard, but many still fail to update old systems, allowing passwords to be determined from leaked data. Farnan said this is due to a lack of awareness on the part of developers.
“This is something you come across working in security firms; developers work on something until it works. Their priority is their deadline, their budget; they want the easiest solution they can get in the time they have. They may not have security training. I’m happy talking to a developer and telling them what security algorithms they can use, or should use, when storing passwords. The problem is those security algorithms may change over time. Maybe we’ll have an advancement in cryptography or something like that and we’ll recommend switching to a different algorithm. It’s difficult for non-security-focused developers to keep on top of those changes.”
Since responsible website operators don’t store a copy of passwords on-site, if a company updates its password hashing algorithm, it needs users to create new passwords. This was what caught Dropbox out – people who hadn’t changed their passwords in a long time had them stored in a compromised format. Having passwords expire after a given amount of time would have been enough to fix this vulnerability.
Keep it together
Farnan said that, while some security researchers don’t like the idea of passwords, he is mostly supportive of keeping them as a primary security system. All of their problems are more or less already solved, as long as developers put in the work. Even the seemingly bad habits of users aren’t that much of a concern.
“Security researchers and people who work in security like to moan about users and say things like ‘education is key’, and I think that’s true, but at the same time I think often users make quite good security decisions based on the information they have.”
Farnan said many people have a hierarchy of common passwords they use, saving unique and complex ones for accounts that matter more, such as the one with their bank. Weaker and less complex passwords are usually used on accounts that are less critical, like a login for the comments section of a news site.
However, perhaps the biggest thing stopping companies ditching passwords is the extra attention that would attend something going wrong with a new system.“You’re screwed, you’re the one caught with your pants down because you used a non-standard system”, said Farnan. “So there really isn’t much motivation for individual organisations to switch to revolutionary new systems.”
In the future, Farnan said, he could see two-factor authentication playing a bigger part in security measures. Thanks to the prevalence of smartphones – which are quite powerful computers in their own right – users can run a number of different cryptographic functions remotely. Confirming login attempts on your phone could become far more common practice, especially as stealing someone’s password and phone at the same time is no easy task. In the end, such developments will be in support of passwords instead of replacing them, with a secure email account always being the key to resetting any other account should a person lose their phone.
Another possibility is an increase in the number of companies that use login information from other services, such as using a Facebook account to access Spotify. The benefit here is a reduction in the number of points where passwords can fail, since larger companies like Google and Facebook have more resources to dedicate to security. It’s also far more reasonable to expect users to remember one complex password than a dozen. Still, users would be putting all their eggs into one basket, so to speak. For those sick of passwords, a password manager program that automatically generates and saves complex passwords should remove a lot of hassle. Hate them if you must, but passwords remain the best of a bad lot.