Killing Passwords: the Real Solution for Password Security

11/02/2014



Why Passwords are a Terrible Idea

You may have heard the news: it’s time to start killing passwords.

Amidst the headlines involving high-profile data breaches at major companies, and in the wake of cyberattacks that have targeted celebrities and even tech writers, data security experts have been calling for the death of the password.

The use of traditional username and password combinations is what allows hackers to compromise user accounts and use them to launch most of these attacks. In the wake of these incidents, many experts and tech writers have been calling for users to enable two-factor authentication to protect their accounts for websites and other services, but even this approach is obsolete when considering the vulnerabilities of most two-factor authentication technologies.

According to computer security company Trend Micro, which analyzed an attack that bypassed two-factor authentication for online banking, “Even advanced security schemes are vulnerable now.”


Understanding the Vulnerabilities of Passwords and Two-factor Authentication

Most solutions for two-factor authentication continue to require passwords as the first authentication factor, and this fails to address the fundamental and underlying problem of password vulnerability.

If the login process for two-factor authentication still uses a password, then any accounts or data that are protected by two-factor authentication will not be truly secure. Hackers can still use tactics like man-in-the-middle attacks or SIM card cloning to bypass two-factor authentication and compromise data security.

Also, most two-factor authentication solutions require that the login password and the one-time code for authentication be entered through the same login interface and through a desktop or mobile keyboard. This means that, while the one-time code may be received on a physically separate device, such as a smartphone, it must still be typed into the login screen, and so the scheme does not truly qualify as two-factor authentication. It does not use two genuinely separate authentication factors, such as a password (knowledge) entered through the login screen and a software key stored encrypted on a mobile device (possession) that is verified separately through a mobile app.

Instead, the password and one-time code are merely two knowledge factors, ultimately entered the same way during the login process, and, thus, the security is merely two-step verification using the same type of authentication factor for each step. It is not two-factor authentication, which requires two distinct types of authentication factors, and an attacker can intercept both knowledge-based credentials by simply spoofing or cloning the login interface or by logging keystrokes from the keyboard. Once the attacker has stolen both credentials, they can be used to log into the intended service.

Moreover, once an attacker has stolen a username and password for one service, the combination of these two credentials can potentially be used to access many other services that the victim uses, especially if the same username and password are used for multiple accounts.


How Industry Leaders Are Killing the Password and Making Logins Easier

To address this problem, industry leaders are already working on new technologies that are designed to replace the password with advanced authentication security and cryptography that will make it virtually impossible for hackers to compromise user accounts and then use them to steal data, deploy malware, or compromise websites through SQL injection.

The FIDO Alliance, a consortium of companies that includes Google, Microsoft, PayPal, MasterCard, Visa, Samsung, and Bank of America, has established specifications that are driving the development of new solutions that eliminate the authentication vulnerabilities that enable data breaches and cyberattacks. The best solutions replace passwords with public key cryptography, which ensures that no passwords or credentials are entered during the login process and thus physically guarantees that there are no credentials that attackers can steal during entry into the login interface, transmission to the server, or from the authenticating server.

As an added benefit, these technologies greatly simplify the user login experience by removing the need to memorize, store, or enter long, complex passwords.


How ‘Strong’ Passwords Weaken Data Security

Until recently, the focus in authentication security has been on the need for each user to create a strong password. In data security, a strong password is a long password with more characters and preferably a combination of lower case and upper case letters and the inclusion of numbers and special symbols. And, of course, the user should create a unique password for each website or service that he or she uses.

Many companies and services, such as Apple Inc.’s Apple ID, now require users to meet stringent requirements for password strength and complexity before approving their password credentials.

The idea is that a complex password makes it more difficult for hackers to guess the password through manual login attempts or through automated brute force attacks. These automated attacks use botnets of compromised computers, servers, and websites to do the guessing on a large scale, driven by large lists of common, weak passwords and sets of credentials that have been stolen from previous data breaches. Using a unique password for each site or service reduces the effectiveness of these lists because the same credential cannot be guessed or stolen and then used to access other sites and services.

Unfortunately, password complexity and uniqueness are not safer or more effective. Making passwords longer and using special symbols and numbers does not necessarily make passwords more difficult to guess.

As Cormac Herley, a Microsoft researcher, told Wired Magazine recently, “The cracking software that’s out there has known about all of these tricks for more than a decade. A lot of the password completion policies don’t push people toward randomness and things that will pass 10^14 guesses; they push people toward predictable strategies that will not.”

Moreover, password complexity does not do anything to prevent a complex password from being stolen and used through phishing, malware, or hacking of the server that requires it.

No matter how complex it is, attackers can potentially steal a password as it is entered during the login process, as it is entered through a spoof website used for phishing, or by simply stealing it from the authenticating server’s database.

For example, in the infamous Russian hacking case, more than 1.2 billion sets of credentials were reportedly stolen from over 420,000 websites and servers, and no amount of complexity or uniqueness kept those passwords safe.


How Complex Passwords Burden Users and Can Undermine Security

Complex password requirements have also created a significant burden for users, who now face the responsibility of memorizing, writing down, and/or storing lists of all the complex and unique passwords that they use.

Moreover, users must take on the task of entering these passwords whenever they log in, which can be an annoying and difficult proposition when the passwords must alternate between upper case and lower case letters and incorporate special symbols and numbers. It can be especially problematic for users who are connecting through a mobile device, such as a smartphone or tablet, or with a device like a smart TV remote control or gaming console controller. Entering complex passwords with these interfaces and hardware can be difficult and time-consuming, and it can discourage users from creating and using sufficiently complicated or unique credentials. This ultimately defeats the purpose of password security.

As Donna Dodson of the National Institute of Standards and Technology told Wired magazine, “Putting the burden of security on the end-user and making it more complex just doesn’t work. The security has to be usable for the end-user.”


Why Password Managers and Password Generators Are Not the Answer

The burden of creating and using strong and complex passwords has sparked a small industry of solutions designed to make the task easier for users, including password managers and password generators like strong password generators and complex password generators.

Password generators are free tools that automate the creation of a strong, complex password meeting ideal data security requirements. But they do not address the problem of maintaining, memorizing, storing, or retrieving a large number of unique passwords for all the different websites and services that a user accesses.

A password manager is designed to resolve this. The user can subscribe to a free or premium password manager service to create and store strong passwords and then access and retrieve them when they are needed or if the user forgets one of these credentials.

This reduces the need to memorize passwords, but a password will still be entered during the login process for websites and services, which means that the user’s passwords can be stolen through phishing, malware, man-in-the-middle attacks, or SQL injection.

It also means that the passwords will still be stored on a server by the website or service that the user is accessing, and the passwords may be stored on a server by the password manager software as well. Thus, even if the passwords are encrypted when they are stored, an attacker could potentially compromise the server, steal the database of passwords, and use advanced tools to decrypt the data.


How to Achieve Total Login Security with a Simpler User Experience

To achieve total login security and truly strong authentication, the most important step is to physically remove passwords and sensitive credentials from your login process. This removes the credentials that are the prime target of cybercriminals and that they must obtain in order to compromise user accounts and then use them to launch attacks and achieve data breaches. And it also simplifies the login process for users by getting rid of the need to create, store, memorize, remember, or enter passwords or other sensitive credentials.

With public key cryptography and mobile push authentication, developers and data security professionals can deploy advanced technology that uses 2048-bit asymmetric key pairs and a simple mobile app to verify user access. Within seconds, a user can log into a secured website or service with only a non-confidential user ID entered through the login interface and a simple mobile verification step that requires the entry of a 4-digit PIN, a passcode, or a fingerprint scan through a free mobile app.

No password is required, and no sensitive credential is ever entered through the login process, transmitted to a server, or stored on a server. So there is physically nothing for attackers to steal during entry or transit, or by attempting to hack the authenticating server.
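The flow described here, and the distinction drawn earlier between two-step verification and genuine two-factor authentication, can be made concrete with a small challenge-response login. The following is an added example written for this page and is not SecSign ID's code or any FIDO reference implementation: it uses Ed25519 from Go's standard library rather than the 2048-bit pairs mentioned above, the "mobile app" is a plain in-memory struct that stands in for a PIN- or fingerprint-protected key store, and the user name "alice" is a constructed sample value. The point it demonstrates is that the server holds only a public key, the login form receives only a non-confidential user ID, and what crosses the network from the device is a one-time signature over a server-chosen nonce, which is useless if captured and replayed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// loginMessage binds a signature to one user ID and one challenge, so a
// signature produced for one login attempt cannot be reused for another.
func loginMessage(userID string, nonce []byte) []byte {
	return []byte("login:" + userID + ":" + hex.EncodeToString(nonce))
}

// Server is the authenticating server. It stores only non-secret material:
// the user ID and the public key enrolled from the user's device. A dump of
// this state yields no password hash and no shared secret.
type Server struct {
	pubKeys    map[string]ed25519.PublicKey // userID -> enrolled public key
	challenges map[string][]byte            // userID -> outstanding single-use nonce
}

func NewServer() *Server {
	return &Server{
		pubKeys:    make(map[string]ed25519.PublicKey),
		challenges: make(map[string][]byte),
	}
}

// Enroll registers the public half of the key pair generated on the device.
func (s *Server) Enroll(userID string, pub ed25519.PublicKey) {
	s.pubKeys[userID] = pub
}

// BeginLogin is step 1: the user types only a non-confidential ID into the
// login form; the server answers with a fresh random challenge that is pushed
// to the enrolled device. Nothing secret crosses the login interface.
func (s *Server) BeginLogin(userID string) ([]byte, error) {
	if _, ok := s.pubKeys[userID]; !ok {
		return nil, errors.New("unknown user ID")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[userID] = nonce
	return nonce, nil
}

// CompleteLogin is step 2: verify the device's signature over the challenge
// with the stored public key. The challenge is consumed whether or not the
// check passes, so a signature captured in transit cannot be replayed.
func (s *Server) CompleteLogin(userID string, sig []byte) bool {
	nonce, ok := s.challenges[userID]
	delete(s.challenges, userID)
	if !ok {
		return false
	}
	return ed25519.Verify(s.pubKeys[userID], loginMessage(userID, nonce), sig)
}

// MobileApp is the possession factor. The private key never leaves it. In a
// real app the key would be unlocked by a PIN or fingerprint; here, as an
// assumption for the example, it is simply held in memory.
type MobileApp struct {
	userID string
	priv   ed25519.PrivateKey
}

func NewMobileApp(userID string) (*MobileApp, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &MobileApp{userID: userID, priv: priv}, nil
}

// PublicKey is the only thing the app ever sends to the server, at enrollment.
func (m *MobileApp) PublicKey() ed25519.PublicKey {
	return m.priv.Public().(ed25519.PublicKey)
}

// Approve is what happens when the user confirms the push prompt: the app
// signs the challenge and returns the signature, never the key itself.
func (m *MobileApp) Approve(nonce []byte) []byte {
	return ed25519.Sign(m.priv, loginMessage(m.userID, nonce))
}

func main() {
	srv := NewServer()
	app, _ := NewMobileApp("alice") // "alice" is a constructed sample user
	srv.Enroll("alice", app.PublicKey())
	nonce, _ := srv.BeginLogin("alice")
	sig := app.Approve(nonce)
	fmt.Println("genuine device approves login:", srv.CompleteLogin("alice", sig))
	fmt.Println("replaying the captured signature:", srv.CompleteLogin("alice", sig))
}
```

Two design points carry the security argument. First, the challenge is deleted before it is verified, so each nonce authorizes at most one attempt and an attacker who records the signature on the wire gains nothing. Second, the signed message includes the user ID, so a signature obtained for one account cannot be presented for another even if the attacker could somehow provoke an identical nonce.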

This approach delivers two-factor authentication without passwords and without the vulnerabilities that plague most authentication solutions and continue to lead to data breaches and successful cyberattacks.

An ideal example can be found in SecSign ID, a free two-factor authentication solution from SecSign Technologies, the new U.S. subsidiary of SecCommerce, which helped pioneer public key cryptography in Europe.

SecSign ID delivers a comprehensive and completely secure mobile authentication solution that allows developers and organizations to achieve maximum login security with a password-free process that meets FIDO Alliance specifications.

Best of all, when it is deployed for free in the cloud or when it is installed on-premise, on your own architecture and behind your firewall, SecSign ID makes it impossible for attackers to compromise user accounts through hacking, phishing, or malware. And any data protected by SecSign ID can stay exactly where it belongs: on your devices and servers and not in the hands of cybercriminals.

To learn more about SecSign ID, visit the SecSign ID product page to watch an introductory video and learn more details about its security and functionality. To get a free consultation on integrating advanced login security for your website, application, service, or network, visit the Contact page on the SecSign Technologies website. The SecSign ID mobile app can be downloaded for free through iTunes and Google Play, and users can test the login process using the Try It Now page on the SecSign Technologies website.

