Security Think Tank: Passwords alone are not good enough

In the light of the fact that complex passwords are not as strong as most people think, and that most password strategies inevitably lead to people following them blindly, what actually makes a good password and when is a password alone not enough?

Passwords should be a relic of a bygone era, yet despite well-known shortcomings, the use of password-based authentication remains as ubiquitous as ever. Passwords date back to Roman times – sentries would only allow individuals to pass if they knew the “watchword”, which was circulated daily.

Transposed to the computing world, passwords were introduced in the mid-1960s as a means for multiple users to simultaneously access the Compatible Time-Sharing System (CTSS) developed by the Massachusetts Institute of Technology. Even back then, the lack of password security was apparent, with users able to print the entire list of CTSS passwords.

With the popularity of social media, e-commerce and online banking, the amount of sensitive and critical information accessible online has proliferated exponentially – and so too has the risk of that information being hacked. Yet we have doggedly persisted with using passwords, often as a lone authentication factor, notwithstanding proclamations for well over a decade that the death of passwords is nigh.

Put simply, the purpose of password-based authentication is to validate that the identity belongs to the individual claiming it, and consequently that the individual is entitled to access the given service and carry out specified actions. However, passwords do not provide complete assurance as to an individual’s identity. Moreover, password fatigue has set in.

The chore of remembering countless passwords has led to poor password hygiene, as users opt to re-use passwords across multiple sites. Criticisms typically levelled against passwords include that they are inconvenient and have become overly complex – impeding usability, creating a negative experience for customers and raising the cost for organisations. Moreover, passwords can be guessed and easily compromised by brute force, dictionary attacks, shoulder-surfing and social engineering.

Stronger authentication needed

According to research conducted by the Information Security Forum (ISF), passwords should not be used as the sole authentication factor unless they provide the appropriate level of risk mitigation for the service provided. Passwords should adhere to a minimum number of characters, contain no more than two identical characters in a row, and combine a mixture of alpha, numeric and special characters.
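As an added illustration of the rule set just described (not code from the article or from the ISF), the function below checks a candidate password against each rule: a minimum length, no more than two identical characters in a row, and a mix of alphabetic, numeric and special characters. The article does not give a minimum length, so the value of 12 is an assumption, and the small breached-password denylist is a constructed addition that reflects the article's point that complexity alone is not strength.

```python
import re
import string

# Policy parameters. The ISF guidance quoted above names the rule types but not
# the numbers, so these values are assumptions for the example.
MIN_LENGTH = 12
MAX_REPEAT_RUN = 2  # "no more than two identical characters in a row"

# Constructed denylist of commonly breached passwords (illustrative, not a real list).
# Complexity rules pass "Welcome1!"-style strings; a denylist catches them anyway.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1!"}


def check_password(candidate: str) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []

    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # A character followed by MAX_REPEAT_RUN or more copies of itself (e.g. "aaa")
    # is a run longer than the policy allows.
    if re.search(r"(.)\1{%d,}" % MAX_REPEAT_RUN, candidate):
        problems.append(f"more than {MAX_REPEAT_RUN} identical characters in a row")

    if not any(c.isalpha() for c in candidate):
        problems.append("no alphabetic character")
    if not any(c.isdigit() for c in candidate):
        problems.append("no numeric character")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no special character")

    # Case-insensitive match so "Password" and "PASSWORD" are caught as well.
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("appears on the breached-password denylist")

    return problems


if __name__ == "__main__":
    for pw in ["Tr0ub4dor&3x!!", "Password111!", "Welcome1!", "aaa"]:
        print(pw, "->", check_password(pw) or "OK")
```

The return value is the list of violations rather than a bare boolean so that a sign-up form can tell the user which rule failed; the denylist check is the one that matters most in practice, since the other rules are easy to satisfy with predictable substitutions.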

“As attackers find sophisticated ways to overcome biometric security, it is important to exercise ongoing vigilance and take steps to future-proof modern methods of authentication”
Emma Bickerstaffe, Information Security Forum

In most instances, organisations are likely to require stronger authentication – particularly for high-value transactions – and may choose to replace passwords with an alternative single-factor (biometric attribute, token or card reader, for example) or adopt multi-factor authentication.

Another option is to supplement authentication methods with risk-based authentication, which calculates a risk score for each login attempt based on contextual factors (IP address, time of day and established user profile, for example) and adjusts authentication requirements accordingly.
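The scoring described above, as an added example that is not part of the article: each login attempt is compared with a stored profile of the user's usual networks, hours and devices, the mismatches are weighted into a score, and the score decides whether a password is enough, whether a second factor must be added, or whether the attempt is refused. The profile, the weights and the thresholds are all constructed assumptions; it also extends the text by treating a high-value transaction as a risk signal in its own right, matching the article's later point that such transactions warrant stronger authentication.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed user profile: what previous successful logins have established.
# Networks, hours and device fingerprints are made up for the example.
USER_PROFILES = {
    "alice": {
        "known_networks": [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")],
        "usual_hours": range(7, 20),  # 07:00 to 19:59
        "known_devices": {"laptop-fp-7f3a", "phone-fp-91c2"},
    }
}

# Assumed weights for each contextual mismatch (not a published model).
WEIGHTS = {
    "unknown network": 40,
    "unusual hour": 20,
    "unknown device": 30,
    "high-value transaction": 40,
}

# Assumed thresholds mapping a score to the authentication the attempt must satisfy.
STEP_UP_THRESHOLD = 40
DENY_THRESHOLD = 80


def risk_score(username, source_ip, timestamp, device_id, high_value=False):
    """Score one login attempt; returns (score, list of reasons that contributed)."""
    score, reasons = 0, []
    profile = USER_PROFILES.get(username)

    if profile is None:
        # No baseline at all: treat network and device as unknown.
        for reason in ("unknown network", "unknown device"):
            score += WEIGHTS[reason]
            reasons.append(reason)
    else:
        addr = ip_address(source_ip)
        if not any(addr in net for net in profile["known_networks"]):
            score += WEIGHTS["unknown network"]
            reasons.append("unknown network")
        if datetime.fromisoformat(timestamp).hour not in profile["usual_hours"]:
            score += WEIGHTS["unusual hour"]
            reasons.append("unusual hour")
        if device_id not in profile["known_devices"]:
            score += WEIGHTS["unknown device"]
            reasons.append("unknown device")

    if high_value:
        score += WEIGHTS["high-value transaction"]
        reasons.append("high-value transaction")

    return score, reasons


def required_authentication(score):
    """Translate a score into the authentication decision for this attempt."""
    if score >= DENY_THRESHOLD:
        return "deny"
    if score >= STEP_UP_THRESHOLD:
        return "password+second-factor"
    return "password"


if __name__ == "__main__":
    attempts = [
        ("alice", "203.0.113.5", "2020-03-10T10:15:00", "laptop-fp-7f3a", False),
        ("alice", "203.0.113.5", "2020-03-10T10:15:00", "laptop-fp-7f3a", True),
        ("alice", "192.0.2.9", "2020-03-10T03:05:00", "unknown-fp", False),
    ]
    for args in attempts:
        score, reasons = risk_score(*args)
        print(args[0], args[1], score, reasons, "->", required_authentication(score))
```

Keeping the reasons alongside the score is what makes the decision auditable: a security operations team can see why a given login was stepped up or refused, and the weights can be tuned against real outcomes rather than guessed.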

Selecting the appropriate authentication method for a given service should take account of the risk as well as the customer experience, including ease of use and requirement to use an additional device. The mobile device has quickly become a dominant feature of access control mechanisms, serving as an authentication factor in its own right (something you have) as well as a platform to deliver other authentication factors (a fingerprint or code generated by an authenticator app, for example).

While alternative authentication factors are less fallible than passwords, some caution is still due. The ISF’s Threat Horizon 2020 report warns that biometrics may lull organisations into a false sense of security, particularly since there are no common global security standards for biometrics. As attackers find sophisticated ways to overcome biometric security, it is important to exercise ongoing vigilance and take steps to future-proof modern methods of authentication.

While we may belittle the humble password, it has certainly stood the test of time. From protecting Roman legions in the battlefield to protecting against cyber attacks, perhaps passwords are here to stay.
