By: Taylor Armerding, Software Security Expert at Synopsys Integrity Group
No password is secure. With so many password alternatives now available, such as FIDO and password-less authentication, we can get rid of passwords for good.
By now, the litany of exhortations about passwords should be familiar to anybody with an online account:
- Make them long and complicated.
- Use a mixture of letters, symbols, and punctuation.
- Change them every few months.
- Don’t ever — ever! — use the same password for more than one account.
And if you do all those things, not only will you be an outlier (since the majority of users don’t do them), but you will also be more secure than the clueless masses who use “12345,” “admin,” “passw0rd” or the same semi-complicated one for every account they have.
Just not by very much.
No passwords are secure
That’s right. Virtually every expert on the topic has been telling us all for more than a decade — not just during every annual National Cybersecurity Awareness Month — that passwords are a lousy, obsolete way to secure anything online.
Microsoft Chairman Bill Gates promised the demise of passwords more than 15 years ago, at the 2004 RSA Conference, because “they just don’t meet the challenge for anything you really want to secure.”
And it makes less and less sense to rely on them now, when today’s password alternatives are both more secure and more convenient.
It was more than six years ago that the Defense Advanced Research Projects Agency (DARPA), a research and development arm of the Department of Defense (DoD), issued a “broad agency announcement” seeking research proposals for developing biometric authentication through analysis of various activities and behaviours — keystroke patterns, mouse use, sentence structure and use of language — that add up to what the agency calls a “cognitive fingerprint.”
As DARPA put it, “The application is trying to identify you by looking at all available aspects of you, not just a single sensor connected to the device.”
The FIDO (Fast IDentity Online) Alliance has been working since its founding in 2012 to supplant passwords with what it calls “an open, scalable, interoperable set of mechanisms” for secure authentication.
Those mechanisms are designed to go beyond “something you know” (the password) and rely more on “something you have” (token or wearable) and “something you are” (fingerprint, voice, face, iris). Those recognition mechanisms are stored only on the user’s device. Passwords are “shared secrets” that reside on both the device and on a server that, as we all know, can get hacked.
To compromise those non-password authentications, an attacker would have to get physical possession of the device.
Phil Dunkelberger, CEO of Nok Nok Labs and a founding member of FIDO, has said more than once in the past that the username and password paradigm “was never designed for, and is inherently incapable of addressing, the use cases of modern society.”
That doesn’t mean it doesn’t help at all to follow what are considered good password practices. But doing so shouldn’t give you a false sense of security.
“Strong passwords” is an oxymoron
Brett McDowell, former FIDO executive director and now executive director of the Hedera Council, has labelled the term “strong passwords” an oxymoron, no matter if the little bar changing from red to yellow to green makes you feel better when you are creating one.
Complex passwords are little better than simple ones, he has said, because “as long as the password is the key to get us into our accounts, users will be tricked into giving that password to the wrong party.”
Even multi-factor authentication (MFA) that includes passwords doesn’t improve things much. “MFA offers to improve the situation until you recognise that with a single point of failure, it really doesn’t add much to authentication security,” said Tim Mackey, technical evangelist at Synopsys.
Mandatory changes lead to weaker passwords
Experts are also increasingly adamant that the “change your password regularly” mantra needs to be consigned to the dustbin of history. The reason? When people are forced to change their passwords regularly, they tend to use weaker ones. They make small changes to the old ones, which ends up making security weaker, not stronger.
NIST (National Institute of Standards and Technology) eliminated forced password resets as a best practice three years ago.
And security guru, author, and blogger Bruce Schneier denounced a column in USA Today last year that recommended changing passwords every six months. “No, no no—a thousand times no,” he wrote on his blog.
Beyond all that, Mackey notes another reality: “Humans aren’t computers and don’t want to remember different passwords for different sites,” he said. “So we end up with simple passwords meeting the barest of complexity rules — ‘Passw0rd’ anyone?”
And he said online sites make it even worse by having different rules for creating passwords. “Several websites I use don’t allow certain special characters. Clearly those characters posed a problem for their developers at some point, and rather than remediate the blocker, they decided to have the users work within the limitations of their system,” he said.
“This means that users need to remember the password rules for each site, which in turn means they will simplify things to a least common denominator.”
Websites moving toward password alternatives
But, lousy protection or not, passwords haven’t gone away. They remain the primary method of authentication.
Even Andrew Shikiar, executive director and chief marketing officer of FIDO, acknowledges that “passwords persist because they are ubiquitously available across all the devices we use every day — any web service provider can easily add password login functionality to its website.”
That is changing — incrementally but steadily. The latest FIDO standards, known collectively as FIDO2, were designed to be built directly into operating systems and web browsers. About a year ago, they had been built into Windows 10, Google Play Services on Android, and the Safari, Chrome, Firefox, and Edge web browsers.
Since then, Shikiar said, “Microsoft announced in July that users could sign into Azure AD with FIDO2-based password-less sign-in. Just a month later, Google announced that FIDO2 technology has enabled users to get rid of passwords altogether on some devices. We expect that more services will follow a similar path.”
Increased use of FIDO in mobile apps
Walter Beisheim, chief business development officer at Nok Nok Labs, said the use of password alternatives goes well beyond browsers and operating systems. “The majority of FIDO adoption thus far has been in mobile apps, where the transition to password-less support typically does not change the user experience — it only relieves password frustration, while providing better security for consumers,” he said, adding that “the most recent U.S. mobile app solutions have been put in place by recognised brands like T-Mobile and Intuit.”
And McDowell has noted several times in the past that the new authentication model is not only much more secure but is also easier and faster to use.
“Users of FIDO-enabled devices simply verify themselves to that device and then that device cryptographically signs authentication challenges from the online application,” he said, adding that the user can do that with a single gesture — a fingerprint, looking at a camera or speaking a passphrase — which is obviously much easier than tapping a password into a tiny device.
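The shared-secret versus device-held-key distinction drawn earlier, and the challenge-signing McDowell describes here, as an added example in Go that is not code from the article, from FIDO or from any vendor quoted; it uses Ed25519 from the Go standard library as a stand-in for whatever signature scheme a real authenticator uses, and the origin string and the origin-plus-challenge binding format are this example's own simplification of the protocol:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Credential is the server-side record: a public key only, no shared secret
// worth stealing if the server is breached.
type Credential struct {
	Origin string
	Pub    ed25519.PublicKey
}

// Authenticator is the device side; the private key never leaves it.
type Authenticator struct{ priv ed25519.PrivateKey }

// Register generates a key pair on the device and hands only the public half
// to the server, keyed to the origin it was registered for.
func Register(origin string) (*Authenticator, Credential, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, Credential{}, err
	}
	return &Authenticator{priv: priv}, Credential{Origin: origin, Pub: pub}, nil
}

// NewChallenge is the server's fresh random nonce for one login attempt;
// a fresh value each time is what defeats replay of an old signature.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// signedData binds the challenge to the origin the device believes it is
// talking to, so a signature produced for a look-alike site is useless here.
func signedData(origin string, challenge []byte) []byte {
	return append([]byte(origin+"\x00"), challenge...)
}

// Sign is what the device does after the user's gesture (fingerprint, face,
// spoken passphrase): it signs the challenge, and the gesture never leaves the device.
func (a *Authenticator) Sign(origin string, challenge []byte) []byte {
	return ed25519.Sign(a.priv, signedData(origin, challenge))
}

// Verify is the server's check against the stored public key and its own origin.
func Verify(cred Credential, challenge, sig []byte) bool {
	return ed25519.Verify(cred.Pub, signedData(cred.Origin, challenge), sig)
}
```

Note that a copy of the server's table gives an attacker only public keys, so unlike a leaked password database it yields nothing to log in with.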
How to go beyond password basics
But between now and when passwords really become as rare as phone booths, users can and should do a few things beyond the “strong, unique” password basics.
One is to use a password manager, which holds all your passwords in a “container” locked by a master key that only the user knows. That means all you have to do is create one really complex password that you can remember. The manager will also help you create unique passwords for new websites or apps.
And many of them have encrypted sync across devices, which lets users take their passwords anywhere, including their phones.
Mackey has a shortlist as well:
- “We need to eliminate bespoke password complexity rules,” he said. “Allow users to enter any Unicode character and look to the complexity of the password and its length as a measure of security.”
- “Allow users to select which password recovery model works best for them rather than offering a single model that was convenient for an engineering team to write. If this is too much work, SSO [single sign-on] solutions abound and abstract away the complexity rules.”
- If SSO is overkill, “then social media token-based authentication is a reasonable proxy, but if you allow for persistent access, you need to be asking if you really are implementing any level of authentication security.”
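An added illustration of Mackey's first point, in Go; this is example code, not the article's or Synopsys's own, and the blocked characters and the 16-byte cap are constructed stand-ins for the site-specific rules he describes. It contrasts a bespoke-rules check with one that accepts any Unicode and measures length in code points rather than bytes, a distinction that matters as soon as non-ASCII characters are allowed:

```go
package main

import (
	"strings"
	"unicode/utf8"
)

// bespokeBlocklist stands in for the "certain special characters" some sites
// reject (constructed for this example; the article names no specific characters).
const bespokeBlocklist = `'";<>\`

// BespokeCheck models the site-specific rules Mackey criticises: a character
// blocklist plus a short cap measured in bytes, which mis-counts non-ASCII input.
func BespokeCheck(pw string) bool {
	return len(pw) >= 8 && len(pw) <= 16 && !strings.ContainsAny(pw, bespokeBlocklist)
}

// LengthCheck accepts any valid Unicode string and judges it by its length in
// code points, so multibyte characters count the same as ASCII ones.
func LengthCheck(pw string, minRunes int) bool {
	return utf8.ValidString(pw) && utf8.RuneCountInString(pw) >= minRunes
}
```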
With the availability of password alternatives, Beisheim is optimistic that the demise of passwords won’t take too much longer. “It won’t happen with a flip of a switch,” he said. “But look at how quickly the consumer change to Touch ID and Face ID as the standard method for login on mobile apps happened.”