xkcd 538

The problem

It seems like every week brings a new story about stolen passwords and hacked accounts. This week Twitter locked two million accounts after a password leak was detected and, more tellingly, Mark Zuckerberg had his Twitter and Pinterest accounts hacked. All of this has accelerated concerns that passwords are not a resilient enough method of security, and that their nature makes the problems snowball with time.

One of the problems with passwords is that they represent a trade-off between convenience and security, and convenience will always win. Every new hacking incident produces a list of insecure passwords that shows just how lazy people are when setting their passwords. Take the list of hacked passwords from LinkedIn:

Dr Andres Guadamuz

Most leaked password lists seem to bear a similarity to the above, which serves as a depressing reminder of the state of people’s password management practices. This after decades of relentless campaigns to get us to create more secure credentials, including password checkers at login, and sometimes requirements to constantly change identification.

The problem is quite simply that as our lives are lived online, the number of passwords that we have to manage grows considerably, so the temptation to be lax increases as well. Remembering passwords becomes a real problem, so people end up coming up with similar key words for different services, with surveys indicating that a staggering 55% of people may use the same password for most services. This is great news for malicious hackers: as the number of leaked passwords increases, there is a good chance that a leaked credential is still in use in another service by those affected. Hence the claim that the problem is only getting worse; each leak puts more people in danger.

But the problem does not stop there. Each dump provides more data for password crackers, as this excellent article by Jeremi Gosney explains. Every new leak helps cracking tools become better:

“We crack the passwords so that we can learn about passwords which helps us to crack more passwords, which we can then analyze and use to crack more passwords. We start off with a small amount of data that enables us to crack a small number of passwords. Those passwords then give us some insight into how passwords are created, which enables us to crack more in the future.”

So your credentials become less secure as time goes by, even if they are relatively secure, which sends us into the death spiral of the common password.

Solutions?

There are solutions. In an ideal world everyone would have a different secure password for every single one of their services, but such an expectation is very hard to achieve. Even people who try to do the right thing and create secure credentials can easily forget them, and it becomes confusing, so you may end up having a yellow post-it note on your computer with your password, or you have to write them down somewhere.

A few years ago my Skype account was hacked, and I ended up having to seriously review my password security practices. I now use a password manager; this is software that will keep all your passwords in one place and will help you generate and remember secure credentials. If you are serious about your online security, this is the best solution at the moment. Gosney explains:

“The average person has at least 26 online accounts; IT professionals usually have hundreds. It is absolutely crucial that you employ a good password manager and let your password manager generate a new random password for each of your accounts. And when you do catch wind of a site or service being compromised, always change your password immediately—even if you do not receive an e-mail from the service instructing you to do so.”

But even with a password manager, you really need to identify the most vital accounts, and protect them accordingly. The most important accounts, such as your bank and your emails, should have the strongest possible level of protection. And yes, email is as important as your bank because someone gaining access to your email account will possibly be able to request password changes to almost anything else. I highly recommend having two-factor authentication with your main email provider if possible; in my case this is Google. This can be cumbersome at times, but the peace of mind is worth it. Interestingly, I came to appreciate two-factor authentication through online gaming.

The next tier of accounts may vary for you, but for me it is any electronic commerce service that may have my card on record; these sites have strong unique passwords. The third level is social media and blogs; most of these have strong generated passwords, or strong unique mnemonic passwords.

Then things start getting less secure. There are lots of sites where I really do not care if my password is compromised, so I tend to be considerably more lax, often even repeating a very insecure password I have used for years. These sites include one-off visits, forums, and any place where I assume that the password will eventually leak.

But all of the above only serves to stress the point that passwords are problematic.

Alternatives

There is growing recognition that passwords have had their day, and that we must look at more resilient and smart ways to manage user authentication. Google has announced that it will be looking into password alternatives in Android phones using something called Trust API, which will measure all manner of ways in which you use your phone, as well as some biometric data such as voice and face recognition.

So the main proposal is to use phones to replace passwords, either to require their presence for any transaction, or by the use of biometrics. The Wall Street Journal explains:

“Smartphones make a handy substitute. Like passwords, individual mobile devices are ubiquitous, unique and intensely personal. Unlike passwords, they’re difficult to duplicate—and hackers can’t sell copies of them to all comers in underground forums.”

Another important element could be geolocation. If you are where you are supposed to be, then it is likely that you are who you say you are. This is still problematic, but presents viable options, perhaps when coupled with some other authentication element.

A proposal that I like, and which mirrors my own approach to passwords, is risk-based authentication. This is a system that applies “varying levels of stringency to authentication processes based on the likelihood that access to a given system could result in its being compromised.” So, access to a computer to print a document from your office would produce very low risk, but access from remote locations would be considerably more risky.
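To make the idea concrete, here is an added sketch (not code from any product or from the sources quoted in this post) of a risk-based policy that combines the account tiers described earlier with the location signal. The weights, thresholds, field names and the 900 km/h travel limit are illustrative assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum

class Step(IntEnum):
    PASSWORD = 1       # single factor is enough
    SECOND_FACTOR = 2  # password plus a second factor (e.g. phone prompt)
    DENY = 3           # block and require out-of-band recovery

# Tiers follow the post: 1 = bank/email, 2 = sites holding a card,
# 3 = social media and blogs, 4 = throwaway accounts. Weights are assumed.
TIER_WEIGHT = {1: 40, 2: 25, 3: 10, 4: 0}
MAX_KMH = 900.0       # assumed ceiling: roughly airliner speed
GEO_SLACK_KM = 50.0   # assumed tolerance for geolocation error

@dataclass(frozen=True)
class Attempt:
    tier: int
    known_device: bool
    on_office_network: bool
    km_from_last_login: float
    hours_since_last_login: float

def impossible_travel(a: Attempt) -> bool:
    """True if the user could not have covered the distance in the time."""
    reachable = GEO_SLACK_KM + MAX_KMH * max(a.hours_since_last_login, 0.0)
    return a.km_from_last_login > reachable

def risk_score(a: Attempt) -> int:
    # Unknown tiers fail closed: they are scored like the most sensitive tier.
    score = TIER_WEIGHT.get(a.tier, max(TIER_WEIGHT.values()))
    if not a.known_device:
        score += 30
    if not a.on_office_network:   # remote access is riskier than the office
        score += 15
    if impossible_travel(a):
        score += 50
    return score

def required_step(a: Attempt) -> Step:
    score = risk_score(a)
    if score >= 80:
        return Step.DENY
    if score >= 30:
        return Step.SECOND_FACTOR
    return Step.PASSWORD

if __name__ == "__main__":
    # Constructed sample attempts, not real login data.
    print(required_step(Attempt(4, True, True, 0, 8)).name)        # office print job
    print(required_step(Attempt(1, True, False, 5, 12)).name)      # email from home
    print(required_step(Attempt(1, False, False, 8000, 1)).name)   # far away, new device
```

With these weights a tier-1 account always needs a second factor, even from the office, which matches the advice above to protect email and banking most strongly.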

Concluding

The situation is getting serious enough that we really need to move away from passwords as soon as possible. This will require changes, but with a rise in biometric capabilities in mobile phones, things might be already moving away from clunky password authentication. In the meantime, stay safe.

If anyone wants to join a password manager, here is the one I use.


1 Comment

Alex Pastore · August 8, 2016 at 2:27 pm

Hey Andres
The big question the next few years face is whether the password will survive or if it will be replaced by user-friendly techniques like biometrics based identification or a smartphone based OTP. But the password divorce is all about the future. Today, we are still living with our passwords and have no option but to remember them and use them. In such cases Single Sign-On works great at curing password problems for businesses with multiple web properties and applications.
Alex Pastore
