Laziness, carelessness, stupidity, ignorance, naiveté — what do all these have in common? They’re all reasons passwords don’t work and also the reasons we’re still using passwords. People and corporations, small businesses and government agencies, by and large everyone is too lazy to do what’s right when it comes to passwords because what’s right is a pain in the ass. Of course, getting hacked is much, much worse, but that’s where naiveté factors in — it won’t happen to me.
On Internet discussion boards like Fark and Reddit — places where pop culture knows no expiration date — anytime a thread about password security comes up, you’ll invariably encounter this quote uttered by Spaceballs antagonist Dark Helmet:
“So the combination is ... one, two, three, four, five? That’s the stupidest combination I’ve ever heard in my life! That’s the kind of thing an idiot would have on his luggage!”
Luggage in the ’80s, email accounts today. Actually, it’s somewhat unlikely to have 12345 as your password if only because most applications require six or more characters, which is why annual lists of the worst passwords almost always include 123456 in the top 10.
Passwords have been used by humans for millennia; they’re part of our shared culture. But that’s not the only reason we cling to them. We also like them because they’re simple and they’re free — for manufacturers and consumers.
“I think passwords are a part of the culture for most enterprises because they are well understood, easy to use and built in by default,” said Dan Lohrmann, Michigan’s chief security officer. “Other security options often cost more or add complexity. There is an old saying in technology: ‘Whoever writes the draft first wins.’ I think that saying applies to the use of traditional PC passwords.”
The first draft was written when Julius Caesar invented the Caesar cipher, one of the earliest known forms of encryption. Or more than likely, someone a thousand years before Caesar came up with his own method of authentication. The point is that humans are hardwired for authentication and passwords are the easiest, cheapest, fastest solution.
There are a host of wannabe usurpers to the password’s reign. But can any lead the revolution?
Have you ever logged into Facebook from someone else’s computer? If so, you probably had to enter your password and then complete one or more security verifications such as identifying someone in one of your photos or providing the secret answer to a previously agreed-upon question.
Or say you can’t remember your password. PayPal, for example, will call you at the phone number on file and give you a code you must then enter in order to gain restricted access to your account — enough to begin the password recovery process.
These are examples of two-factor authentication. Two-factor authentication is becoming the norm for password security in what amounts to a concession from users to information security officers pleading with them to follow basic password security protocols. Since almost no one follows those protocols, two-factor authentication has become the stop-gap.
Two-factor authentication means simply that authentication requires two means of identification. The current standard is that two of the following three factors must be authenticated:
- something the user knows, such as a password;
- something the user has, such as a mobile phone; or
- something the user is, such as a fingerprint.
“In the past, a lot of the efforts in this area were to find a replacement for passwords,” said Nishant Kaushik, a security blogger and chief architect at identity management firm Identropy. “It was recognized that passwords are bad, but biometrics and other mechanisms were never a good replacement because they all suffered their own flaws, and could not counteract the biggest thing passwords have going for them: They are cheap and convenient. What we are seeing today is a growing movement away from explicit, point-in-time authentication to a recognition model that mixes implicit factors — like device recognition, geolocation and behavioral analytics — with explicit challenges such as passwords, biometrics, OTPs [one-time passwords] and dynamic KBA [knowledge-based authentication] based on identity verification services.”
But Kaushik and other experts know these solutions won’t provide complete security. In fact, they’re not even designed to.
“The core idea is to enable a risk-based model where these factors can be combined in various ways continuously throughout the user’s interaction with an application environment so as to provide continued assurance regarding the identity of the user,” Kaushik said.
Two-factor authentication is a risk-based model. In other words, there’s a level of acceptable loss that people and organizations are willing to take in exchange for somewhat better security with minimally increased complexity.
Not all two-factor authentications are equal, either. Consider how much of your personal data is online, probably mostly on Facebook and maybe LinkedIn. For many users, a quick click on an “about” tab will reveal plenty of information that will defeat simple authentication schemes — things like an email address, date of birth, hometown, current town, spouse’s name and best friend’s name.
“Two-factor authentication appears to be the current norm for applications that are considered more secure,” said Timothy Maliyil, CEO of AlertBoot, a cloud-based data and mobile security company. “Two-factor authentication is nothing new, but using a device such as your cellphone via SMS or an automated call is getting more traction. The belief is that a thief is unlikely to have both your password and your cellphone, so sending a one-time authentication passcode to your mobile phone via voice or SMS text message creates that second factor of authentication.”
But say your mobile phone is stolen and a hacking-minded crook wants to get into your email as well. For the crook, it could be as easy as clicking on “forgot your password?” and plugging in the details you already posted online. If the system uses true two-factor authentication, it might send a code to your mobile phone, which the crook has. If the system merely asks a verification question like where you were born, you could find yourself in a world of hurt in mere minutes.
Biometrics and Beyond
For anyone who has ever watched any science fiction or high-stakes techno-thriller, you know there’s a better solution: biometrics. Fingerprints, retina scans, voice recognition — so why aren’t biometrics replacing passwords? Well, they are, sort of. You probably have a fingerprint scanner on your laptop if it’s relatively new. HP, Dell and others have included facial recognition in their laptops for a while now. But the reality is even if you do have these features, you probably don’t use them. And for those who don’t have biometric devices built into their equipment, the expense and hassle usually don’t justify the results.
Theodore Claypoole is a senior partner at the tech law firm Womble Carlyle and heads its Intellectual Property Practice Group. Claypoole also is co-author of the book Protecting Your Internet Identity: Are You Naked Online? He said biometrics don’t cut the mustard with most Americans for the same reason passwords still do — convenience.
“Protection of consumer transactions tends to be ‘good enough’ two- or three-factor authentication, rather than high-level intense biometric-based multi-factor authentication,” Claypoole explained. “The current magnetic striped card system has worked relatively well for 40 years now, and consumers have not pushed for additional security.”
Claypoole points to a series of reasons why biometric authentication largely hasn’t caught on. “First, changing the entire system would be expensive for everyone, and is therefore resisted by consumers, retailers, banks, processors and the card companies,” he said. “Second, a smarter, more protective system would not be so substantially better than the current operating system that it would be worth the change. Third, tests have demonstrated that American consumers have absolutely no tolerance for hassles and headaches in line at retail stores, especially due to false negatives in biometric security. No one wants to be told that their thumb is not registering as the correct thumb, especially in line at the grocery store with shoppers filling the lane behind you.”
If not biometrics, then what — what will free us from our dependency on passwords? As more devices are of the touchscreen or even motion-sensing variety, most expect to see innovative physical (touch) or gesture-based solutions start to replace the typed-in password.
Windows 8 made headlines with its picture password feature wherein a user preselects a photo from his or her library and assigns shape drawings and/or taps for authentication. A company called PixelPin offers something similar that has a user making four specific taps on a chosen photo.
Google and others seem to be leaning toward a USB security device that companies like Yubico, which Google is rumored to be partnering with, are developing. In fact, Google Vice President of Security Engineering Eric Grosse and Principal Engineer Mayank Upadhyay told IEEE’s Security and Privacy magazine earlier this year that they have something up their sleeve.
“Others have tried similar approaches but achieved little success in the consumer world. Although we recognize that our initiative will likewise remain speculative until we’ve proven large-scale acceptance, we’re eager to test it with other websites. ... We’d like your smartphone or smart-card-embedded finger ring to authorize a new computer via a tap on the computer, even in situations in which your phone might be without cellular connectivity.”
Yubico is fairly well known for its flagship product, the YubiKey, a one-time password device that works on any computer or phone with a USB port. Yubico CEO Stina Ehrensvärd said the company is pursuing affordable hardware authentication.
“The best security practice is to combine a hardware security token with something you know, but this can be a simple four-digit PIN, as used with an ATM,” Ehrensvärd said. “Software-based authentication, including SMS and mobile apps and Google authenticator, offers better security than username/password, but are exposed to mobile malware and are no longer accepted for high-security applications. LCD one-time password hardware tokens offer better security, but are clunky and often fail due to battery problems. Smart cards are costly to integrate, requiring readers, client software and a complex back-end infrastructure. However, as smart cards have proven to offer the best protection for a new generation of malware, Yubico is part of an open standards initiative, removing the cost and complexity for this technology to scale to the mass consumer market.”
In January, Wired reported that Google’s Grosse and Upadhyay are piloting a project that uses a Yubico YubiKey and user authentication ring — literally a ring a user wears and taps on the YubiKey for seamless authentication. But even that might not be enough.
“One of the main limitations of the otherwise-wonderful YubiKey is that it requires someone to have access to a functioning USB port,” said Clay Calvert, director of cybersecurity for IT consultant MetroStar Systems. “For smartphones and tablets — not to mention many public computers — this is not an option. Google also is working on a ring (again, the kind you wear on your finger), which will have functionality similar to a smartcard. These rings can act like proximity cards, like the ones that many of us use to unlock electronically locked doors, and also similar to electronic passes used on toll roads.”
Calvert said ring “readers” could be built into many modern smartphones using a technology called Near Field Communications (NFC). NFC chips are becoming more common in portable devices and could be included in regular computer input devices in the future. “So in theory, one could log in to a system just by putting your hand on the keyboard or mouse,” he said. “The same technology could be used to log into Web pages and other network resources, thus greatly reducing the need for passwords.”
The primary holdup for this method, like so many would-be password replacements before it, is getting website and user buy-in. Groups like the FIDO (Fast IDentity Online) Alliance, which formed last year, aim to help establish standards and interoperability for authentication devices in an effort to provide a workaround for those who hem and haw.
“FIDO takes a unique approach with an open protocol that applies to the existing field of authentication products, methods and standards, making them compatible now and adaptable to future innovations and generations of technologies and products,” said FIDO spokeswoman Suzanne Matick.
Whether it’s FIDO, Yubico, Google or someone else working to replace passwords, will it ever be enough to convince people to switch?
Claypoole said it’s not about providing a better solution. Rather, the security measures we use today — passwords, for the most part — reflect our risk tolerance and desire for simplicity.
“Appropriate security depends on how valuable your transaction is and what other protections are available,” he said. “You can spend millions of dollars on security systems and still never be truly secure, because every transaction and safe-keeping system has flaws, usually at the human level.”
And it’s at the human level where change needs to occur. The technology is already out there.