How Strong Is Your Password?
The security industry has been harping on the strength of user passwords forever. How many times have you tried to set a password only to find out that it is missing this or that, a capital letter here, a number there? We are now moving into territory where some regulations want 16-character passwords! And yet compromised credentials sit squarely in second place on the list of breach causes, right after the social engineering/malware combination. How is that possible? Here are some thoughts on the subject.
A little theory first – currently there are three major ways to authenticate a human. In simple terms, it can be something we know (password, PIN, SSN), something we have (token, phone), or something we are (arguably a variant of "have", but tied to a body part: retina, fingerprint, etc.). The first is by far the easiest to implement, so passwords and PINs have been the way we authenticate to everything, while biometrics were mostly relegated to Mission Impossible-style scenarios.
True multi-factor authentication (MFA) requires at least two mechanisms from different methods (factors), for example a secret keyword combined with a fingerprint scan. Combining two mechanisms that use the same factor is not technically MFA; asking for your mother's maiden name in addition to a password, for example, is two "know" mechanisms. It does offer better security, but not at the same level as true MFA.
So why are we seeing the ever-increasing password complexity requirements? There are several reasons for this, all related to the inherent weaknesses of a password.
- Passwords are static, at least for some period of time, so they are susceptible to snooping.
- Memorable passwords are usually more susceptible to a dictionary attack.
- With an ever-larger Internet presence, we are more likely to reuse passwords, making them more vulnerable.
The industry recognized the weaknesses of password authentication a while ago, and one of the first real MFA solutions was the RSA authentication token. This was a small self-contained device that displayed 6-digit numbers generated by a sequence algorithm known only to RSA. Add a user-selected PIN to it and voila, you have true MFA. It was a great solution, but far too cumbersome and pricey to become mainstream, so it stayed mostly in the banking industry.
Digital certificates were another good attempt at better security. They are sort of a cross between something you know and something you have, but the security they offered was far superior to passwords because they were not vulnerable to the same problems. Their major downfall was the lack of a centralized mechanism for managing them. Public Key Infrastructure (PKI) was a complex, hard-to-implement attempt that ultimately failed to replace passwords.
Fast forward a few years, and we have a game-changing event for the majority of the computing industry – enter the Apple iPhone. That event ultimately ensured that most of us now carry a very capable, network-connected device pretty much at all times. This proved an excellent fit for the authentication problem – it is a lot like a token that we have, at no additional cost! In the past few years many companies have jumped on the bandwagon of creating an "app for that", and there are now several MFA players on the market offering smartphone-based authentication that is supported by many web sites and applications, either for free or at a reasonable cost.
Now is a great time to get more secure! Stay tuned for my next blog post, in which I will share some information on how to set up and use MFA with your mobile device.
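As an added example that is not part of this post: the time-based one-time code that most smartphone authenticator apps generate follows the open standard RFC 6238 (the RSA tokens above use a proprietary algorithm, not this one). The verifier side shows what a server must do beyond recomputing the code: tolerate a little clock drift and refuse a code that has already been accepted. The secret and timestamps are the RFC's published test values.

```python
import hashlib
import hmac
import struct

# Added example, not the post's or any vendor's code: RFC 4226 HOTP and RFC 6238 TOTP
# with a server-side check that tolerates clock drift and rejects replayed codes.

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second intervals since the epoch."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, submitted: str, at: int,
                last_accepted: int = -1, window: int = 1, step: int = 30):
    """Server-side check. Returns the matched counter, or None if the code is rejected.

    The phone's clock and the server's clock drift, so codes for `window` steps on either
    side of 'now' are accepted. Any counter at or below `last_accepted` is refused, so a
    code that was snooped and resubmitted within the window cannot be replayed; the caller
    stores the returned counter as the new `last_accepted` for this user.
    """
    now = at // step
    for counter in range(now - window, now + window + 1):
        if counter <= last_accepted:
            continue
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return counter
    return None


if __name__ == "__main__":
    # RFC 6238 test secret (ASCII "12345678901234567890"); in practice it is a random,
    # per-user secret shared once when the app is enrolled.
    secret = b"12345678901234567890"
    t = 59                                        # RFC test timestamp, counter 1
    code = totp(secret, t)                        # "287082"
    first = verify_totp(secret, code, t)          # accepted -> 1
    replay = verify_totp(secret, code, t, last_accepted=first)  # same code again -> None
    print(code, first, replay)
```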