Years ago, futurists predicted many advances, flying cars, teleportation and a cure for old age to name a few, that would be available by now. We’re still waiting.
We’ve seen yet another prediction that did not quite live up to the expectation: no more passwords. I will not argue that we are stuck with passwords and that other identification technologies will not catch up. However, I believe that passwords will have a prominent role in a holistic approach to access control and security for years to come, be it as a standalone method or in conjunction with other technologies such as biometrics and tokens. Recently, there have been many new initiatives that encourage people to create strong passwords, but most people don’t know why a good password is so important. We’re going to go in-depth into this to find out exactly why we need strong passwords.
It is true that we have made a lot of progress in the field of biometrics, which is essentially a way to verify who you are by using one of your biological or behavioral patterns that we presume to be stable enough throughout your life and hard enough to fake. Fingerprints were in use long before passwords existed, and today they are one of the main contenders to replace them. Fingerprint scanners are affordable and their performance is fast approaching an acceptable level of accuracy. So what is the problem? Why can’t we replace all passwords with fingerprint scanners?
For one, the strongest feature of a fingerprint is also its weakest: you cannot change it. Your fingerprint is great to verify that you are who you say you are, especially if someone is watching while you scan your finger. For example, while you are crossing a border or while a government agent is issuing an ID, an officer will make sure a real person is doing the scan and the algorithm verifies that it matches the person. Your fingerprint impression, which is essentially a picture of your finger or a mathematical representation of it, is anything but secret information. You leave it behind everywhere you go, and once you start using fingerprints as your identity, a large number of systems will have a copy of it, which will be compromised sooner or later. When your password is compromised you can simply change it and get a new one, often without the supervision or help of anyone else. A compromised fingerprint (or any biometric feature), on the other hand, is impossible to change.
Another reason biometrics are not a sufficient replacement for passwords is their accuracy. A password is a binary proposition – you either know it or you don’t. Although biometrics have come a long way, there is always a chance that you could deny entry to someone who deserves it (a false negative, measured by the false rejection rate, FRR) or worse, let someone in who should not be allowed (a false positive, measured by the false acceptance rate, FAR).
Biometric devices come with a “CER” number, the crossover error rate, which indicates the accuracy of the device: it is the point where these two rates (false positives and false negatives) cross over as the matching threshold is adjusted. As small as these numbers are getting these days, they are still larger than zero, which means you don’t want to rely on them if it’s a life or death situation. There is also the added complexity of needing to have access to these physical scanners. You can type your password anywhere, anytime, from pretty much any device. But even with the advancement of mobile devices, we are still a long way from a global standardization of biometrics that will eliminate passwords altogether.
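To make the FAR/FRR trade-off and the crossover point concrete, here is an added example (not code from the original post) that sweeps a matching threshold over constructed match scores and locates the CER; the score values are invented for illustration and do not describe any real device.

```python
# Added example: estimating FAR, FRR and the crossover error rate (CER)
# of a biometric matcher from match scores. Higher score = more similar.
# Genuine = same person, impostor = different person. All numbers below
# are constructed for illustration, not taken from a real scanner.

GENUINE_SCORES = [0.91, 0.88, 0.85, 0.83, 0.80, 0.78, 0.74, 0.70, 0.62, 0.55]
IMPOSTOR_SCORES = [0.15, 0.22, 0.30, 0.35, 0.41, 0.48, 0.56, 0.60, 0.66, 0.72]


def far(threshold, impostor=IMPOSTOR_SCORES):
    """False acceptance rate: share of impostors scoring at or above threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold, genuine=GENUINE_SCORES):
    """False rejection rate: share of genuine users scoring below threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def crossover(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Return (threshold, rate) where FAR and FRR are closest: the CER.

    Every observed score is tried as a threshold, so each step is a point
    where at least one of the two rates actually changes.
    """
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        f_a, f_r = far(t, impostor), frr(t, genuine)
        gap = abs(f_a - f_r)
        if best is None or gap < best[0]:
            best = (gap, t, (f_a + f_r) / 2)
    _, t, rate = best
    return t, rate


if __name__ == "__main__":
    for t in (0.5, 0.66, 0.75):
        print(f"threshold {t:.2f}: FAR={far(t):.1f} FRR={frr(t):.1f}")
    t, rate = crossover()
    print(f"CER at threshold {t:.2f}: {rate:.1f}")
```

Raising the threshold drives FAR down and FRR up; the CER is the single number a vendor quotes for the point where the two meet, and it is never zero on real data.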
If biometrics cannot, or should not, replace passwords, then why do we even need them? The short answer is MFA, or Multi-Factor Authentication. MFA is based on the concept of “Defence in Depth” where, rather than trusting one measure to protect your assets, you defend them with at least two unrelated measures. This means that if one fails, you still have the other one(s) providing protection. To visualize “defence in depth”, think of a medieval castle where you have the dugout trench filled with water (and possibly alligators) on the perimeter. You hope that heavily armored enemies won’t make it through. If they do, you have your six-foot thick, 100-foot tall stone walls. There is often another layer of wall inside the castle and, as a last resort, maybe a secret tunnel to bail out if all else fails.
MFA works in a similar way, using at least two different types of authentication mechanism to authenticate someone. Three distinct types of credentials can be used in MFA: something you know (a password, personal identification number or passphrase), something you have (a hard or soft token or a key) and something you are (biometrics unique to you, such as a fingerprint, retina scan, or palm scan). It is important to note, however, that having two separate passwords or authenticating with both your fingerprint and retina scan is not considered MFA. You need at least one credential from each of two different types to have true multi-factor protection.
We talked about “what you know” and “what you are” earlier, which brings us to “what you have”. The most common thing you have to access private information or an object you want to protect is a key. We are all familiar with the basics of a key: for every door, box, car or safe we have a unique key. We carry it in our pockets and use it to open the door, box, or safe when we need it. We also know losing it is not a pleasant experience, especially if you don’t have a spare copy. Thanks to advancements in cryptography, we have a number of mathematical algorithms that work just like physical keys. These algorithms also come with the added benefit of being information-based, which means that they can be copied, backed up, and regenerated much more easily than a physical key. Keys are a closer match to regular passwords, and in my opinion, a better candidate to replace them altogether. There are, however, still reasons why replacing all passwords with keys is not going to happen any time soon.
In terms of security, cryptographic keys and soft/hard tokens are the best option. If designed and implemented properly, they are virtually impossible to break with today’s technology or with any technology in the foreseeable future. Once you have them, they are reasonably easy to use with 100% accuracy, although managing their lifecycle is more complicated than that of a password. The most obvious reason why keys have not yet displaced passwords is the added complexity and cost they bring. The added costs range from slightly more for software-based keys to significantly more for hard token solutions that need to be sent to each user. The real obstacle is the added complexity of their use. People now need to understand what keys are, where they reside, how they are used, and how they need to be kept secure when they are not in use. The fact that standardization has been slow and various competing vendors have been pushing their own technologies to capture a bigger market share has not helped adoption.
Another difficulty with keys and tokens is that they are harder to manage. Remembering a password is often easier than remembering where you placed your keys, especially when there are many of them. Sometimes malware quietly compromises your key, or your computer crashes and you lose your keys altogether. When you forget your password, the process to get a new one is often quite straightforward and self-directed. Key recovery, on the other hand, often involves manual intervention and, if the key is a hard token, an added cost for reprogramming and physically sending the replacement key. Interestingly enough, we use passwords to protect cryptographic keys and key stores for added protection. Key recovery also depends on setting and remembering a password. When a key or token is stolen, the password protecting it is the only defense left.
To sum up, there are a number of valuable technologies at our disposal today to ensure the security of things we value, be it a sensitive document or our bank account. It is, however, still premature to expect all passwords to be eliminated in the near future. We still rely on them as a simple and scalable way to secure things. Passwords not only protect our social media posts, bank cards and email accounts; they are also part of many advanced encryption and security systems, used in conjunction with keys to defend them against compromise, loss or abuse. In order to strike a good balance between security and convenience, we still need the good old-fashioned password. Once a system is compromised, a good password is often the last line of defense to protect it.