This post was contributed by a community member. The views expressed here are the author's own.


Passwords Fail to Secure Accounts

Passwords no longer provide much security. New alternatives help secure your ID.

I can't remember the first time I ever had to use a password.  Logic suggests it was probably when I was 15 and opened my first debit-card-linked checking account.  The PIN was effectively a password, albeit a very short and easily guessable (by a computer) password.  It was the early '90s, and it was the only password I needed to remember, so all was well in my world of security.

Password System Breakdown

Fast forward to today, however, and the situation has changed significantly.  The average Internet user has about 25 separate accounts at various sites but only 6 or 7 different passwords, so a significant amount of reuse is going on.  The sheer number of passwords we need to manage prevents us from following best password practices: remembering even a handful of strong, unrelated passwords is hard, which creates an incentive to bend the rules with shorter or easier-to-guess ones.  Together these two effects have caused a near-complete failure of the password as a system of authentication.  If any one company running a site you use has a lax security policy, every site where you reused that password can be compromised too, because the first thing done with a stolen list of usernames and passwords is to try it against other services.

Matters are made worse by the fact that so many companies have had security breaches that the criminals trying to gain access to your information have gathered quite a bit of data about the password choices we make.  PrivacyRights.org reports that since 2005 there have been 3,358 reported breaches, exposing over half a billion records to prying eyes.  By feeding the passwords already stolen into their guessing tools, together with a few common-sense rules for how people vary them, attackers can recover the passwords in a newly stolen database faster than ever before.  The June breach of LinkedIn.com exposed 6.5 million of its users' scrambled passwords (unsalted SHA-1 hashes, which can be checked against candidate guesses at hundreds of millions per second on ordinary hardware).  Within 6 days, 90% of them had been unscrambled, exposing those accounts and any other site where the same password was reused.


New Methods Provide Security

So now that the bad guys have a way to guess our passwords quickly and easily, what can be done?  A few approaches have been taken.  When a computer rather than a person enters the password (a service account, an API key, an SSH key), the common method is a long random secret.  Rather than the 8 to 16 characters suitable for human entry, a secret of 32 or more characters drawn from a cryptographic random number generator is used; no dictionary or mangling rule will ever produce it, and brute force would take longer than the lifetime of the universe.  The strength comes from the randomness, not the length: a long secret made of words or patterns is no safer than a short one.  A truly random secret of that size also stays out of reach as computers get faster, since every doubling of computing power shaves only one bit off its effective strength.

The most tried-and-true way to give human-entered passwords this level of security is two-factor authentication, the method our ATM cards still use today.  Proof of identity is split into two parts that are unlikely to be obtained together: your PIN (something you know) and the physical ATM card (something you have).  A hacker on the other side of the world who knows your PIN still needs the card; a mugger in the park who gets your card still needs the PIN.  The scheme only holds while the two factors cannot be captured together, which is why ATM skimmers pair a magstripe reader with a hidden camera over the keypad.


Many banks and other large corporations have for years issued employees a keychain token that displays a number that changes every minute.  Their servers require not only the password but also the number on the token at the moment of login, so even if someone watches the password being typed, what they saw is useless within 60 seconds.  Modern inexpensive alternatives are already in place for many websites.  Both Google and Facebook now support two-factor authentication using your cell phone as the "something you have" half of the equation.  A text message or a phone app gives you the code to enter; the code is tied to the current time window, and a well-built server accepts each one only once, so a code someone else glimpsed cannot be reused later.  Of the two, the app is the stronger choice: a text message can be read from a lost phone's lock screen or rerouted by an attacker who talks the carrier into moving your number to a new SIM.
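The phone-app codes described above are time-based one-time passwords (TOTP, RFC 6238): a shared secret and the current 30-second time step go through an HMAC, and a few digits of the result become the code; the keychain tokens work on the same principle with a 60-second step.  The Python below is an added example written for this page, not code from the article or from Google or Facebook.  It generates the code on the phone side and verifies it on the server side with the two checks a practitioner cares about: a small tolerance for clock drift, and a "used" set so a glimpsed code cannot be replayed.  The secret is the RFC's published test key, not a real one.

```python
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226 HOTP: HMAC the 8-byte big-endian counter with the shared secret,
    dynamically truncate the MAC to 31 bits, and keep the low `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6, digestmod=hashlib.sha1):
    """RFC 6238 TOTP: HOTP with the counter set to the current time step.
    Google Authenticator uses step=30, digits=6, SHA-1; a 60-second token is step=60."""
    return hotp(secret, int(unix_time) // step, digits, digestmod)


class TotpVerifier:
    """Server side of the check.

    Accepts the code for the current step or one step either side (to absorb
    clock drift between the phone and the server), and remembers which steps
    have already been redeemed so a code cannot be replayed within its window.
    """

    def __init__(self, secret, step=30, digits=6, window=1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self._redeemed = set()  # time steps whose code has already been accepted

    def verify(self, code, unix_time):
        # Reject anything that is not exactly `digits` ASCII digits before comparing.
        if len(code) != self.digits or not (code.isascii() and code.isdigit()):
            return False
        current = int(unix_time) // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter in self._redeemed:
                continue
            expected = hotp(self.secret, counter, self.digits)
            # Constant-time comparison: a plain == would leak timing information.
            if hmac.compare_digest(expected, code):
                self._redeemed.add(counter)
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 test key, used here as a stand-in for the secret a QR code would carry.
    secret = b"12345678901234567890"
    verifier = TotpVerifier(secret, digits=8)
    code = totp(secret, 59, digits=8)           # RFC 6238 vector: 94287082
    print(code, verifier.verify(code, 59))      # True: first use
    print(code, verifier.verify(code, 59))      # False: replay rejected
    print(code, verifier.verify(code, 1000))    # False: expired
```

In a real deployment the redeemed set is pruned to the last few steps and the secret is stored encrypted at rest; the drift window is the one knob to resist widening, since every extra step doubles an online guesser's odds.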

Help for Small Companies and Sites

For many small sites and companies, managing passwords securely is a huge burden.  The potential liability in the event of a breach makes holding the data even more costly, and the staff and infrastructure needed simply to identify users safely cost more than most businesses can bear.  The irresponsible decision many sites make is to do the best they can with the resources available.  The responsible alternative is, rather surprisingly, to pass the buck.  By relying on larger companies that have already paid for the infrastructure of a secure system, smaller sites avoid reinventing the wheel while protecting their users' information by never handling it at all.

The technology is called federated login.  You have probably seen it in use already on the Internet, and even here on Patch.  That "Login with Facebook" button uses Facebook's authentication system (including two-factor authentication, if you have turned it on) to vouch for your identity to Patch, so Patch never has to hold your password at all.  Under the hood these buttons use open standards such as OAuth; what the small site receives is a token proving that the provider authenticated you, never your credentials.

Federated login gives you the convenience of a single password, which can be changed in one place for every site that uses it.  A compromise of that one password can still affect a large number of sites, but at least you have a single place to go to lock things down, and that single account is the one worth protecting with two-factor authentication.  The truly identifying information used to recover a compromised account (birthday, mother's maiden name, cell phone number) only needs to be given to that one provider rather than to every site you interact with, which further guards your privacy.

Things You Can Do

It is a good idea for everyone to do a quick self-audit on security from time to time.  Like everything in technology, the sites you visit change constantly and may offer new, more secure ways of storing (or not storing) your information.  A periodic check lets you take advantage of a more secure option as soon as one appears.

The layman's ranking of login methods, from most secure to least secure:

1.  Log in using an account you already have at a larger site (federated login).

2.  Log in using a password plus a physical device in your possession (two-factor authentication).

3.  Log in using a password longer than 16 characters that mixes symbols, numbers, capitals and lowercase letters.  Avoid words or names.

4.  Log in using a shorter password, keeping the guidelines of #3 in mind.

If you do need to use a password, also keep the following points in mind:

1.  Changing "password" to "p4ssw0rd", or any similar mangling, is a well-known trick that provides little extra security; cracking tools apply those substitutions automatically.

2.  Using a year for the numerical portion of the password actually makes it easier to guess, since years are among the first suffixes a cracker tries.

3.  Capitalizing words in the password, especially just the first letter, doesn't slow anybody down either.

4.  Keyboard-area combinations like "qwerty", "asdf", or "rfvbgtyhn" are already at the top of password-guessing lists.  (You may have to type those out to figure out what I mean.)

5.  Writing down a password, e-mailing a password, or otherwise "saving" it in a plain file on your computer or in your web browser can also leave you open to attack.  If you need to store passwords, use a dedicated password manager that encrypts them under one strong master password.
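The LinkedIn figures earlier and the list of tricks just above are two views of the same fact: a cracking tool takes a short dictionary, applies exactly those manglings (leet substitutions, capitalization, years and short digit or symbol suffixes, keyboard walks), hashes each candidate once, and looks it up against the whole dump at the same time.  The Python below is an added example written for this page, not tooling from the article or from any real attack.  The wordlist and the five "victim" passwords are constructed so it runs offline, and the hashes are unsalted SHA-1 as in the LinkedIn breach; note how the one passphrase that is neither a dictionary word nor a mangling of one survives.

```python
import hashlib
import itertools

# A tiny base dictionary: the kind of words that sit at the top of every leaked
# password list.  Constructed for this example.
WORDLIST = ["password", "welcome", "summer", "letmein", "football"]

# Keyboard walks from the post; real rule sets carry thousands of these.
KEYBOARD_WALKS = ["qwerty", "asdf", "asdfgh", "rfvbgtyhn", "1qaz2wsx"]

# The "leetspeak" substitutions behind p4ssw0rd.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}


def sha1_hex(password):
    """Unsalted SHA-1, the way LinkedIn stored passwords in 2012."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def leet_variants(word):
    """Every way of applying zero or more of the LEET substitutions to word,
    so 'password' yields 'password', 'p4ssword', 'p4ssw0rd', 'p455w0rd', ..."""
    options = [[c, LEET[c]] if c in LEET else [c] for c in word]
    for combo in itertools.product(*options):
        yield "".join(combo)


def mangle(word):
    """Yield the cheap variants a rule-based cracker tries for one base word:
    case changes, leet substitutions, and a year or short digit/symbol suffix.
    Each rule multiplies the dictionary by a small constant; together they add
    only a few thousand guesses per word, negligible against unsalted hashes."""
    bases = set()
    for cased in (word, word.capitalize(), word.upper()):
        bases.update(leet_variants(cased))
    suffixes = [""] + [str(year) for year in range(1950, 2013)]
    suffixes += ["".join(d) for d in itertools.product("0123456789", repeat=2)]
    suffixes += ["!", "1!", "123"]
    for base in sorted(bases):
        for suffix in suffixes:
            yield base + suffix


def crack(leaked_hashes, wordlist=None):
    """Return {hash: plaintext} for every leaked hash hit by a mangled dictionary word.

    Because the hashes are unsalted, each candidate is hashed once and checked
    against all victims at once (a set lookup); with a per-user salt the
    attacker would have to repeat the whole search for every account."""
    remaining = set(leaked_hashes)
    found = {}
    for base in list(wordlist or WORDLIST) + KEYBOARD_WALKS:
        for candidate in mangle(base):
            if not remaining:
                return found
            digest = sha1_hex(candidate)
            if digest in remaining:
                found[digest] = candidate
                remaining.discard(digest)
    return found


# Constructed "breach": what five users chose.  An attacker only gets the
# hashes; the plaintexts are here so the dump can be built offline.
VICTIMS = ["p4ssw0rd", "Summer2012", "Qwerty1!", "Football99", "correct horse battery staple"]
LEAKED_HASHES = [sha1_hex(p) for p in VICTIMS]

if __name__ == "__main__":
    for digest, plaintext in crack(LEAKED_HASHES).items():
        print(digest[:12], "->", plaintext)
```

Four of the five fall to a ten-word dictionary in well under a second of Python; a GPU running the same rules over a real wordlist is what turned 6.5 million hashes into 90% plaintext in six days.  The defence on the site's side is a salted, deliberately slow hash (bcrypt or scrypt) so that each guess costs real time and has to be repeated per account; on the user's side it is a password that is not a mangled word at all.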

With more of our identities being moved online each day, providing a secure method of establishing our identity also becomes more important.
