Humans are in love with passwords; we just can’t help ourselves. We’ve been having that love affair since humans invented writing, the first computer password was introduced in 1961 at MIT, and we’ve been using them obsessively since. But passwords have become a pain, the love affair is waning and we want a new beau. Finding an alternative is proving difficult. The average Internet user has as many as 17 passwords according to research by The Norwegian Center for Information Security. Some put the figure lower: research on consumer passwords by CSID, for example, says 46% of American adults have ‘over 5’ passwords, some as many as 20. The point is that we use a lot of them.

Finding the right credentials to offer as part of your identity provisioning is a key challenge. Once the identity is issued, these credentials are both the user’s set of keys and an attack vector. The credentials have to be secure, yet highly usable: a design goal of the system should be ease of transaction. Ease of use is the natural bed partner of security, and the two should never be looked at as mutually exclusive.

The password is the default credential for consumers. It is a ubiquitous, naturally understood credential that is likely to be around for some time yet, despite calls for its demise. However, it is arguably the least secure of all credential types. To make passwords more secure, the idea of password policy has been developed. A password policy sets out rules intended to ensure that passwords are strong, together with other rules that constrain the use of the password, such as when passwords should be changed.

Let’s look at the use of password policy for password strength. The obvious step would be to make a password longer and more complex, for example requiring a mix of upper-case letters, lower-case letters and digits. This would make brute force attacks much more difficult to perform. However, password complexity is offset by a number of forces:

  1. In a Ponemon Institute study in April 2013, up to 70% of people (depending on location) were found to forget a password if it was long and / or complex. This puts a lot of strain on online recovery and help desks, especially in mass adopted online systems, for little security benefit.
  2. In another study by Janrain in 2011, when asked whether, having forgotten a password, they would recover it or leave the site, 90% of respondents stated they would just leave the site.
  3. People write down or share passwords: in a study at Berkeley University, at least 40% of respondents at least sometimes, or often, wrote passwords down.

Focusing on password policy will take you down a blind alley that will not improve the security of the identity service, but will add problems of its own, such as an increase in help desk calls and a poor user experience; as Inglesant and Sasse put it,

“this (password policy around reset) does nothing to encourage security awareness, but introduces usability problems which antagonize users” [1]

The main point to remember when thinking about password policy is that password policy will not prevent:

  1. Phishing attacks
  2. Key logging and screen scraping
  3. Attacks on your database

The first two attack vectors are socially engineered; the third has caused massive problems in recent years, with databases being hijacked by hackers. You have a number of ways of protecting credentials held within a database, for example:

  1. Salting: Hackers use something called a Rainbow Table, a precomputed table of the hashes of common passwords. Once they get hold of a database they can use the Rainbow Table to compare and match hashed passwords. To prevent the use of a Rainbow Table (or at least make its use far less effective) you can ‘salt’ a password. That is, you add a unique value for each person to their password and then hash that combination. This is by far the best option, currently, to protect database held credentials from being stolen – it makes the number of combinations so great that the Rainbow Table cannot work effectively.
  2. Slowing Brute Force Attacks: this involves making the hashing process slow and resource intensive. This in turn makes a brute force attack also resource intensive and very slow. However, a solution based on slowing a process down is neither scalable nor practicable, and certainly isn’t future proofed as the technology hackers use becomes ever faster. This method is really not suitable for mass adopted online systems.
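The two mechanisms above, a per-user salt and a deliberately slow hash, are shown together in the following Python example. It is an added illustration written for this page, not code from the article or any product it mentions. It uses PBKDF2-HMAC-SHA256 from the standard library with a constructed record format (`pbkdf2_sha256$iterations$salt$hash`) and a tiny constructed word list; the iteration count is a tunable work factor, and the `needs_rehash` check is the usual way a service raises that factor over time as hardware gets faster.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed parameters for this example (not from the article). The iteration
# count is the "slow hash" work factor; the salt is random and unique per user.
DEFAULT_ITERATIONS = 100_000
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algo$iterations$salt_b64$hash_b64.

    Storing the salt and iteration count beside the hash lets verification
    work for old records after the default work factor is raised.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh per user: same password -> different hash
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "%s$%d$%s$%s" % (
        ALGO,
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt/iterations and compare in constant time."""
    algo, iters, salt_b64, hash_b64 = record.split("$")
    if algo != ALGO:
        raise ValueError("unsupported record format: %s" % algo)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    # compare_digest avoids leaking how many leading bytes matched via timing
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when the record was made with a smaller work factor than the current default."""
    return int(record.split("$")[1]) < iterations


def unsalted_sha256_hex(password: str) -> str:
    """The weak scheme a precomputed table defeats: one plain hash, no salt, no cost."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def precomputed_table(wordlist) -> Dict[str, str]:
    """Defender-side demonstration of a precomputed (rainbow-style) lookup: hash -> word.

    Built over a constructed word list only; it shows why an unsalted hash is
    recoverable by lookup while a salted one is not.
    """
    return {unsalted_sha256_hex(w): w for w in wordlist}


def lookup(stored_hex: str, table: Dict[str, str]) -> Optional[str]:
    """Return the plaintext if the stored hash appears in the table, else None."""
    return table.get(stored_hex)


if __name__ == "__main__":
    # Constructed word list standing in for "common passwords".
    table = precomputed_table(["123456", "password", "qwerty"])

    # Unsalted storage: a single dictionary lookup recovers the password.
    print("unsalted lookup:", lookup(unsalted_sha256_hex("password"), table))

    # Salted storage: two users with the same password get unrelated records,
    # so a table built once cannot be reused across users.
    rec_a = hash_password("password")
    rec_b = hash_password("password")
    print("records differ:", rec_a != rec_b)
    print("verify ok:", verify_password("password", rec_a))
    print("verify wrong:", verify_password("Password", rec_a))

    # A record made with an older, lower work factor is flagged for upgrade on next login.
    old = hash_password("password", iterations=10_000)
    print("needs rehash:", needs_rehash(old))
```

On a successful login a service would call `needs_rehash` and, if it returns True, store `hash_password(password)` in place of the old record, which is how the cost is raised without forcing resets.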

Instead you must take a much more holistic approach to security. Putting all your eggs in the password policy basket only offers false security; you must use it together with other protection mechanisms like anti-phishing and state of the art database security. Nevertheless, used in combinations such as these, passwords can be the friend of digital identity because they are so well known and so usable.

Replacing Passwords, But With What?

Alternatives to passwords are being researched, and there are mechanisms to help with the now widely felt ‘password fatigue syndrome’. For example, you can offer single sign on, or users can opt for password vaults to store their multitude of passwords. The former is currently hardly used within commercial online systems. There is some movement amongst certain governments, such as the UK government’s Verify program, to offer Single Sign On for government services. The technology can handle it: SAML 2.0 has full single sign on and single log out, and OpenID Connect, which is in full release now, is based on the concept of single sign on for the wider internet. But there are real commercial and legal barriers to SSO.

Password vaults have other issues: they create a single point of failure and, let’s face it, are favored more by techies than by Joe Bloggs.

Finding something that is acceptable to a user and yet secure is something the industry has been feverishly pursuing for a while now. Fast Identity Online, more commonly known as FIDO, is an initiative looking into alternative authentication methods, backed by PayPal, Google, Lenovo and Nok Nok Labs. The initiative is looking at ways of using methods such as device authentication or biometrics as a replacement for passwords, which is more user friendly yet retains security. The initiative is working on protocols that achieve this; so far they have based their FIDO Ready certification on two cryptography based protocols, the Universal Authentication Framework (UAF) and Universal Second Factor (U2F) – based on Google’s original U2F protocol. The UAF framework is the one looking to replace passwords with device authentication or biometrics; the U2F protocol supplements passwords with a second factor, thus helping to remove the phishing problem that haunts password use.

Of course the irony is that many of the devices that the protocols utilize are themselves accessed using a password or PIN. Biometric based devices, such as an iPhone 6, have their own problems too, such as reliability: get a small cut on your finger and you can’t use your fingerprint to log in, so it’s back to using your PIN.

Finding an alternative to passwords is one of the industry’s current headaches. It isn’t easily solved. Social federated logins utilizing OAuth 2.0 (or variants of it) or OpenID Connect have opened up some doors for replacing passwords with a federated login system (a sort of SSO), but these are crippled by attitudes towards this type of system, security being cited as the issue. There are pros and cons to offering social federated login as an option instead of the usual username / password, one of them being that the underlying credentials associated with the social login are managed by the social platform. When that platform is something like PayPal or Amazon, who both offer a federated login API, then it is certainly worth considering.

Ultimately, the replacement of passwords needs to bear in mind several pivot points: security, usability, privacy and portability.

[1] Inglesant, P. and Sasse, M. A., The True Cost of Unusable Password Policies: Password Use in the Wild, April 2010.