Password

The most common means of authentication to digital services and devices is the password. A password is used to assure a system or service that the person in question (the claimant) is who they claim to be. Authentication is the verification of a secret (the password) that is associated with an entity at the moment that entity wants to access a service. A password could consist of digits, a combination of letters and numbers, or even special characters, and could be as long as the entity desires.

The Problem

The problem lies in the technology, the process and the users (entities). The technology (services and systems) that uses passwords to authenticate an entity MUST store the password in some form to be able to compare it with the one the entity provides at the point of authentication. If the password is not stored, there is no way the technology could know that the entity is who it claims to be. All the possible ways in which the technology could store the password are vulnerable – all could be broken, it’s just a matter of time:

  • If the password is stored in plaintext, it is as good as no password, since anyone with access to the technology automatically has access to the password. An attacker has 3 possible ways of getting the password: compromise the technology, social engineer the user, or brute force the password.
  • If the password is encrypted, this brings another problem of where to keep the encryption key, as the password MUST be decrypted to authenticate the user. An attacker now has 5 possible ways of getting the password: steal the encryption key, compromise the technology (exploit vulnerabilities in the system), steal the password at the moment it is decrypted to authenticate the user, social engineer the user, or brute force the password.
  • If the password is hashed and only the hash is stored, an attacker still has more than 3 possible ways of getting the password: exploit vulnerabilities in the system, social engineer the user, or brute force the password.
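To make the three storage options concrete, here is an added example (not code from the original post) that keeps one password record in each form and shows what a copy of the credential store yields to whoever holds it. The XOR stream cipher keyed from SHA-256 is a deliberately simple stand-in for a real cipher, and the PBKDF2 round count is an assumed value chosen for the example; the password is a constructed sample.

```python
import hashlib
import hmac
import secrets
from typing import Optional

PBKDF2_ROUNDS = 100_000  # assumption: work factor chosen for this example


# --- 1. Plaintext storage: the record IS the password. ---
def store_plaintext(password: str) -> dict:
    return {"scheme": "plaintext", "value": password}


def verify_plaintext(record: dict, attempt: str) -> bool:
    return hmac.compare_digest(record["value"].encode(), attempt.encode())


# --- 2. Reversible encryption. The toy cipher below (XOR with a SHA-256
#        keystream) stands in for a real one; the point is only that the
#        verifying code needs the key, so store + key yields every password. ---
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def store_encrypted(password: str, key: bytes) -> dict:
    nonce = secrets.token_bytes(16)
    pw = password.encode()
    ct = bytes(a ^ b for a, b in zip(pw, _keystream(key, nonce, len(pw))))
    return {"scheme": "encrypted", "nonce": nonce, "value": ct}


def decrypt(record: dict, key: bytes) -> str:
    ks = _keystream(key, record["nonce"], len(record["value"]))
    return bytes(a ^ b for a, b in zip(record["value"], ks)).decode()


def verify_encrypted(record: dict, attempt: str, key: bytes) -> bool:
    # The password has to be decrypted to compare it, so it exists in memory here.
    return hmac.compare_digest(decrypt(record, key).encode(), attempt.encode())


# --- 3. Salted slow hash: verification without storing anything reversible. ---
def store_hashed(password: str) -> dict:
    salt = secrets.token_bytes(16)  # per-record salt: identical passwords get different hashes
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"scheme": "hashed", "salt": salt, "value": digest}


def verify_hashed(record: dict, attempt: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(record["value"], digest)


# --- What a copied credential store gives its holder for each scheme ---
def recover_from_store(record: dict, key: Optional[bytes] = None) -> Optional[str]:
    """Return the password if the record (plus a leaked key) reveals it, else None."""
    if record["scheme"] == "plaintext":
        return record["value"]
    if record["scheme"] == "encrypted" and key is not None:
        return decrypt(record, key)
    return None  # hashed: nothing to reverse; only guessing remains


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    key = secrets.token_bytes(32)       # the key the encrypting service must keep somewhere
    records = [store_plaintext(pw), store_encrypted(pw, key), store_hashed(pw)]
    for rec in records:
        leaked = recover_from_store(rec, key)
        print(f"{rec['scheme']:>10}: store copy reveals -> {leaked!r}")
```

Running the block prints the password for the plaintext and encrypted records and `None` for the hashed one; the comparison functions use `hmac.compare_digest` so that verification time does not depend on how many leading bytes of a guess are correct.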

The last option seems to be the best and most secure way of handling passwords, but the process and the user remain vulnerable.


The Process and Technology

The process has to do with the mechanism of authenticating with a password. A vulnerable process could help an attacker bypass password-based authentication. The technology must have a way to reset a password when the user forgets it. In most cases, this reset method also relies on another password, one which the service whose password is being reset has no control over. For example, most service providers rely on the user’s email address or phone number to reset the user’s password. The service provider in question cannot control or determine the password rules enforced by the email provider. This means that the actual security of the service depends on the security of the email account and not on the service provider. Also, passwords could be harvested by an attacker through various means that the service provider relying on the password has no control over and cannot mitigate. For instance, a service provider cannot mitigate or prevent an attacker from social engineering a user or even using malware to get their password.


The User

Let’s assume that the technology and the process are good and secure; what about the weakest link – the user? The technology and the process rely on the user to be effective, but the user on which they rely is the weakest of them all. Even if the technology and the process force the user to choose a good password and keep all the necessary rules, they cannot determine whether the user actually complies with those rules. For example, an online service provider that enforces a strong password and stores it securely cannot determine or prevent the user from using the exact same password on another service (password reuse). The service provider cannot prevent or determine whether the user wrote the password down somewhere or even shared it with another person. The only thing that the service provider (technology and process) can do is ensure that the user chooses a certain type of password, perhaps by length and character combination, but it cannot enforce where and how the user uses that same password.

An online service provider that enforces a strong password cannot determine or prevent the user from using the exact same password on another service. It can only ensure that the user chooses a certain type of password.

According to Verizon’s 2017 Data Breach Investigations Report, “81 percent of hacking-related data breaches involve weak or stolen passwords”.

In Conclusion

The earlier you migrate to Passwordless authentication, the better and faster your business and online identity would be rescued from catastrophic breaches.
