Bashing passwords as a vulnerable means of online security is quite common these days. Sure, authentication means like biometrics, OTPs and mobile devices do sound fancy and are touted as cornerstones of future security practice. But fundamentally there is nothing wrong with the password paradigm. In fact, it is the weakness of individual passwords that creates the security risk.
In this article, we are going to give you a background to passwords, their philosophical underpinning, and also evaluate the other possible options we have.
Passwords have a long history. They have long been used to access private accounts, applications, documents, databases, websites and more. Even the treasure den in the fabled tale of Ali Baba and the Forty Thieves had a password! The other ways to access such secrets were a body tattoo or possession of a unique seal.
Interestingly, these three ancient methods of verification still represent the fundamental principles of modern authentication:
- What you know — Passwords/PIN
- What you have — Seal/OTP/Credit Card/Tokens
- Who you are — Biometrics/Body tattoos
Combining these three factors is the framework for authenticating access to information or authorising risky transactions. Take a credit card payment: the card represents “what you have” and the PIN represents “what you know”. Combining the two provides greater security than either alone. When any two of the three are used, it is called two-factor authentication. More factors imply higher security, but only if they are independent: two factors that can be stolen together (a phone that holds both the banking app and the SMS OTP, say) add less protection than they appear to.
What is often not discussed is which factors are safer in which contexts. Given the pace of digitization, it is worth discussing the three factors, their types and when each should be used.
Let us trace the movement from password-based authentication to the other factors and see what may be a good framework for keeping consumers and systems safe.
How passwords work
Passwords are stored in a system as hashes.
A hash function is one-way: it maps a password to a fixed-size digest that looks random, but the digest cannot be turned back into the password. It is also deterministic, so the same password always produces the same digest, which is what lets the server check a login.
Let’s take SHA-256, a member of the SHA-2 family, as an example. When we feed it a password, say “ankit8388”, it produces a digest like “96c32e63d785c77d8de8089523a346210d2299a25c349c518dc8bf0181ff911b”. This digest is stored in the database, and with it the website can authenticate me without ever storing my original password.
(Even when the database is hacked, my password is not leaked directly, because the original is never saved. What the attacker gets is the digest, and the next section is about what they can do with it. In practice a password should never be stored as a bare SHA-256 digest: each password should be combined with a unique random salt and run through a deliberately slow function such as bcrypt, scrypt or Argon2, which is what defeats the precomputed tables described next.)
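As an added example (my code, not from the original post), here is the storage step in Python, side by side: the bare SHA-256 digest described above, and a salted scrypt record with constant-time verification. The function names, record format and scrypt cost parameters are my own choices; the article specifies none of them.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example: password storage, unsalted SHA-256 versus salted scrypt.
# Nothing here comes from the article; names and parameters are assumptions.


def unsalted_sha256(password: str) -> str:
    """The scheme described in the text: a bare SHA-256 digest of the password.

    Deterministic and fast, so identical passwords give identical digests and
    one precomputed table cracks every user who chose the same password.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# scrypt cost parameters (assumed values; raise n as hardware allows).
# Memory use is 128 * n * r bytes, i.e. 16 MiB with these settings.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'scrypt$<salt hex>$<digest hex>'.

    A fresh 16-byte random salt per password means two users with the same
    password get different records, so no table can be precomputed.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32,
    )
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        scheme, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record
    if scheme != "scrypt":
        return False
    candidate = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32,
    )
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample: two users who happen to choose the same password.
    pw = "ankit8388"
    print("sha256 user1:", unsalted_sha256(pw))
    print("sha256 user2:", unsalted_sha256(pw))            # identical
    rec1, rec2 = hash_password(pw), hash_password(pw)
    print("scrypt user1:", rec1)
    print("scrypt user2:", rec2)                            # different salts
    print("login ok:", verify_password(pw, rec1))           # True
    print("wrong pw:", verify_password("ankit8389", rec1))  # False
```

The salt is stored alongside the digest in plain view; it is not a secret, its job is only to make every record unique so the attacker must start from scratch for each one.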
How hackers hack passwords
To crack password hashes, attackers precompute tables of hashes for every candidate password in a chosen space, or simply hash candidates on the fly and compare.
For the “ankit8388” password, a table of all strings of lower-case letters and digits of length 9 would contain a match.
This means the attacker has to hash every combination of 26 letters and 10 digits over 9 positions, (10+26)⁹ or roughly 10¹⁴ candidates. That sounds intensive, but against an unsalted fast hash like SHA-256 it is routine: a single modern GPU computes billions of SHA-256 hashes per second and exhausts this space in a matter of hours, and attackers who pool or rent hardware do it faster still.
Further, they rarely need to finish: on average the match turns up about halfway through the search, and common passwords are tried first.
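To make the attack concrete, here is an added example (mine, not from the post) of the attacker’s side in Python. It precomputes a table over a deliberately tiny space (lower-case letters and digits, length 3, so 36³ = 46,656 candidates) that builds in well under a second, recovers a constructed “leaked” hash by lookup, and also walks the space in order to show how far in the match actually arrives. Over length 9 the same loops are exactly the 36⁹ search in the text. The target strings and the salt are constructed for the demonstration.

```python
import hashlib
import itertools
import string
from typing import Dict, Optional, Tuple

# Added example of the attack described above; not code from the article.
# The character set matches the text: 26 lower-case letters plus 10 digits.
CHARSET = string.ascii_lowercase + string.digits


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_table(charset: str, length: int) -> Dict[str, str]:
    """Precompute digest -> candidate for every string of exactly `length` chars.

    Built once, the table answers any number of leaked hashes instantly.
    It only works when the site stores unsalted hashes: a salt changes every
    digest, so nothing in this table matches a salted record.
    """
    table: Dict[str, str] = {}
    for combo in itertools.product(charset, repeat=length):
        candidate = "".join(combo)
        table[sha256_hex(candidate)] = candidate
    return table


def lookup(table: Dict[str, str], leaked_hash: str) -> Optional[str]:
    """Recover the password behind a leaked digest, or None if it is outside the table."""
    return table.get(leaked_hash)


def brute_force(leaked_hash: str, charset: str, max_length: int) -> Tuple[Optional[str], int]:
    """Hash candidates on the fly, shortest first, and stop at the first match.

    Returns (password, number_of_guesses); the count shows how far into the
    space the attacker actually had to go before the halfway-or-sooner hit.
    """
    guesses = 0
    for length in range(1, max_length + 1):
        for combo in itertools.product(charset, repeat=length):
            guesses += 1
            candidate = "".join(combo)
            if sha256_hex(candidate) == leaked_hash:
                return candidate, guesses
    return None, guesses


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidates of exactly `length` characters; 36**9 is the article's case."""
    return charset_size ** length


if __name__ == "__main__":
    table = build_table(CHARSET, 3)
    leaked = sha256_hex("k7z")  # constructed: what a breached, unsalted database would hold
    print("table lookup:", lookup(table, leaked))           # k7z
    salted = sha256_hex("3f9a" + "k7z")  # same password stored with a constructed salt prefix
    print("salted lookup:", lookup(table, salted))          # None
    print("brute force:", brute_force(leaked, CHARSET, 3))  # ('k7z', guess count)
    print("36^9 candidates:", keyspace(36, 9))              # 101559956668416
```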
The point is this:
A password becomes unsafe when it’s too short and simple to guess or crack.
Alternatively, if a user sets a long, complex password, there is a risk the user will note it down somewhere (and that note may reach the wrong hands).
So passwords that are either too simple or too complex can be unsafe in their own ways. That said, the other authentication means available aren’t foolproof either. Let’s get a bit more understanding of the other methods.
Why biometrics and OTPs can’t be the foolproof solutions of the future
The two emerging contenders for future digital authentication are biometrics and OTPs.
Biometrics used alongside a password would indeed enhance security by providing two factors. But used alone, it is not the best bet for the future because it comes with three big problems:
- Unlike passwords, biometric data cannot be stored as a simple hash: two scans of the same finger are never bit-for-bit identical, so the system must store a template it can match approximately. In a breach, that template (or the raw scan, in some systems) is revealed. In one of the biggest data breaches in the US, the fingerprints of 5.6 million government employees were stolen from the U.S. Office of Personnel Management (OPM), handing the attackers raw biometric data.
- If biometric data is ever compromised, there is no reset as there is for a password. You would be prevented from relying on that biometric for the rest of your life.
- Biometric systems are susceptible to spoofing, in which a stolen or reconstructed copy of a biometric trait is presented to the sensor to authenticate the wrong user. In 2013, Jan Krissler, a well-known German hacker, spoofed Apple’s Touch ID on the iPhone 5S within days of its release. He lifted a fingerprint smudge from the phone’s screen and from it made a dummy finger using wood glue and sprayable graphene, which unlocked a phone registered to someone else’s thumb. The same hacker later used high-resolution photos of Ursula von der Leyen, then Germany’s Minister of Defence, to reconstruct her fingerprint and beat fingerprint authentication.
OTP, as an alternate authentication means, has its own set of risks:
An OTP is a one-time password consisting of letters, numbers or symbols that is used to authenticate a user for a single login session or transaction, and it becomes invalid after a short time.
Take the card example from earlier (the card is “what you have” and the PIN “what you know”). For an online card payment the bank additionally sends a code (an OTP) to your registered phone, and the transaction is not approved until you enter it.
So here two factors are used (two-factor authentication), which gives more security. But even this cannot be considered the best security solution, because SMS-delivered OTPs can be intercepted in several ways:
1. Trojan software: the biggest challenge to the OTP factor. Hackers show victims a browser pop-up or ad that looks like an authentic message from the bank and prompts them to download a “security application” or “mobile banking application” on their phone. Once the fake application is installed it intercepts SMS messages, so the attackers read the OTPs sent to the phone. Security expert Brian Krebs described an Android botnet targeting banks in the Middle East that infected more than 2,700 phones and intercepted at least 28,000 text messages; affected customers included those of Riyad Bank, SAAB, AlAhliOnline (National Commercial Bank), Al Rajhi Bank and Arab National Bank.
2. SIM swap/cloning: by procuring a duplicate SIM card in a user’s name, hackers receive the bank’s communications (including the OTPs).
3. Social engineering: hackers call users claiming to be from the bank and ask for the OTP during the call. Unsuspecting users are easy victims of such attacks.
4. SS7 attacks: using flaws in Signaling System 7 (SS7), hackers can listen to private phone calls and read users’ text messages. According to a report in the German newspaper Süddeutsche Zeitung, attackers in Germany intercepted OTPs through SS7 flaws and stole money from customers’ accounts.
All four attacks target the SMS delivery channel. An OTP generated on the device by an authenticator app or hardware token is not exposed to SIM swap or SS7 interception, though it can still be phished from the user by social engineering.
As you just saw, all three authentication methods — passwords, biometrics and OTPs — have their own risks. However, passwords stand out because users can strengthen them dramatically while keeping them easy to remember. So let’s re-examine passwords and see how to improve them, and then explore the Password 2.0 approach.
How passwords can be made more secure
As we discussed earlier, hackers pool resources and precompute hash tables, making simple passwords easy to recover. What could make their life hard? Increase the number of combinations, of course. The usual way of doing this has been to enlarge the set of possible characters:
- Alphabet (lower case and capitals) — 52
- Numbers — 10
- Special characters — 33
So this gives a total of 95 characters, and 95⁹ is about 6,200 times larger than 36⁹. A random 9-character password over this set takes the same attacker thousands of times longer to crack than in the earlier case, turning a search of hours into one of years.
Therefore, from a security person’s point of view, all these rules about mixing character classes are helpful because they keep you safe. But at sign-up, or every time you use the service, they are a huge pain and a turn-off. They are also an eventual security risk: people forget such passwords and so note them down in insecure places, such as desktop files or random pieces of paper.
Introducing Password 2.0 — the Passphrase Approach (the secure and user-friendly password solution)
Now, there is another lever, which seems to have been neglected until now: the length of the password. I could have achieved an even tougher password by simply adding 4 more characters, i.e., a 13-character password, with no restriction on case, numbers or special characters: 36¹³ is about 270 times larger than 95⁹.
This new paradigm is what I call Password 2.0: the passphrase approach. It is easy to remember a passphrase such as “thisisacoolpassphraseforthiswebsite”, and passphrases give a better user experience both at sign-up and at login.
At 35 characters, a table of every lower-case string of that length (26³⁵) is impossible to compute. One caveat: an attacker will not search a passphrase character by character but word by word, so its strength is set by the number of words and how unpredictably they were chosen. A grammatical sentence built from common words is much weaker than 26³⁵ suggests, while a few words picked at random from a large list are genuinely strong. Either way, we can build passwords that are convenient yet secure.
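Here, as an added example that is not part of the original post, is the arithmetic behind this comparison in Python: the keyspace and entropy of each scheme discussed (36⁹, 95⁹, 36¹³ and 26³⁵), how long an attacker takes to exhaust each at an assumed rate of 10¹⁰ guesses per second (my assumption for one modern GPU against unsalted SHA-256; adjust it to your threat model), and the word-based estimate for a passphrase, which is how an attacker actually models one. The 7776-word list size is the Diceware convention and is assumed here, as is the seven-word reading of the article’s example passphrase.

```python
import math
from typing import List, Tuple

# Added example; not from the article. Assumed attacker speed for an unsalted
# fast hash such as SHA-256, roughly one modern GPU. Against a slow, salted
# hash (scrypt, Argon2) this figure drops by several orders of magnitude.
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed Diceware-style word list size.
DICEWARE_WORDS = 7776


def char_keyspace(charset_size: int, length: int) -> int:
    """Candidates for a password of `length` characters drawn uniformly from `charset_size`."""
    return charset_size ** length


def word_keyspace(words: int, dictionary_size: int = DICEWARE_WORDS) -> int:
    """Candidates for a passphrase of `words` words, each chosen uniformly from a list.

    This is how an attacker models a passphrase: by words, not characters.
    For a grammatical sentence of common words the real figure is lower still.
    """
    return dictionary_size ** words


def entropy_bits(keyspace: int) -> float:
    return math.log2(keyspace)


def years_to_exhaust(keyspace: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst case for the attacker; the expected time to a hit is half of this."""
    return keyspace / rate / SECONDS_PER_YEAR


def compare() -> List[Tuple[str, float, float]]:
    """(label, bits, years) for each scheme in the article, same attacker throughout."""
    schemes = [
        ("9 chars, a-z0-9 (the article's ankit8388)", char_keyspace(36, 9)),
        ("9 chars, 95 printable characters", char_keyspace(95, 9)),
        ("13 chars, a-z0-9", char_keyspace(36, 13)),
        ("35 lower-case chars, if truly random", char_keyspace(26, 35)),
        ("7 words as a sentence, upper bound (7776-word list)", word_keyspace(7)),
        ("6 words picked at random (7776-word list)", word_keyspace(6)),
    ]
    return [(label, entropy_bits(k), years_to_exhaust(k)) for label, k in schemes]


if __name__ == "__main__":
    for label, bits, years in compare():
        print(f"{label:52s} {bits:6.1f} bits  {years:12.3g} years")
```

The last two rows are the practical reading of the passphrase idea: even at 35 characters, the article’s example is worth at most the seven word choices it contains, and six words drawn at random from the list already beat a 13-character alphanumeric password.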
Why passwords are crucial
One principle that has to be accepted in a security paradigm is — you will get hacked. This principle is important to remember when choosing one or a combination of the three authentication factors (passwords, biometric or an OTP).
In this context the properties of biometrics are really risky. Because a biometric can never be changed, once compromised it stays compromised for that person’s lifetime. So in a biometric-only world more and more people would become vulnerable over time, and you would inevitably reach a stage where, for part of the population, biometrics are no longer a valid authentication mechanism.
Mobile phones or numbers also cannot be changed frequently or easily, which makes rotating that factor difficult.
Unlike biometrics and mobile numbers (or handsets), passwords can be changed if they are compromised, and quite easily; hence they carry no permanent vulnerability. Another useful property is that the server never needs to keep the password itself, only its hash, so it can check that you know the secret without retaining it.
So while biometric and OTP authentication breaches leave their users vulnerable (for life), passwords breaches always give the users a way to “reset”. Because of their simplicity and cryptographic beauty, passwords will continue to dominate as the higher security layer. And when you add an additional layer of authentication to a password (like biometric or an OTP), you can probably design a more secure system. (In a further article we will go through the best combination given a business use-case)
The Password 2.0 approach — creating strong but easy-to-remember “secret-style” passwords — is a useful tool wherever the password remains the mainstay of the authentication mix. So start thinking of a secure passphrase, because in a modern digital world “a strong secret” will be worth more than any other asset you own.
Signzy is a market-leading platform redefining the speed, accuracy, and experience of how financial institutions are onboarding customers and businesses – using the digital medium. The company’s award-winning no-code GO platform delivers seamless, end-to-end, and multi-channel onboarding journeys while offering customizable workflows. In addition, it gives these players access to an aggregated marketplace of 240+ bespoke APIs that can be easily added to any workflow with simple widgets.
Signzy is enabling ten million+ end customer and business onboarding every month at a success rate of 99% while reducing the speed to market from 6 months to 3-4 weeks. It works with over 240+ FIs globally, including the 4 largest banks in India, a Top 3 acquiring Bank in the US, and has a robust global partnership with Mastercard and Microsoft. The company’s product team is based out of Bengaluru and has a strong presence in Mumbai, New York, and Dubai.
Visit www.signzy.com for more information about us.
Written by an insightful Signzian intent on learning and sharing knowledge.