Lentis/password1234: Internet Security and Password Culture
- 1 Background
- 2 Password Culture
- 3 Future of User Authentication
- 4 Conclusion
- 5 References
Passwords are a common method of user authentication that allows an individual exclusive access to a resource. The most common form passwords take is a string of alphanumeric characters, usually between 8 and 12, and may include special symbols such as the pound sign (#) or asterisk (*).
Before the digital age, passwords were used in ancient Egypt to encrypt tombs and valuable artifacts. When Egyptians died, they were buried with the Book of the Dead, which held the chants or passwords that would call on the gods to help the deceased overcome all of the obstacles that confront a person in the afterlife.
The first digital password can be traced back to the MIT Compatible Time-Sharing System (CTSS). The CTSS was unique in that it allowed multiple users to utilize the processing power of the IBM 7094 mainframe. The CTSS was also known as the first "breach," where Allan Scherr, a graduate student at the time, exploited a feature of the CTSS to grant him longer access time to computational resources.
Development of authentication
While user authentication has existed since the early days of computers, the manner of authentication has not changed much. Some developments in password security include the use of:
- Security question(s)
- Ex. "What is your mother's maiden name?"
- Ex. Issuing multiple passwords that each have a single identifier, such as p1=pv4OAFx1Q2cQ, p2=DsYfX3Ke.
- Two-Factor Authentication
- Ex. Requiring a bank card and a memorized PIN.
- Zero-knowledge proofs
A Notable Encryption Breach
Heartbleed (April 2014)
Passwords were implemented as a safeguard against unauthorized access to an individual's resources. In order to be effective, passwords need to be complex, difficult to guess, and updated regularly. For the authentic user, however, passwords can be inconvenient. By requiring additional steps to be taken before he/she can get to the task they wish to do, authentication becomes a burden and may result in the user compromising their security for convenience.
When an individual creates a password, they usually follow certain established guidelines. The most common guideline is the password length, which is typically at least 8 characters. The user is encouraged to add complexity by using a variety of different characters such as lower and upper-case letters, numbers, and symbols. To prevent others from guessing their password, users are advised to not use personal information.
The difficulties arise when the guidelines become too restrictive. Some sites require that passwords contain at least one number or symbol, but others forbid them, adding confusion. For example, AT&T does not allow symbols other than the hyphen (-) or underscore (_). Most of these constraints stem from legacy software systems that handled passwords differently and could not process some special characters. This service-side burden is transferred to the user.
Users must consider several factors when creating and remembering their password. The password needs to be complicated enough such that it cannot be compromised by a determined intruder, but not too complicated that the user cannot remember it. This poses a unique challenge, and password psychology examines this intersection of technical security and social constraints. Passwords need to balance the resistance to unauthorized access with the ease of memorization for the user.
The most common issue with passwords is the memory load placed on users. Random strings of letters, numbers, and symbols are effective against brute-force attacks that use dictionaries, but they create passwords that are difficult to memorize. Security experts are starting to understand this challenge and are modifying guidelines accordingly. Although they are encouraged not to use personal information, some sites suggest that common, random words with symbols substituting some of the letters can make strong passwords. The common word aids in the memorization while the symbol substitution adds complexity.
A recurring result of a password that is too complicated is a user forgetting it, causing sites to implement a "Forgot your password" component into their login sections. Retrieval is yet another obstacle users must overcome and compounds the frustration that already comes from forgetting. One way to mitigate this is to change passwords frequently, reducing the likelihood of forgetting, especially for infrequently accessed sites.
Simplification and Reuse of Passwords
Users can take different approaches in order to cope with the memory load. For workstation logins, users sometimes write down their password and stick it to their machine. Some people use a single password for multiple sites, meaning that if one site is compromised, the user's other accounts are also at risk. However, sometimes password reuse is acceptable, so long as the reused passwords are for low-risk accounts, so that effort can be focused on securing high-risk accounts.
Future of User Authentication
Many of the current advancements in authentication technology are along the line of simplification of the authentication process for users. Many aim to reduce the complexity of password culture by making passwords easier to use or remember. Password consolidators like LastPass, OAuth systems implemented by companies like Google, and physical password alternatives like the Yubikey are all attempts by industry at making passwords less of a problem for consumers.
Password managers use software to store all the passwords a user has as a database, which is then stored either locally or in the cloud. Once a password has been added to the database, a user just needs to tell the software to retrieve it, allowing the user to have a long, complicated password that normally could not be memorized. The service allows users to use different passwords for each account, eliminating the dangers of password reuse. To add an extra layer of security, accessing the database typically requires the user to input a password, meaning the user would ideally need to memorize only a single password to be able to log in to all of their various accounts.
The negatives of password managers is that many managers store data in the cloud, meaning there is a risk that the database could be compromised and all your passwords could be available. Additionally, if a user creates several long, complicated passwords, it becomes nearly impossible to log into most of your accounts without direct access to your database software, meaning you would need internet access and would only be able to log in on your own devices.
Key examples of password consolidation software include:
- LastPass: Cross-Platform, cloud-saved password database, accessible through a web interface or various aps and plugins depending on the device.
- KeePass: Cross-Platform (not available on mobile devices), locally-stored password database
- Dashlane: Cross-Platform, cloud-saved (optional) password database
OAuth is a system through which websites can permit users to log in using different services, most notably Google or Facebook. Users log into the service they wish to use, and this service then provides the new website with the requested information, eliminating the need for the user to make a separate account. These systems are generally offered by larger companies with many users and high security, giving users an extra sense of safety by never having to make new accounts on less-secure websites.
The most notable negative side-effect of this system is that, if your primary account is compromised, that user then has access to other websites where you may keep information, or they can use this system to impersonate you on other websites.
The most notable companies that offer OAuth systems for their users include:
- Windows Live
There are two major types of alternatives covered in this chapter, biometric and physical hardware alternatives. Biometric password alternatives are more sophisticated, but are technically more difficult to implement, while physical hardware alternatives use a device that must be carried at all times.
Biometric alternatives use biological properties to authenticate a user on various sites. In many cases, these properties include something like a fingerprint or iris scan, which are considered to be unique for each person. While iris scanning is not used for many commercially available products, fingerprint scanners can now be found in phones and are used as an extra layer of security. Some more unique approaches to biometric security include the Nymi, a bracelet that claims to read a user's cardiac rhythm in order to identify them.
Physical security keys
Physical hardware alternatives are devices that the user carries with them that typically create single-use passwords that cannot be guessed. A popular example is the Yubikey by Yubico, a USB stick that the user inserts which then generates a password.
The key negative aspect of physical hardware alternatives is that users must keep the device with them in order to log in, and if the device is stolen, then the thief would have access to all of the user's accounts that use that device for authentication. Biometric identification is typically more secure, but is more difficult to implement from the provider's end, and can be overly sensitive or easily tricked, depending on the level of specificity set by the creators. Compared to password managers and OAuth, password alternatives are the least-developed of the three, but theoretically provide the greatest security in comparison, as there is technically no "password" that can be guessed or compromised, only a physical device, which is much easier to protect.
Some groups propose a combination of passwords, biometric, and physical security systems, so that the loss of a single system does not constitute a full security breach. An example of this is two-factor authentication. Used by Google in the form of Google Authenticator, a system generates passwords when requested by the user, and the password is only able to be acquired on a separate device, typically a smartphone, and will only work for a short period of time (typically within one minute). This is usually combined with a standard password, giving it a combination of password-based security and a physical alternative.
What can be seen by modern password selection patterns is that people generally prefer convenience over security and will choose that path if offered. The groups and companies creating alternatives to the password recognize this, and attempt to make the password systems that exist today more convenient for use, or attempt to replace this system with a more convenient system. All of these adjustments and changes to the status quo are driven in towards a goal of "convenient security," in which keeping yourself secure online requires little effort thanks to the systems in place.
- Oxford Encyclopedia of African Thought
- Windows: Tips for creating strong passwords and passphrases. http://windows.microsoft.com/en-us/windows7/tips-for-creating-strong-passwords-and-passphrases
- AT&T: Password Tips and Requirements. https://www.att.com/OLAM_PROD_CMS/English/staticContent/html/help_passwd_restrictions_cms.html
- Stack Exchange, Security: http://security.stackexchange.com/questions/1534/why-do-some-websites-and-programs-restrict-password-characteristics
- [Google: Creating a strong password. https://support.google.com/accounts/answer/32040?hl=en]
- Forbes: The problems with passwords. http://www.forbes.com/sites/tomkemp/2011/07/25/the-problems-with-passwords/
- PCWorld: Password Reuse Is All Too Common, Research Shows. http://www.pcworld.com/article/219303/password_use_very_common_research_shows.html
- The Independent: Microsoft: 'You're better off reusing old passwords than creating new ones'. http://www.independent.co.uk/life-style/gadgets-and-tech/news/microsoft-tells-internet-users-that-they-are-better-off-reusing-old-passwords-than-creating-new-ones-9610324.html
- O'Gorman, L. (2003). Comparing passwords, tokens, and biometrics for user authentication. Proceedings of the IEEE, 91(12), 2021-2040.