Password- Based Authentication: Vulnerabilities And Alternative Solutions

Shimrit Tzur-David | December 5, 2018

The password has been the staple of authentication for years. While passwords are still very much a part of our information technology landscape, they have been on the decline for more than a decade.

“There is no doubt that over time, people are going to rely less and less on passwords,” adding that passwords “just don’t meet the challenge for anything you really want to secure.” Bill Gates, Microsoft founder

From my days in academia studying the mechanisms that keep our information systems safe, I began taking a keen interest in the glaring weaknesses in standard cryptographic tools. I realized that in order for users to keep their identities and data safe, there would have to be a paradigm shift in the world of IT. The more popular tools would have to be dispensed with and safer, more user-friendly solutions would come into play.

Today, as the CTO of a cybersecurity firm, my team and I continue to develop tools to replace the dying password, incorporating a variety of technologies ranging from push notifications to facial recognition.

 

Passwords are the great chink in the armor.

At the root of all the problems with password-based authentication is a simple fact: Such a system relies on a secret that users must remember and present in order to confirm their identity. This point may seem straightforward enough, but it has serious implications.

The most common issue with passwords is that they tend to be extremely weak. Because we need to create multiple passwords for our many online accounts, people inevitably resort to creating simple passwords they won’t forget. Believe it or not, “123456” and “password” are not secure passwords. A Verizon report on data breaches found that 81% of hacks, perhaps even a majority, resulted from weak and guessable passwords.

“Weak passwords are a crook’s best friend. Make yours long and complex, and change them often – not just on your bank account but on your email and social media, too.”
Jean Chatzky

Another major issue comes in the form of careless practices, such as leaving hard or digital copies of passwords exposed. This trend was given national exposure earlier this year. In January, a photo showing a password to Hawaii State’s emergency alert system posted to an office monitor began circulating the internet.

In addition to risky trends on the side of employees, hackers have also spent years honing malware designed to capitalize on the inherent weaknesses of passwords. Software designed to rapidly guess even complex passwords have been around for at least thirty years. Those relatively primitive programs evolved into more powerful families of viruses such as Zeus and Dyre that use various methods (like Mimikatz) to capture passwords.

Late last year, online image sharing giant Imgur made headlines when it had over a million and a half user passwords stolen from the company database because of weak security protocols. In 2018, flaws were discovered on Intel processors that for years had allowed hackers to gain access to authentication credentials. And the list goes on.

The bottom line: As long as passwords remain the weak link in the chain of security, hackers will find ways of stealing them. Furthermore, demanding that users create tough passwords for all their accounts and change them regularly to keep their identities secure is unrealistic.

“Zero days are overrated.  Credential-stealing
is how you get into networks” Rob Joyce NSA former head of Tailored Access Operations


Enter the alternatives. For years, the industry has been producing a slew of authentication alternatives to replace passwords as the standard. These solutions span the technological spectrum, from biometrics to software tokens. The question is, with so many substantially more secure options available, why are passwords still around?

 

Old habits die hard.

When taking a look at authentication practices today, there are two drivers that are keeping passwords from exiting the stage.

The first driver is cost. Most programs and online tools today come preset with password-based authentication. Many companies have their networks and IT departments set up to support this system of identity management. Revamping authentication protocols often requires time and a large initial investment. Security tokens, for instance, require procuring a device for each individual user. Incorporating biometric technology typically demands acquiring additional pieces of hardware that can cost a business thousands of dollars a pop.

Beyond the financial obstacle, is the issue of user experience, or UX. Network users and administrators alike are simply used to how password authentication works and have made passwords a part of their routine. Introducing a whole new form of securing digital identities is often met with resistance.

 

What does this mean for the future of authentication?

To put it simply, any authentication system that seeks to step up and replace passwords needs to be easier to implement and use than passwords. There are a few candidates that may fit the bill.

SMS-based authentication, long used as a second factor in addition to passwords, is a simple, straightforward method that doesn’t require additional machinery. The problem with SMS authentication is that they leave the user with the same security issues as passwords, of the like of SS7 and SIM Swapping.

Others have pointed to the success of facial recognition. Essentially a form of biometrics, face authentication has been brought into the mainstream market by big tech companies such as Apple with FaceID and Samsung with Intelligent Scan. Facial recognition, however, has been overcome with various “spoofing” methods using photos and video footage, which is why it should always be paired with another authentication factor.

The method that seems most promising is push-based authentication. This password-free, mobile-based system, usually in the form of downloadable apps, does the authentication automatically, only requiring the user to respond to a secured push notification. Additionally, push harnesses the user’s mobile phone as an authenticator, meaning that no secondary devices are needed. You’ve probably seen that Google provides push-based authentication for its suite of online services such as Gmail.

Today, with the dangers of data breach and identity theft firmly in the public awareness, organizations and individuals alike will have to start thinking hard about bolstering their authentication. What companies and private users need to know is that while passwords are becoming more obsolete by the day, there are strong, user-friendly options for replacing this outdated method.