“One of the most destructive notions against good and practical IT security is the supposed axiom that security is the opposite of simplicity.” Aviram Jenik, CEO, Beyond Security
A few months ago, Microsoft announced that they are dropping their password expiration policies from their security baseline. Just like that, a policy of mandatory password changing that we held dear for decades was pronounced to be ancient and obsolete.
(Figure: password setting in Active Directory)
This announcement went directly against the fundamental tenets of security best practices that we have known for the last twenty years. Not to mention the fact that most compliance directives, including some of the most dominant security standards, oblige us to implement password expiration.
In my opinion, Microsoft didn’t go far enough. It is not the expiration policies that are obsolete – it’s the whole idea of passwords as the foundation of security that must be put to rest.
We’ve always understood security and usability to have an inverse relationship. Passwords are fundamentally flawed. They offer the worst of both worlds – poor usability and poor security. But what if I told you that by letting go of passwords we can finally make usability and security work together, not against each other?
Psychology of password-choosing, or how do people choose passwords?
Security pros tend to look down on users who use “password” or “12345” as their password of choice.
Troy Hunt conducted a brief analysis of the Sony passwords after the breach and found the results “alarming”:
- Passwords were relatively short (usually 6 to 10 characters)
- Simple (less than 1% had a non-alphanumeric character)
- Predictable (more than a third were in a common password dictionary).
But if “123456” was the clear runaway winner in 2019, with 23.2 million accounts using that easy-to-crack code, maybe there is something wrong with the whole notion of passwords?
The human brain likes simple patterns. So users default to passwords that are easy to remember, inspired by words of personal significance or other memorable patterns. Moreover, attempts to obfuscate or strengthen a password usually follow predictable patterns of their own: a capital first letter, a few letters swapped for look-alike digits, a year or a “!” at the end.
How have we made passwords more secure?
Any IT pro will tell you that users are incredibly creative when it comes to constructing simple passwords that still satisfy the restrictions set by the policymakers. So the IT pros are forever playing cat and mouse with the users: the user finds a way to construct a simple password, the IT pro changes the policy, and round and round they go.
“Nonsense!”, say the security pros, and draw up yet more complex password policies.
Now the password must contain a gazillion characters, a mix of upper- and lower-case letters, and at least three special characters. Since “.FQjpRx]qV^4t=rb” is obviously more secure than “123456”, forcing the user to pick a strong password from the start should finally solve the issue. Or so the thinking goes.
Users can’t remember many complex passwords. They can only remember one at best. So now they reuse the same complex and “secure” password across all the services they use online. What can go wrong there?
The massive credential dumps of the recent years, that’s what.
“The reuse of login credentials, in my opinion, is the greatest security flaw that we have today.” Kyle Milliken
Credential stuffing is becoming an extremely popular modus operandi of cybercriminals, and for good reason: password reuse is the true curse of the complex-password era. And yet security experts tend to play the “blame the users” game, ignoring the fact that it is the security policies themselves that drive users into password reuse in the first place.
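Credential stuffing leaves a distinctive trace in authentication logs: one source address tries many different usernames, roughly once each, and most attempts fail, whereas a brute-force attack hammers a single account and a legitimate user mistypes once and then succeeds. The Go program below is an added example, not code from the original post or from any product: it groups constructed log lines (the ip=/user=/result= layout is made up for this example, as are the addresses and usernames) by source address, labels each address, and lists the accounts that logged in successfully from a flagged address, which is precisely the set of reused passwords that worked and must be reset first.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Verdict summarises one source address.
type Verdict struct {
	Attempts, Failures, DistinctUsers int
	Label                             string // "normal", "credential-stuffing" or "brute-force"
}

// Thresholds are illustrative; tune them to the service's real baseline.
const (
	stuffingMinUsers = 5   // many different accounts from one source
	bruteMinAttempts = 10  // many attempts against a single account
	minFailureRatio  = 0.8 // guessed credentials mostly fail
)

// parseLine reads the constructed "key=value" layout used by this example.
func parseLine(line string) (ip, user string, failed, ok bool) {
	kv := map[string]string{}
	for _, f := range strings.Fields(line) {
		if i := strings.IndexByte(f, '='); i > 0 {
			kv[f[:i]] = f[i+1:]
		}
	}
	ip, user, res := kv["ip"], kv["user"], kv["result"]
	if ip == "" || user == "" || res == "" {
		return "", "", false, false
	}
	return ip, user, res == "FAIL", true
}

// Analyze groups attempts by source address and labels each one.
func Analyze(lines []string) map[string]Verdict {
	type stat struct {
		attempts, failures int
		users              map[string]bool
	}
	stats := map[string]*stat{}
	for _, l := range lines {
		ip, user, failed, ok := parseLine(l)
		if !ok {
			continue // malformed line; a production detector would count these too
		}
		s := stats[ip]
		if s == nil {
			s = &stat{users: map[string]bool{}}
			stats[ip] = s
		}
		s.attempts++
		if failed {
			s.failures++
		}
		s.users[user] = true
	}
	out := map[string]Verdict{}
	for ip, s := range stats {
		ratio := float64(s.failures) / float64(s.attempts)
		v := Verdict{s.attempts, s.failures, len(s.users), "normal"}
		switch {
		case len(s.users) >= stuffingMinUsers && ratio >= minFailureRatio:
			v.Label = "credential-stuffing"
		case len(s.users) == 1 && s.attempts >= bruteMinAttempts && ratio >= minFailureRatio:
			v.Label = "brute-force"
		}
		out[ip] = v
	}
	return out
}

// Successes lists accounts that logged in from a flagged address: the reused
// credentials that actually worked and must be reset first.
func Successes(lines []string, verdicts map[string]Verdict) []string {
	seen := map[string]bool{}
	for _, l := range lines {
		ip, user, failed, ok := parseLine(l)
		if v, flagged := verdicts[ip]; ok && flagged && !failed && v.Label != "normal" {
			seen[user] = true
		}
	}
	users := make([]string, 0, len(seen))
	for u := range seen {
		users = append(users, u)
	}
	sort.Strings(users)
	return users
}

// constructedLog builds the sample lines for this example; it is not real traffic.
func constructedLog() []string {
	lines := []string{
		"2024-03-01T10:00:01Z ip=192.0.2.5 user=alice result=FAIL", // a typo...
		"2024-03-01T10:00:09Z ip=192.0.2.5 user=alice result=OK",   // ...then success
	}
	// 203.0.113.7 walks a leaked username:password list, one try per account.
	for i, u := range []string{"alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"} {
		res := "FAIL"
		if u == "heidi" {
			res = "OK" // heidi reused the leaked password
		}
		lines = append(lines, fmt.Sprintf("2024-03-01T10:01:%02dZ ip=203.0.113.7 user=%s result=%s", i, u, res))
	}
	// 198.51.100.9 hammers a single account.
	for i := 0; i < 12; i++ {
		lines = append(lines, fmt.Sprintf("2024-03-01T10:02:%02dZ ip=198.51.100.9 user=bob result=FAIL", i))
	}
	return lines
}

func main() {
	lines := constructedLog()
	verdicts := Analyze(lines)
	for ip, v := range verdicts {
		fmt.Printf("%-14s attempts=%-3d failures=%-3d users=%-2d %s\n", ip, v.Attempts, v.Failures, v.DistinctUsers, v.Label)
	}
	fmt.Println("accounts to reset:", Successes(lines, verdicts))
}
```

The two labels differ only in the shape of the failures: many accounts touched once each is stuffing, one account touched many times is brute force. In practice the counts are kept per sliding time window and the source key is often a user-agent or ASN rather than a single address, because stuffing tools rotate through proxies; the logic stays the same.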
The Problems with Passwords in general
Security and usability seem to be at an impasse, and businesses don’t know how to resolve the dilemma: they don’t want to make authentication so complicated that their digital services become unusable, yet security must be maintained.
- When humans are tasked with picking a password, too often, they are easy to guess or predict.
- When humans are forced to create passwords that are hard to remember, they’ll write them down where others can see them or resort to password reuse.
- When humans are forced to change their passwords often, they’ll make a small and predictable alteration to their existing passwords, or forget their new passwords.
- The only secure password is the one the user can’t remember, but what good does it do?
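The complexity policy discussed above and the “small and predictable alteration” in the list are two sides of the same problem, and a cracker exploits both with the same handful of rules. The Go program below is an added example, not code from the original post or from any product: it implements a typical complexity check next to a small rule-based mangler (capitalise the first letter, optional leet-speak, append a year or short digit run and a symbol) over a constructed four-word list, and shows that “Summer2019!”, its rotated successor “Summer2020!” and “P@ssw0rd1!” all pass the policy yet collapse to a single dictionary word, while the random “.FQjpRx]qV^4t=rb” does not.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"unicode"
)

// PassesPolicy implements the usual "complex password" rule: at least 8
// characters (ASCII assumed) with upper case, lower case, a digit and a
// special character. It measures shape, not guessability.
func PassesPolicy(pw string) bool {
	var upper, lower, digit, special bool
	for _, r := range pw {
		switch {
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsLower(r):
			lower = true
		case unicode.IsDigit(r):
			digit = true
		default:
			special = true
		}
	}
	return len(pw) >= 8 && upper && lower && digit && special
}

// leet holds the substitutions users reach for first (and crackers try first).
var leet = strings.NewReplacer("a", "@", "e", "3", "i", "1", "o", "0")

func capitalize(w string) string {
	if w == "" {
		return w
	}
	return strings.ToUpper(w[:1]) + w[1:]
}

// Mangle expands one dictionary word into the variants that satisfy
// PassesPolicy while staying memorable: capital first letter, optional
// leet-speak, then a year or short digit run and a trailing symbol.
// Real cracking rule sets are far larger; these few rules already suffice.
func Mangle(word string) []string {
	bases := []string{word, capitalize(word), leet.Replace(word), leet.Replace(capitalize(word))}
	suffixes := []string{"", "1", "12", "123", "1234"}
	for y := 2015; y <= 2025; y++ {
		suffixes = append(suffixes, strconv.Itoa(y))
	}
	var out []string
	for _, b := range bases {
		for _, s := range suffixes {
			for _, sym := range []string{"", "!", "#", "$"} {
				out = append(out, b+s+sym)
			}
		}
	}
	return out
}

// Derivation reports the wordlist entry a password was built from, if any.
func Derivation(pw string, wordlist []string) (string, bool) {
	for _, w := range wordlist {
		for _, candidate := range Mangle(w) {
			if candidate == pw {
				return w, true
			}
		}
	}
	return "", false
}

func main() {
	// Constructed wordlist; a real attack uses millions of leaked passwords.
	words := []string{"summer", "password", "welcome", "monkey"}
	for _, pw := range []string{"123456", "Summer2019!", "Summer2020!", "P@ssw0rd1!", ".FQjpRx]qV^4t=rb"} {
		base, _ := Derivation(pw, words)
		fmt.Printf("%-18s passes-policy=%-5v derived-from=%q\n", pw, PassesPolicy(pw), base)
	}
}
```

The point of the run is the fourth column: the policy says “Summer2019!” and the random string are equally acceptable, but one of them is 256 guesses away from a four-word list and the other is not. Every rule the policy adds becomes another rule in the cracker’s mangling file, which is why complexity requirements never bought the strength they promised.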
Why are passwords always going to be a problem?
No human being can come up with and remember hundreds of uncrackable passwords, one unique password for each service they use. A truly secure password is close to impossible for a human brain to memorize in the first place.
But the more fundamental issue is that what is deemed “uncrackable” today will not remain so tomorrow. Moore’s law ensures that, over time, brute-force attacks can try more guesses per second.
Nowadays, everyday users are challenged not by other humans trying to guess the “secret”, but by computers with far more speed and processing power, which keeps improving.
How to thwart credential stuffing, brute force, and phishing?
Multi-Factor Authentication (MFA) is increasingly accepted as the solution to our current conundrum. Adding factors on top of the password (“something you know”) makes authentication much more secure: “something you have” (a phone or a FIDO key) and “something you are” (biometrics) make it far harder for attackers to get into accounts.
But MFA that is still built on a password remains fundamentally flawed. Passwords are what make credential stuffing, brute force, man-in-the-middle, social engineering and phishing attacks tick. If there is no password to guess, steal or crack, none of these attack methods has anything to work with (provided the factor that replaces it is itself phishing-resistant, as an origin-bound FIDO credential is and a code typed from an SMS is not).
Besides, traditional two-factor solutions are expensive and hard on users. If our reliance on humans and “memorized secrets” is a vulnerability in and of itself, what would happen if we kept the advantages of MFA while removing the password completely?
Enter passwordless authentication.
Passwordless Multi-Factor Authentication (MFA) is an identity verification process that requires a user to provide multiple, mutually independent proofs of identity, none of which is a password. Both usability and security improve as a result: with no passwords to come up with, remember and reuse, there are no passwords to phish, hack or crack.
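The protocol behind a FIDO-style passwordless login, as an added example that is not part of the original post and does not implement the real WebAuthn message formats: the server keeps only a public key per user, sends a random single-use challenge, and the authenticator signs that challenge together with the origin the browser actually connected to, using a key it releases only for the origin it was registered at. The origins, the username and the look-alike domain are made up for the example. There is no shared secret to stuff, a captured assertion cannot be replayed, and a look-alike site that relays the real challenge obtains no signature it could present to the real server.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Authenticator stands in for a security key: one private key per origin,
// never exported.
type Authenticator struct {
	keys map[string]ed25519.PrivateKey
}

// Assertion is what the browser returns to the server: the origin it
// observed, the challenge, and a signature over both. No secret travels.
type Assertion struct {
	Origin    string
	Challenge []byte
	Signature []byte
}

// RelyingParty is the web service. It stores public keys only, so a breach
// of this table yields nothing that can be replayed against any site.
type RelyingParty struct {
	Origin  string
	pubkeys map[string]ed25519.PublicKey // username -> public key
	pending map[string]bool              // outstanding single-use challenges
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{origin, map[string]ed25519.PublicKey{}, map[string]bool{}}
}

// Register creates a key pair scoped to rp.Origin; only the public half leaves.
func (a *Authenticator) Register(rp *RelyingParty, user string) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	if a.keys == nil {
		a.keys = map[string]ed25519.PrivateKey{}
	}
	a.keys[rp.Origin] = priv
	rp.pubkeys[user] = pub
	return nil
}

// Challenge issues a fresh 32-byte nonce and remembers it until it is used.
func (rp *RelyingParty) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[hex.EncodeToString(c)] = true
	return c, nil
}

// signedData binds the challenge to the origin the browser talked to.
func signedData(origin string, challenge []byte) []byte {
	return append([]byte(origin+"\x00"), challenge...)
}

// Sign is called by the browser with the origin it observed. A credential
// registered for another origin is never used (WebAuthn's rpId scoping), so
// a look-alike domain cannot obtain a signature at all.
func (a *Authenticator) Sign(origin string, challenge []byte) (Assertion, error) {
	priv, ok := a.keys[origin]
	if !ok {
		return Assertion{}, errors.New("no credential registered for " + origin)
	}
	return Assertion{origin, challenge, ed25519.Sign(priv, signedData(origin, challenge))}, nil
}

// Verify checks the origin, consumes the challenge, then checks the signature.
func (rp *RelyingParty) Verify(user string, asr Assertion) error {
	if asr.Origin != rp.Origin {
		return errors.New("origin mismatch: assertion made for " + asr.Origin)
	}
	key := hex.EncodeToString(asr.Challenge)
	if !rp.pending[key] {
		return errors.New("unknown or already used challenge")
	}
	delete(rp.pending, key)
	pub, ok := rp.pubkeys[user]
	if !ok || !ed25519.Verify(pub, signedData(asr.Origin, asr.Challenge), asr.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	rp := NewRelyingParty("https://login.example.com") // made-up origin
	var key Authenticator
	if err := key.Register(rp, "alice"); err != nil {
		panic(err)
	}
	c, _ := rp.Challenge()
	asr, _ := key.Sign(rp.Origin, c)
	fmt.Println("legitimate login:", rp.Verify("alice", asr))   // <nil>
	fmt.Println("replayed assertion:", rp.Verify("alice", asr)) // rejected: challenge used
	// A look-alike site relays the real challenge, but the browser reports
	// the look-alike origin and the authenticator has no key for it.
	c2, _ := rp.Challenge()
	_, err := key.Sign("https://login-examp1e.com", c2)
	fmt.Println("phishing origin:", err)
}
```

Two design choices carry the security argument. The server-side table holds nothing a thief can use, so a breach of it produces no credential dump to stuff elsewhere. And the origin is inside the signed data and checked before the signature, so even an attacker who somehow obtained an assertion made for their own domain cannot re-label it for the real one. A passwordless scheme whose second factor lacks that origin binding (a one-time code the user reads out, a push approval) removes the password but keeps the phishing problem.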
By removing the password altogether, we can finally stop the endless tug of war between security and usability.