Per Thorsheim is an independent information security adviser based in Norway. He is the founder and main organizer of PasswordsCon, the first and only international conference on passwords.
In this interview, Thorsheim talks about the complexities involved in keeping strong passwords, offers practical advice for organizations and explores alternatives.
Breaches keep reminding us about the importance of passwords, yet cybercriminals keep using the same tricks to take advantage of the weak ones, and steal information from even the biggest of companies. Why is this still happening?
First of all, it is important to say that very few, if any, of the large user/password database breaches we’ve seen over the past years actually happened because of bad passwords. The initial compromise happened because of SQL injections or a wide range of other software vulnerabilities.
After the initial attack, user databases have been copied by the attackers, and in quite a few cases that data has ended up on public display on various online services.
Although we have observed targeted attacks happening in the aftermath of such large breaches based on leaked credentials, my personal opinion is that such attacks have been both rare and limited in size given the total number of leaked credentials we’ve seen.
So why are these attacks still happening? Well, changing the world cannot be done overnight. A more real-world explanation: there are few risk analysis reports justifying the cost of replacing passwords with presumably more secure solutions.
Sometimes we forget that there will always be breaches. Threats, weaknesses, flaws, errors, vulnerabilities or whatever you’ll name them, they will always be there. Fix one, find two more. Which explains my next answer:
What should organizations do?
Risk analysis. Period. We have to accept a certain annual loss expectancy, and put that into our calculations of maintaining a positive and sustainable business for the future. Rather often we’ll have to face that risk-reducing efforts just don’t make it through the cost-benefit calculations for any organization.
A few years ago I participated in a panel discussion about introducing biometric authentication to ATMs and perhaps even payment terminals. From an isolated monetary view, the current losses for banks in a European country due to ATM fraud were increasing every year. But considering only the cost of replacing them with new terminals that included biometric authentication options, current and estimated future losses would be the most economical option “in the foreseeable future”. And that didn’t include the full costs of changing the entire backend infrastructure to support biometric authentication!
On the other hand, financial authorities and financial institutions in this specific European country didn’t just look at the isolated monetary losses due to ATM fraud. They also included the possible risk and cost of customers losing trust in ATMs, and instead demanding that physical bank offices open up again. As we should all know by now, running a staffed branch office is quite a bit more expensive than having ATMs and a smartphone app do the job for you.
With that in mind, and the risk of customers losing trust in any service you provide, current estimates said that biometric authentication could very well start appearing in ATMs over the next 5-10 years.
Businesses need to do their risk analysis properly, and at some point loss of public trust in products and services provided should become part of the equation. Obviously this is not something that can be done overnight.
Having said that, I fully encourage businesses to look for quick fixes that will increase security as well as usability regarding passwords. Perhaps one of the first recommendations should be to actually crack all passwords of employees and customers, to better understand current risks of online and offline password attacks? I’ve seen way too many organizations that have no clue whatsoever about their exposure of online login prompts to simple online password guessing.
It’s popular opinion that a strong password in combination with two-factor authentication and a password manager is a winning combination. Do you agree?
Yes, but regretfully it is a solution that in most cases requires at least some technical knowledge, as well as increasing cost for both service provider and user. Not to forget that it also increases complexity and the risk of design errors, flaws and vulnerabilities that can be exploited.
I really do not believe technology to be the perfect replacement for human weaknesses in most cases, and I still recommend writing down most of your passwords on a piece of paper that you keep at home. Definitely hard to get remote access to, compared to any electronic password manager available out there.
How can organizations make employees choose security over convenience?
By making security more user friendly. To me that doesn’t have to be a contradiction. Security must support the business strategy of the organization, not fight against it. Ask yourself the following question: “Would you accept increasing the minimum length of your password to 12 characters, if you were allowed to change your password only once every 13 months?”
Lowering the change frequency increases our ability to learn and remember our password, and a reasonable tradeoff is to increase the minimum length. As a bonus an organization would financially benefit from lower “forgotten password” helpdesk inquiries and increased productivity among staff.
Plans of changes to security should be subject to usability testing with affected end-users before they are eventually developed and deployed to the organization. Perhaps a radical thought to actually involve end-users, but without their support security will lose for sure.
Is there a viable alternative to passwords coming in the near future?
NO. There are many alternatives available, but to me they are not replacements in most cases, only ways of either simplifying or hiding passwords for the end user. At the base of most software available today, a username and password is what authenticates us. Everything else is usually implemented as an additional layer between the user and whatever application, database or operating system he or she authenticates to.
What type of technology could make them disappear while making users more secure?
Well, biometrics of course, and other types of 2-factor authentication. Current 2-factor options available for well-known services such as Facebook and Google are easy to configure for those who know how to, and don’t add any additional cost or time for most users.
Through my own work and with PasswordsCon especially, we’ve seen many great efforts to simplify, improve and perhaps get rid of all those pesky passwords. Still, most of us have more passwords than ever before, and that number keeps growing every year.
A simple step would be to simplify even more the process of configuring 2-factor authentication across large services, and to promote Single Sign-On or password synchronization across internal systems in large organizations. After all, most organizations seem to have only one password policy, but tens, if not hundreds, of different implementations of it. Doesn’t really appear user friendly or in line with business strategies of streamlined processes, does it?