
Passwords : Can they ever be strong enough?

Your Expert Witness

Andy Kemshall, SecurEnvoy’s technical director and co-founder, looks at how passwords work and offers his advice for strengthening them.

Get Safe Online Week, which ran at the beginning of November, is an annual event to raise awareness of internet safety issues. It got me thinking - with most of us logging on (the technical term is authenticating) to the internet to access various websites and applications, often with just a user name and password, can we ever be safe online? Is a password enough? Well, this is my view on the subject.

I suppose the best place to start is by answering the question, “what is a password?”

Simply, it’s a method of linking your digital identity with your real identity by authenticating something you know. There are actually three known ways to do this:

- something you know, such as a password
- something you own, such as keys and credit cards, and
- something you are, such as a fingerprint or DNA, also referred to as biometrics.

A password is basically a single factor authentication based on the first method.

The issue, as I see it, is that there is no such thing as an uncrackable password. This is especially true once you’ve used it online as, effectively, you’ve broadcast it publicly.

Criminals employ a number of methods to capture these ‘keys’ to our identities:

- They guess the password: the human brain likes to associate passwords with easy-to-remember things, like dates, names, hobbies, etc. This information can be found on social media sites and used to guess a password quickly. This technique is very fast, but a complex password makes it much harder, and perhaps impossible.
- Shoulder surfing: this is when someone watches you enter your password, such as on a train or from the next table. Again it is very fast, but the hacker has to be close.
- Keystroke logging: this is the virtual equivalent of shoulder surfing, using software installed on your PC that monitors the keys pressed and sends them back to the hacker. It could also be a small hardware device plugged into your PC, in line with the keyboard cable, recording all keys pressed. Again, a quick cracking method, but the hacker either needs physical access to your machine or needs the software installed, typically via malware or a virus.
- Screen scraping: similar to keystroke logging, this takes copies of the screen instead of the keys pressed. It is used when passwords, PINs or other logons require you to click on-screen keyboards or interact with graphics displayed on the screen.
- Just ask: a simple but effective technique where the fraudster calls you, claiming to be from a trusted source, and simply asks you for your password. You’d be surprised how many people are duped by this method!
- Phishing: an email is sent that convinces you to log in to a bogus web site and enter your password. Very quick, and why our advice is never to click on a link.
- Brute force attack: a program runs through all possible combinations until the correct password is found. Modern programs can check up to 100 million passwords per second; they start with a dictionary of all known words and then try all combinations of numbers and characters. This method can take a long time, depending on password strength.

There are obviously some methods that you can take steps against but, with brute force or guessed attacks, password strength really is the key.

What is a strong password?
A fictitious word or phrase will take longer to crack. For example, at 100 million checks per second (which is achievable with automation), a truly random password would take the following time to crack:

Password length   Tries per second   Time to break
4                 100 million        0.16 seconds
6                 100 million        11.4 minutes
8                 100 million        32 days
10                100 million        365 years
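
The table above is the exhaustive-search time for a 64-symbol alphabet (64^4 guesses at 100 million per second is 0.17 seconds, 64^10 is about 365 years). The following added example, which is not from the original article, reproduces that calculation and generalises it to other alphabet sizes and to the equivalent strength in bits; the alphabet sizes listed are constructed for illustration, and the 100 million guesses per second figure is the article’s own.

```python
import math

# The article's figure for an automated cracker: 100 million guesses per second.
GUESSES_PER_SECOND = 100_000_000

# Constructed alphabet sizes for illustration. The article's table matches a
# 64-symbol alphabet (e.g. upper and lower case, digits and two punctuation marks).
ALPHABETS = {
    "digits only": 10,
    "lowercase letters": 26,
    "letters and digits": 62,
    "article's 64-symbol set": 64,
    "all printable ASCII": 95,
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Strength of a uniformly random password, in bits."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int,
                       rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second.
    On average the attacker finds the password after half this time."""
    return keyspace(alphabet_size, length) / rate


def human_duration(seconds: float) -> str:
    """Render a duration in the largest sensible unit, as the article's table does."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.2f} seconds"


def crack_time_table(alphabet_size: int, lengths=(4, 6, 8, 10)):
    """Return (length, bits, worst-case seconds, human-readable) rows."""
    rows = []
    for n in lengths:
        secs = seconds_to_exhaust(alphabet_size, n)
        rows.append((n, entropy_bits(alphabet_size, n), secs, human_duration(secs)))
    return rows


if __name__ == "__main__":
    for label, size in ALPHABETS.items():
        print(f"\n{label} ({size} symbols):")
        for n, bits, _, human in crack_time_table(size):
            print(f"  length {n:2d}  {bits:5.1f} bits  {human}")
```

Two things the table alone does not show: each extra character multiplies the work by the alphabet size, so length matters far more than swapping a letter for a symbol, and the numbers assume a truly random password; a dictionary word or a date is found long before the keyspace is exhausted.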

Research confirms that most users can remember four characters of a complex password very easily. The problem is, when this is extended to five and over, it dramatically falls off. Unfortunately hardly anyone is able to remember a six character complex password or greater.

Can technology help?

Clearly it is impossible to remember multiple complex passwords, especially if they are longer than eight characters, and writing them down defeats the object. That said, you’d be amazed how many offices I’ve visited where people have their complex code written on a post-it note and stuck to their screens.

One option is to hold them securely in a password vault. However, even this is fallible: if the authentication to this store is compromised, then the hacker has the keys to the kingdom, and all your separate passwords have been compromised in one fell swoop! Additionally, given that a used password is effectively publicly known, and therefore effectively compromised, there seems little point in storing it for re-use later!

Are passwords the only option?
The password, on its own, does not provide a viable solution for user authentication if we want to be 100% secure.

If you recall, at the start of this article, I outlined three ways to authenticate someone - something you know, something you own or something you are.

Combining two of these methods gives a stronger level of authentication. The term two factor authentication was derived from this principle, which we all use in our day-to-day life when paying with chip and PIN. Some banks have recently adopted this method, such as HSBC’s Secure Key.

I’d also like to clarify, at this point, that entering certain characters from a memorable phrase does not constitute two-factor authentication - it’s still something you know so it’s just duplicating something you know!

However, this can be expensive for organisations to administer and manage.

The challenge is how to achieve this without requiring expensive hardware devices. It can be very frustrating if you want to transfer some money from your account and your authentication device (the Secure Key) is somewhere else. There is also the problem of which logon environments will be supported, especially as flexibility is the name of the game: I can’t be the only one who wants to be able to use my laptop, tablet or even my mobile phone and flit between them depending on where I am and what I’m doing.

The third method (something you are) clearly needs hardware scanners and, at the moment, really isn’t a practicable solution.

Tokenless Authentication
With almost all of us having a mobile phone, and over five billion of them in use today, the phone makes the ideal second factor for a tokenless two factor authentication solution.

The phone can be used to receive a one-time passcode via SMS that is entered along with a PIN to give a much higher level of security. Sending a new passcode as soon as the old one has been used eliminates any signal loss or delivery delays that may be associated with SMS delivery. It also acts as a warning: if I haven’t logged into my bank account and my phone gets a new message, I know that someone else has tried, and I can let the bank know.
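
The server side of the scheme just described, as an added example that is not SecurEnvoy’s code or any product’s implementation: a PIN (something you know) is checked together with a single-use SMS passcode (something you own), a passcode that has been used or has expired is rejected, and the next passcode is sent the moment the current one is consumed. The `send_sms` callback standing in for an SMS gateway, the six-digit code length, the five-minute validity window and the five-failure lockout are all assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Optional

DIGITS = "0123456789"


class SmsOtpAuthenticator:
    """Toy server side of PIN + SMS passcode login (example code, not a product's).
    The passcode is single-use and time-limited, and the next one is issued as
    soon as the current one is consumed, so delivery delay never blocks a login."""

    def __init__(self, pin: str, send_sms: Callable[[str], None],
                 code_digits: int = 6, ttl_seconds: int = 300,
                 max_failures: int = 5):
        # Store only a salted PBKDF2 hash of the PIN, never the PIN itself.
        self._salt = secrets.token_bytes(16)
        self._pin_hash = self._hash_pin(pin, self._salt)
        self._send_sms = send_sms          # stands in for an SMS gateway (assumed)
        self._digits = code_digits
        self._ttl = ttl_seconds
        self._max_failures = max_failures
        self._failures = 0
        self._code: Optional[str] = None   # the passcode currently valid
        self._issued_at = 0.0
        self._issue_next_code()

    @staticmethod
    def _hash_pin(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def _issue_next_code(self) -> None:
        # Pre-load the next passcode now; never reissue the one just consumed.
        while True:
            code = "".join(secrets.choice(DIGITS) for _ in range(self._digits))
            if code != self._code:
                break
        self._code = code
        self._issued_at = time.time()
        self._send_sms(code)

    def verify(self, pin: str, code: str, now: Optional[float] = None) -> bool:
        """True only if BOTH factors check out. Both factors are always
        evaluated and a single False is returned, so the caller learns
        nothing about which one failed."""
        if self._failures >= self._max_failures:
            return False                    # locked after too many bad attempts
        now = time.time() if now is None else now
        pin_ok = hmac.compare_digest(self._hash_pin(pin, self._salt), self._pin_hash)
        code_ok = (self._code is not None
                   and hmac.compare_digest(self._code, code)
                   and now - self._issued_at <= self._ttl)
        if pin_ok and code_ok:
            self._failures = 0
            self._issue_next_code()         # consumes the code: replay is impossible
            return True
        self._failures += 1
        return False


if __name__ == "__main__":
    inbox = []                              # constructed stand-in for the user's phone
    auth = SmsOtpAuthenticator(pin="2468", send_sms=inbox.append)
    first = inbox[-1]
    print("wrong PIN, right code:", auth.verify("0000", first))   # False
    print("right PIN, right code:", auth.verify("2468", first))   # True
    print("replay of used code:  ", auth.verify("2468", first))   # False
    print("messages sent so far: ", len(inbox))                   # 2
```

The warning property the article describes follows from the design: a passcode is only ever sent in response to a successful login, so an unexpected message on the phone means a login happened that the owner did not perform. The lockout counter is the usual defence against someone who holds the phone but not the PIN simply trying PINs against the current code.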

So, to go back to my first question, can a password ever be strong enough? I don’t think so, no. But, when there’s a perfectly workable alternative, shouldn’t the organisations that want to interact with me try harder to keep me safe online?

For more information visit www.securenvoy.com

Andrew Kemshall is the Co-founder and Technical Director of SecurEnvoy. Before setting up SecurEnvoy, which specialises in tokenless two factor authentication, Steven worked for RSA as one of their original technical experts in Europe, clocking up over 15 years’ experience in user authentication. His particular specialty is two factor authentication in the fields of architecture, design and development of next-generation authentication software.