Of passwords and pass fails
2 October 2015
At a few security events I have attended recently, one recurring theme was the need to make security compliance easier for users.
The oft cited example is the need for complex passwords that have to be changed regularly, without using previous instances.
We’ve all faced the dilemma of having to come up with a minimum string of 8 characters with upper and lower case letters, numbers and special characters in combination. And then, just as we’ve patted ourselves on the back for doing so in a way that was not only memorable, but also type-able without giving ourselves RSI, the system tells us to change it again, leaving us thinking, has a month/six weeks/ three months (delete as appropriate) gone already?
The promise of two factor authentication, biometrics and other clever ways to avoid such passwords never seems to have fully materialised.
I recall some years ago, when still in the security industry (so that’s at least 10 plus) a system where facial recognition was employed. This was not facial recognition of the user, but rather by the user. The log-in consisted of selecting a six-face combination pass code from a bank of several hundred thousand. The logic of this being that the human brain has rather a large proportion of its cognitive function given over to just that: recognising and reading faces. This will revolutionise user security, I thought then.
So, how many of you logged into a system today with pass faces?
Not many, I’ll wager.
But setting aside the failure of biometrics, pass faces, two factor and the various other so-called solutions to user identity and access problems to eradicate passwords, why is this still an issue?
We all know that if you make compliance with anything difficult, people will, with the best of intentions, simply subvert it. There have now been several instances of passwords being printed and pinned up on the wall and subsequently being broadcast on national television, let alone Post-It notes stuck to servers, laptops or desktops. Out of sheer frustration, and in order to actually get their job done, users will find a way, often at the cost of the security that the log-in system was supposed to provide in the first place.
Why has it taken so long for the security industry to realise that end user compliance is still an issue?
To be honest, I’m not sure what the answer is.
There have been suggestions that passwords are not the problem, and that we should simply employ different strategies to generate them that are memorable.
Manuel Blum, a Turing Award winner, has suggested that algorithms to generate passwords are all that we need to remember, not the passwords.
So, for example, say you come to log into your Gmail account. Your algorithm could be a substitution system based on the domain name, combined perhaps with a colour and a number, that then gives you your magic 8 character, yada-yada-yada, password that never needs to be remembered: only the means to generate it does.
Others have gone for measuring and comparing the way that a password is typed as well as the actual password itself. Cadence, rhythm and even pressure could be a part of the password and stored as an abstract.
Another approach is based on the zero knowledge proof concept. This is where a password is created and then a special algorithm creates an abstract from it.
When a user then makes a log-in request, the server asks for key aspects of the abstract, never the actual password. Only when the server is satisfied that the answers provided match the abstract it keeps, does it allow access. But the critical point in this system is that the password itself, from which the abstract is created, is never transmitted. This means that even in the case of a man in the middle or injection attack, the system is hard to fool unless the method of generating the abstract is compromised.
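To make the "abstract" idea concrete, here is an added example (not from the original post) of a Schnorr-style zero-knowledge login: the server stores only y = g^x, where x is derived from the password, and at log-in it checks a challenge-response that reveals nothing about x. The group parameters, salt handling and the SHA-256 derivation are assumptions for the demo, chosen to keep it dependency-free.

```python
import hashlib
import secrets

# Toy group parameters, constructed for the demo and far too small for real use.
# p is a safe prime (p = 2q + 1) and g = 4 generates the subgroup of order q.
P, Q, G = 1019, 509, 4


def derive_secret(salt: bytes, password: str) -> int:
    """Client side: turn the password into the secret exponent x in [1, q-1].
    A real system would use a slow KDF (scrypt/Argon2) instead of one SHA-256."""
    digest = hashlib.sha256(salt + password.encode()).digest()
    return 1 + int.from_bytes(digest, "big") % (Q - 1)


def register(password: str) -> dict:
    """Enrolment: the server keeps the salt and y = g^x (the 'abstract'), never x."""
    salt = secrets.token_bytes(16)
    x = derive_secret(salt, password)
    return {"salt": salt, "y": pow(G, x, P)}


def commit(record: dict, password: str):
    """Client step 1: re-derive x, pick a fresh random r and send t = g^r."""
    x = derive_secret(record["salt"], password)
    r = 1 + secrets.randbelow(Q - 1)
    return x, r, pow(G, r, P)


def challenge() -> int:
    """Server step 2: a non-zero random challenge c (c = 0 would accept anything)."""
    return 1 + secrets.randbelow(Q - 1)


def respond(x: int, r: int, c: int) -> int:
    """Client step 3: s = r + c*x mod q. Because r is random, s leaks nothing about x."""
    return (r + c * x) % Q


def verify(record: dict, t: int, c: int, s: int) -> bool:
    """Server step 4: g^s == t * y^c (mod p) holds only if the prover knew x."""
    return pow(G, s, P) == (t * pow(record["y"], c, P)) % P


def login(record: dict, password: str) -> bool:
    """Run one exchange. The transcript an eavesdropper sees is (t, c, s) only."""
    x, r, t = commit(record, password)
    c = challenge()
    return verify(record, t, c, respond(x, r, c))
```

Two caveats a practitioner should keep in mind: the stored y can still be guessed offline from a weak password, so it needs the same salting and slow derivation as a hash, and an active attacker who controls the channel can relay the exchange, which is the gap that password-authenticated key exchange protocols such as SRP and OPAQUE close.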
While these last two methods may reduce the reliance on the need to have very complex, seemingly random passwords that are hard to remember, they would not necessarily reduce the need to change them frequently, which again leads to difficulty in compliance.
There is still, it seems, a definite requirement to make compliance more natural for human 1.0, overcoming that old adage: there’s no patch for stupid.