Tuesday, May 7, 2013

How I learned to quit worrying and love the password

Even in a world saturated with biometric ID management applications, Username/Password verification will still be around.

For one thing, there is no logical limit to the number of password hoops users can be made to jump through, with increasing ID confidence with each consecutive correct answer. The web site for one financial services company I use asks for four pieces of information before allowing me to access the account:
  • user name (a sort-of password)
  • password
  • PIN (really just a shorter password)
  • (and since I have cookies pretty well locked down on my most-favored browser and haven't bothered to create some sort of exception) one of a menu of security questions is asked every time I log on.
Even though the human representatives employed by this company are uniformly delightful, efficient, and helpful individuals, any number of other ID steps could be added to the process before I shunned the web site. After all, the ID steps on the phone with the call center are no less rigorous.

For another, people aren't the only things that claim an identity before accessing IT systems — computers do it, too, and they don't have biometrics. Passwords are also a cheap, well-understood, flexible technology that supports certain access control models that biometric techniques don't.

The challenge that system designers interested in biometrics now face is to identify where using Username/Password is too risky (or piling them up, too cumbersome), and where biometrics can be used to reduce risk to an acceptable level. This requires identifying everything currently authenticated with a Username/Password, determining which of these things are more efficiently protected using biometric authentication, and then implementing the change. This is far easier said than done.

For starters, and we've been banging this drum for a long time, it's a really good idea to require biometrics for access to tables of stored usernames and passwords. The long and short of it, however, is that passwords are going to be around for a long, long time.

As long as that's the case, it's good to know a little more about how passwords work as a technology, and the following article is a great resource.

Passwords: How to choose one and why we need them (PHYS ORG)
Perhaps it is because they are so ubiquitous that we take them for granted without ever really understanding how they work. Passwords are an example of using something you know to prove your identity. In security circles it is often said the way we prove our identity falls into three categories:
  • something you have, such as a bank card
  • something you are, such as some form of biometric such as a photograph of the user, fingerprint or iris scan
  • something you know, with passwords being the most common example

What are passwords really made of?

Well-designed password systems never store passwords directly. What's stored instead is
  • the hash – a cryptographic function that takes a sequence of characters or numbers and generates a sequence based on it
  • the salt – some additional characters which do not form part of the password, but are added during encryption to make it harder for hackers to hack password files
The output of a hash function tells you very little about its input so is very difficult to reverse. It takes vastly more computation to reverse a hash value than it takes to calculate it. When a password is entered into a system, the hash of the password and any salt value is calculated and compared with the stored value.
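The storage scheme the excerpt describes (keep a salt and a hash, never the password; on login, hash the candidate with the stored salt and compare) is short enough to show end to end. The following is an added example, written for this post rather than taken from the PHYS ORG article, and it goes a step beyond the excerpt in two ways: it uses a deliberately slow hash (PBKDF2-HMAC-SHA256, 200,000 iterations, a 16-byte random salt; these parameters are my choice, not the article's) so that reversing a leaked table costs the attacker real compute, and it includes a small precomputed-table lookup against an unsalted SHA-256 hash to show concretely what the salt buys you. The user table and word list are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters chosen for this example (not from the article): PBKDF2-HMAC-SHA256,
# a 16-byte random salt per record, and a fixed iteration count that makes each
# guess expensive for an attacker who has stolen the table.
HASH_NAME = "sha256"
SALT_BYTES = 16
ITERATIONS = 200_000
SCHEME = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record "pbkdf2_sha256$iterations$salt$hash".

    The plaintext is never stored. A fresh random salt is drawn for every new
    record, so two users with the same password get different stored hashes.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)
    return "{}${}${}${}".format(SCHEME, ITERATIONS, salt.hex(), digest.hex())


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash over the candidate password and the *stored* salt,
    then compare against the stored hash in constant time."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != SCHEME:
        raise ValueError("unknown password hash scheme: " + scheme)
    candidate = hashlib.pbkdf2_hmac(
        HASH_NAME, password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def precomputed_table_attack(stored_unsalted_hex: str, wordlist) -> Optional[str]:
    """What an attacker does to an *unsalted* fast hash: build hash(word) for a
    word list once and look every stolen hash up in it. A per-user salt forces
    the table to be rebuilt for each salt, which is the point of salting."""
    table = {hashlib.sha256(w.encode("utf-8")).hexdigest(): w for w in wordlist}
    return table.get(stored_unsalted_hex)


def demo() -> dict:
    # Constructed sample user table: two users who happen to choose the same password.
    users = {
        "alice": hash_password("correct horse"),
        "bob": hash_password("correct horse"),
    }
    alice_hash = users["alice"].split("$")[3]
    bob_hash = users["bob"].split("$")[3]
    return {
        # Different salts, so the stored hashes differ even though the passwords match.
        "same_password_same_hash": alice_hash == bob_hash,
        "alice_ok": verify_password("correct horse", users["alice"]),
        "alice_wrong_case": verify_password("Correct horse", users["alice"]),
        # Unsalted SHA-256 of a common word falls to a one-off lookup table.
        "unsalted_cracked": precomputed_table_attack(
            hashlib.sha256(b"letmein").hexdigest(), ["password", "123456", "letmein"]
        ),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Two things worth noticing when you run it: verification never needs the original salt to be secret, only stored alongside the hash, and the iteration count is part of the record, so it can be raised over time without invalidating old entries (old records simply carry their old count until the user next changes their password).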
Read the whole thing. It's quite good, ending with two points upon which the author and I are in complete agreement: There is nothing as cheap and as well understood as passwords. They are likely to be around a while yet.

Like any other technology, there's a right way and a wrong way to use passwords. If you get to know them, when to use them, how to use them properly, and the techniques used to undermine them, your relationship with the password can be a long and happy one.

See also:
Why passwords are great;
More on the awesomeness of passwords;
Coopetition: Biometrics and Passwords and
Biometrics, passwords & the Illinois water plant hack attack

Tangentially related...

UPDATE: Government lab demonstrates stealth quantum security project (GIGAOM)
Quantum cryptography is supposed to be a kind of holy grail solution for securing the smart grid, cloud computing, and other sensitive networked resources. The technology is still experimental, with only a handful of companies globally providing quantum key distribution services. Now, researchers at Los Alamos National Lab have quietly revealed that they’ve successfully been running what amounts to a mini quantum internet for the past two-and-a-half years.

The basic premise of keeping information secret using quantum mechanical phenomena lies in what is popularly called the observer effect. A quantum message, sent as photons, will be permanently altered if someone observes it, so the sender and recipient will be able to tell if there was a breach.