Share this
The Future of Passwords
by Reflare Research Team on Aug 5, 2022 7:17:00 PM
Companies are entirely aware of the challenges posed by passwords as an authentication mechanism, and continue to find a way to replace them with something better. But are they good enough? And more importantly, are users ready to change?
First Published 23rd November 2021 | Latest Refresh 5th August 2022
What do you mean 'solarwinds123' can't be my password? It was in my last job, and that worked fine!
4 min read | Reflare Research Team
History lesson
It was at Bell Labs in the 70s where the cryptographer Rober Morris Sr. devised a process called “hashing” in which a string of characters is transformed into a numerical code that represents the original phrase. Before hashing was introduced, passwords were normally stored in plaintext, which meant, anyone with access to the password file or database, would be able to use the usernames and passwords stored to successfully authenticate themselves.
With hashing, however, it is no longer necessary for the actual passwords to be stored in the password file, making it harder for a malicious actor to abuse the login credentials even if they have access to the password database.
Hash for all
Hashing was quickly adopted in early operating systems such as Unix as part of their authentication mechanism. Hashing itself, however, is far from perfect and is vulnerable to a rainbow table attack. A rainbow table attack is a type of hacking where the attacker tries to use a rainbow table to crack the stored passwords. A rainbow table is a precomputed table of password hashes.
To thwart a rainbow table attack, “hash salting” was introduced. Hash salting makes it harder for the perpetrator to crack a password by inserting a random string that is unique to each user to their password before hashing it.
For example, when a user enters their password at login, instead of immediately hashing the password and then comparing it to the hash stored in the database, the salt string (usually generated when a new account is created, and also normally stored in the same file or database as the hash) would be first appended to the password before it gets hashed.
This renders pre-computed hash tables useless unless the hashes contained in them were generated with the same salt string appended.
The power is yØüⓡ5
Computing devices, however, are becoming more powerful each day. Modern GPUs combined with password cracking software such as Hashcat can crack millions if not billions of passwords per second making password cracking easier than ever, especially against weak passwords. According to Microsoft, there are a whopping 579 password-related attacks every second equivalent to around 18 billion every year and the majority of security incidents involving enterprise and consumer accounts start with attacks against weak passwords.
Many organisations respond to these password-cracking hardware and tools by adopting ridiculous password rules. These rules may include requiring the passwords to have symbols and numbers, being case sensitive, and disallowing previous passwords. This leaves some users or employees who struggle to remember their passwords no choice but to write down their passwords on sticky notes or store them on their computers.
They may also create passwords that are easy to guess that are based on information that is easy to find, such as their children's names or important dates like birthdays - negating the purpose of having complex password rules.
Many users refuse to do the 'two-step'
Other than strict password rules, many organisations these days also offer additional security features such as two-factor authentication mechanisms to help mitigate security issues resulting from weak or stolen passwords. There are dozens of different types of two-factor authentication mechanisms, including sending challenge codes via SMS text, email, or simply generating them using authentication devices etc.
However, these additional layers are far from perfect and more often than not cause usability issues. In some cases, forgetting your password and losing the recovery key could mean losing your data forever. This forces many users who don’t like the hassle or are afraid of losing their data to either not enable these security features, or if they are unable to do so - choose to buy products that are less secure, which is bad for business.
Q: Are we banishing the password?
Companies such as Microsoft are completely aware of the challenges posed by passwords as an authentication mechanism and for that reason, continue to find a way to replace them with something better. In early 2021, Microsoft took their first step toward an internet without passwords by announcing that users can now login to most of the company’s products, websites, or services without requiring a password. Instead, users can login into their Microsoft account by providing their fingerprint, or other secure unlock, on their mobile phone.
Microsoft believes that having no passwords will make them more secure than having passwords. Unlike passwords that can be guessed and stolen, according to them, only you can provide fingerprint authentication or the correct challenge code sent to your mobile at the right time.
Q: Are the alternatives any better? A: Meh, kinda-ish.
While we do agree with Microsoft that the future is passwordless, we would also like to kindly remind our readers that the alternatives are far from perfect themselves. In 2020, the researchers at Cisco’s Talos security group managed to bypass fingerprint authentication with an 80% success rate.
Earlier, a group of researchers demonstrated how they could bypass Apple’s FaceID and gain access to a locked phone using just a pair of glasses with tape on the lenses.
Also, let’s not forget how some malware or threat actors were able to intercept one-time security codes sent to their victim’s mobile via third-party apps, tricking phone companies to redirect SMSs intended for the victims to them, and hijacking their victim’s cell service completely through SIM swapping.
In other words, no matter what all the very smart computer scientists and cybersecurity researchers come up with, motivated threat actors - especially those that are well funded or sponsored by nation-states, will always find a new and innovative way to beat them. So while the future might be passwordless, let us not deceive ourselves into believing that we have found the holy grail solution to the user authentication problem.
Passwordless futures do solve one problem for certain, though. It solves usability issues that arise from having to type long passwords. So, even if these new solutions are only as good as passwords, not having to remember or type in a long and complex password is a massive pain reliever. We, therefore, applaud Microsoft for taking this new direction and we hope that more companies will also follow suit if they haven’t already done so.
The evolution of the password is far from concluded. Innovative organisations must continue to push forward to develop meaningful solutions that secure our technologies while being workable with (at times irrational) human behaviour.
Speaking of irrational human behaviour, consider subscribing to Reflare's Research Newsletter and read our related research below to stay up-to-date with what other foolish things users are doing to make the jobs of cyber security professionals so infuriatingly challenging.
Share this
- December 2024 (1)
- November 2024 (1)
- October 2024 (1)
- September 2024 (1)
- August 2024 (1)
- July 2024 (1)
- June 2024 (1)
- April 2024 (2)
- February 2024 (1)
- January 2024 (1)
- December 2023 (1)
- November 2023 (1)
- October 2023 (1)
- September 2023 (1)
- August 2023 (1)
- July 2023 (1)
- June 2023 (2)
- May 2023 (2)
- April 2023 (3)
- March 2023 (4)
- February 2023 (3)
- January 2023 (5)
- December 2022 (1)
- November 2022 (2)
- October 2022 (1)
- September 2022 (11)
- August 2022 (5)
- July 2022 (1)
- May 2022 (3)
- April 2022 (1)
- February 2022 (4)
- January 2022 (3)
- December 2021 (2)
- November 2021 (3)
- October 2021 (2)
- September 2021 (1)
- August 2021 (1)
- June 2021 (1)
- May 2021 (14)
- February 2021 (1)
- October 2020 (1)
- September 2020 (1)
- July 2020 (1)
- June 2020 (1)
- May 2020 (1)
- April 2020 (2)
- March 2020 (1)
- February 2020 (1)
- January 2020 (3)
- December 2019 (1)
- November 2019 (2)
- October 2019 (3)
- September 2019 (5)
- August 2019 (2)
- July 2019 (3)
- June 2019 (3)
- May 2019 (2)
- April 2019 (3)
- March 2019 (2)
- February 2019 (3)
- January 2019 (1)
- December 2018 (3)
- November 2018 (5)
- October 2018 (4)
- September 2018 (3)
- August 2018 (3)
- July 2018 (4)
- June 2018 (4)
- May 2018 (2)
- April 2018 (4)
- March 2018 (5)
- February 2018 (3)
- January 2018 (3)
- December 2017 (2)
- November 2017 (4)
- October 2017 (3)
- September 2017 (5)
- August 2017 (3)
- July 2017 (3)
- June 2017 (4)
- May 2017 (4)
- April 2017 (2)
- March 2017 (4)
- February 2017 (2)
- January 2017 (1)
- December 2016 (1)
- November 2016 (4)
- October 2016 (2)
- September 2016 (4)
- August 2016 (5)
- July 2016 (3)
- June 2016 (5)
- May 2016 (3)
- April 2016 (4)
- March 2016 (5)
- February 2016 (4)