
The Future of Passwords

Written by Reflare Research Team | Aug 5, 2022 6:17:00 PM

Companies are entirely aware of the challenges posed by passwords as an authentication mechanism, and continue to find a way to replace them with something better. But are they good enough? And more importantly, are users ready to change?

First Published 23rd November 2021  |  Latest Refresh 5th August 2022

What do you mean 'solarwinds123' can't be my password? It was in my last job, and that worked fine! 


History lesson

It was at Bell Labs in the 70s that the cryptographer Robert Morris Sr. devised a process called “hashing”, in which a string of characters is transformed into a numerical code that represents the original phrase. Before hashing was introduced, passwords were normally stored in plaintext, which meant that anyone with access to the password file or database could use the stored usernames and passwords to authenticate successfully.

With hashing, however, it is no longer necessary for the actual passwords to be stored in the password file, making it harder for a malicious actor to abuse the login credentials even if they have access to the password database.

Hash for all

Hashing was quickly adopted in early operating systems such as Unix as part of their authentication mechanism. Hashing on its own, however, is far from perfect and is vulnerable to a rainbow table attack, in which the attacker uses a rainbow table to recover the stored passwords. A rainbow table is a precomputed table of password hashes: look up a stolen hash and it gives back the password that produced it.

To thwart a rainbow table attack, “hash salting” was introduced. Hash salting makes it harder for the perpetrator to crack a password by appending a random string, unique to each user, to their password before hashing it.

For example, when a user enters their password at login, instead of immediately hashing the password and comparing it to the hash stored in the database, the salt string (usually generated when a new account is created, and normally stored in the same file or database as the hash) is first appended to the password, and only then is the result hashed and compared.

This renders pre-computed hash tables useless unless the hashes contained in them were generated with the same salt string appended.
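The salting scheme described above, as an added example that is not from the original article: a per-user random salt is generated at account creation and stored beside the hash, verification re-hashes the attempt with the stored salt, and a precomputed unsalted table finds nothing. It uses the standard-library `pbkdf2_hmac`, which mixes the salt in via HMAC and iterates the hash (a slow hash, which also blunts the GPU cracking discussed later) rather than a plain concatenation; the iteration count and the sample passwords are assumed, constructed values.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed illustrative work factor; a real deployment would tune this.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a 'salt$hash' record. The salt is created when the account is
    created (as the article describes) and stored next to the hash."""
    if salt is None:
        salt = os.urandom(16)  # random and unique per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(record: str, attempt: str) -> bool:
    """Re-hash the attempt with the stored salt, compare in constant time."""
    salt_hex, stored_hex = record.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(candidate, bytes.fromhex(stored_hex))


# Constructed stand-in for a rainbow table: unsalted sha256(password) -> password.
PRECOMPUTED = {
    hashlib.sha256(p.encode()).hexdigest(): p
    for p in ["solarwinds123", "password", "123456"]
}


def rainbow_lookup(record: str, table: dict) -> Optional[str]:
    """Look the stored (salted) hash up in the precomputed table: no hit."""
    return table.get(record.split("$", 1)[1])


def unsalted_lookup(password: str, table: dict) -> Optional[str]:
    """Same table against a plain unsalted hash: immediate hit."""
    return table.get(hashlib.sha256(password.encode()).hexdigest())


if __name__ == "__main__":
    alice = hash_password("solarwinds123")
    bob = hash_password("solarwinds123")  # same password, different salt
    print("records differ for the same password:", alice != bob)
    print("correct password accepted:", verify_password(alice, "solarwinds123"))
    print("wrong password rejected:", not verify_password(alice, "solarwinds124"))
    print("rainbow hit on salted record:", rainbow_lookup(alice, PRECOMPUTED))
    print("rainbow hit on unsalted hash:", unsalted_lookup("solarwinds123", PRECOMPUTED))
```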

The power is yØüⓡ5

Computing devices, however, are becoming more powerful each day. Modern GPUs combined with password cracking software such as Hashcat can test millions if not billions of candidate passwords per second, making password cracking easier than ever, especially against weak passwords. According to Microsoft, there are a whopping 579 password-related attacks every second, equivalent to around 18 billion every year, and the majority of security incidents involving enterprise and consumer accounts start with attacks against weak passwords.

Many organisations respond to these password-cracking hardware and tools by adopting ridiculous password rules. These rules may include requiring passwords to contain symbols and numbers, to be case sensitive, and to differ from previous passwords. This leaves some users or employees who struggle to remember their passwords with no choice but to write them down on sticky notes or store them on their computers.

They may also create passwords that are easy to guess that are based on information that is easy to find, such as their children's names or important dates like birthdays - negating the purpose of having complex password rules.

Many users refuse to do the 'two-step'

Beyond strict password rules, many organisations these days also offer additional security features such as two-factor authentication to help mitigate security issues resulting from weak or stolen passwords. There are dozens of different types of two-factor authentication mechanisms, including sending challenge codes via SMS text or email, or generating them with a dedicated authentication device.

However, these additional layers are far from perfect and more often than not cause usability issues. In some cases, forgetting your password and losing the recovery key could mean losing your data forever. This pushes many users who don’t like the hassle or are afraid of losing their data either to leave these security features disabled or, if they cannot, to buy less secure products instead, which is bad for business.

Q: Are we banishing the password?

Companies such as Microsoft are completely aware of the challenges posed by passwords as an authentication mechanism and, for that reason, continue to search for a way to replace them with something better. In early 2021, Microsoft took its first step toward an internet without passwords by announcing that users can now log in to most of the company’s products, websites, or services without requiring a password. Instead, users can log in to their Microsoft account by providing their fingerprint, or other secure unlock, on their mobile phone.

Microsoft believes that having no passwords will make them more secure than having passwords. Unlike passwords that can be guessed and stolen, according to them, only you can provide fingerprint authentication or the correct challenge code sent to your mobile at the right time.

Q: Are the alternatives any better? A: Meh, kinda-ish.

While we do agree with Microsoft that the future is passwordless, we would also like to kindly remind our readers that the alternatives are far from perfect themselves. In 2020, researchers at Cisco’s Talos security group managed to bypass fingerprint authentication with an 80% success rate.

Earlier, a group of researchers demonstrated how they could bypass Apple’s FaceID and gain access to a locked phone using just a pair of glasses with tape on the lenses.

Also, let’s not forget how some malware and threat actors were able to intercept one-time security codes sent to their victim’s mobile via third-party apps, trick phone companies into redirecting SMSs intended for the victims to them, and hijack their victim’s cell service completely through SIM swapping.

In other words, no matter what all the very smart computer scientists and cybersecurity researchers come up with, motivated threat actors, especially those that are well funded or sponsored by nation-states, will always find a new and innovative way to beat them. So while the future might be passwordless, let us not deceive ourselves into believing that we have found the holy grail solution to the user authentication problem.

A passwordless future does solve one problem for certain, though: the usability issues that arise from having to type long passwords. So, even if these new solutions are only as good as passwords, not having to remember or type in a long and complex password is a massive pain reliever. We therefore applaud Microsoft for taking this new direction, and we hope that more companies will follow suit if they haven’t already done so.

The evolution of the password is far from concluded. Innovative organisations must continue to push forward to develop meaningful solutions that secure our technologies while being workable with (at times irrational) human behaviour. 

Speaking of irrational human behaviour, consider subscribing to Reflare's Research Newsletter and read our related research below to stay up-to-date with what other foolish things users are doing to make the jobs of cyber security professionals so infuriatingly challenging.