Why Passwords stink?


The passwords came about when the state of art computers occupied an entire floor of the building and today a smart refrigerator has more compute power than those old state art computers.  Antique objects’ value grew over time but antiquated password technology value has diminished to becoming a liability.

A password is one uppercase letter, one special character, one number, and at least eight characters long. There are over half a trillion passwords in use today and an average user has about 100 online accounts. Expecting the user to remember all the passwords that are at least eight characters long is infeasible and the majority of the users reuse the passwords for their online account.  The password which is used to secure the account has unfortunately become the weakest link in the securing the account

Passwords: Shared Secret

A shared secret is a piece of data, known only to the parties involved and the passwords are a shared secret that is known only to the user and the party on the other end. The password can be anything like “Open Sesame” and “Close Sesame” in Ali Baba and Forty Thieves story.  Ali Baba knowing the shared secret was able to enter the secret cavern and loot the riches of the secret cavern.  In present day passwords can be a passphrase, a PIN or at least 8 characters long with one uppercase letter, one number, and one special character.  This shared secret aka password is stored in the password database, which is the target of hack by bad actors.

Passwords: Security

For customers, the password has become a point of frustration and causing friction when logging in, needing to remember at least 8-character long and needing to be 12-character for a strong password. This might look like a strong password “ji32k7au4a83” but unfortunately it is a very common password in Taiwan based on Chinese characters. Adding to the challenge of coming up with a random combination of characters that is uncommon and easy to remember.  When a password gets lost or stolen (and which is highly probable), it adds to the operation cost of the organization to support its customer.

The passwords are stored in databases and the databases are the target of hacks which invariantly get hacked.  The stolen or hacked database is released on the internet for the bad actors to take advantage of.  The passwords are often reused because of difficulty in remembering multiple passwords, making them the target for malwares, phishing attacks, spear phishing attacks, and other social engineered credential stealing attacks.

In the age of social media, the majority of users’ personally identifiable information is easily available.  Sarah Palin’s Yahoo password was reset easily, as her biographical information details were readily available on the web.

Although passwords are salted and then hashed then stored in the database for better security with improved compute capacity and techniques the bad actors have found a way to overcome this security measure. The stolen/hacked password databases are routinely sold on the dark web and shared online.  The bad actors buy these databases and use automated password cracking attacks that run through username/password combinations in the databases.  The password cracking software and techniques have grown leaps and bounds, attacks like dictionary attacks, brute force attacks, and table attacks like lookup table attacks, reverse lookup tables attacks, and rainbow tables attacks are employed. The bad actors also can combine the stolen/hacked database with other datasets easily available due to presence on social media and social engineering.

Passwords: Band-Aid Solutions

To overcome the challenge of remembering passwords, coming up with different passwords, solutions like password managers, multi-factor authentication, and magic-link are provided.  The “Shared Secret” being the root cause of the password problem is not addressed, instead is pushed to a different layer or kicking the can down the road.

PASSWORD MANAGERS solve the issue of memorizing passwords, challenges of coming up with unique passwords with all the required criteria, and avoiding the reuse of passwords.  By storing all the passwords locally and on the cloud, accessible via a master password, password managers have become a source of single-point of failure and even more enticing for the bad actors to target the password manager.  The  lastpass customers who were password and tech-savvy lost their crypto-currency from their wallet in spite of following all the best practices, which illustrates the single-point of failure weakening the security

MULTI-FACTOR AUTHENTICATION (MFA)  The second factor used to improve the ability to correctly verify that the user requesting access is who they claim to be and since the authentication codes are one-time use they are not technically shared secrets. This appears at first glance to be a secure compliment to simply using passwords.

Unfortunately, MFA is vulnerable to phishing/spear phishing attacks by spoofing login pages to collect both the password and one-time use code to login simultaneously in the actual website. Also, extremely vulnerable to SIM-swapping attacks and notably victims include Michael Terpin, Bart Stephens who are crypto evangelist and tech-savvy. Notably, Chinese state-sponsored group APT20 has found a way around 2FA through a stolen RSA SecurID software token. Lastly, MFA increases friction in customer user experience during the login process requiring to have the phone readily available and nearby to enter the code.

SINGLE SIGN-ON is a great user experience reducing the need for entering password and thereby reducing the friction for the user experience. But it does not solve the underlying security issue. The session token that enables subsequent authentication can be hacked and used for nefarious access. And session tokens are often configured to remain live for a long time to keep friction low – increasing the window of compromise.  The password needed for single sign-on is still stored in the database, just kicking the can down the road without improving the security and the single sign-on password is still vulnerable.

Passwordless: Hawcx

The “shared-secret” aka password is vulnerable and insecure.  A true passwordless solution based on the public-private key cryptography technique is the path forward.  Enter Hawcx’s Zero Knowledge Proof based authentication that uses the secure principles of public-private key cryptography technique for authentication without storing the private key anywhere.