
The problem of passwords and how to deal with it

Security experts have long recognised passwords as inadequate, but finally technology is offering some viable alternative authentication methods that businesses can explore to keep their data safe


Passwords are a ubiquitous part of the digital age. They are the keys to unlocking our online profiles that are hosted across a plethora of websites. With each of our profiles necessitating a separate password, it is not uncommon for people to need up to 50 passwords.

It is therefore unsurprising that the worst passwords of 2015, as revealed by TeamsID earlier this year, remained “123456”, “password”, “12345678” and “qwerty”. This is despite continuous advice and education to the contrary, as security gives way to convenience.

A 2004 episode of Spooks, entitled “Outsiders”, dramatised the dangers of using such common passwords, where a hacker was able to access the server of a pharmaceutical manufacturing company, simply because the router was set to the default password of “Password”.

Recent events have now seen hundreds of millions of passwords leaked online, when more than one hundred million LinkedIn logins and tens of millions of Twitter logins were made available on the darknet.

The problem with passwords is that, for them to be effective, they need to be an uncommon word, of eight letters or more and not used anywhere else. However, memorising fifty or more passwords is difficult, to say the least. “It is very difficult to have complex and unique passwords for as many sites as required,” says security advisor Sean Sullivan of F-Secure. “It is understandable [that people reuse them] because they are required to use so many passwords.”

According to Microsoft’s TechNet, for a password to be effective, it needs to meet the following criteria:

  • Changed every 60 days
  • At least eight characters long
  • Use both upper and lower case characters
  • Contain a combination of alphanumeric characters and symbols
  • Unique (only used for this particular profile/website)
  • Stored using a reversible encryption.

Using these minimum requirements means that there are at least 2 × 10^14 different possibilities.

A normal PC running a freely distributed brute force password cracker can attempt eight million passwords a second, meaning it would take up to 315 days to break a password of the type prescribed above. However, a high-end computer with 25 GPUs was recently found to achieve 350 billion passwords a second, which would only take up to 10 minutes to break the same password.

Rather than simply relying on users to follow sensible password requirements, administrators can enforce these by establishing group policies for the network. These policies operate as a top-down hierarchical process and apply the password requirements to each of the users connected to the network.

It is advised that as well as a maximum duration, the minimum duration for a password should be one day and a history of previous user passwords should be stored to prevent them from being reused. Also, most group policy systems can be configured to lock an account after a prescribed number of failed login attempts.
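As an added illustration (not code from the article, from Microsoft or from any directory product), the following Python sketch applies the requirements listed above in software: the complexity checks, the 60-day maximum and one-day minimum age, a password history that blocks reuse, and lockout after a set number of failed logins. It also works out how long an exhaustive search of the 2 × 10^14 keyspace takes at a given guessing rate. The history depth and lockout threshold are assumptions, and stored passwords are kept as salted PBKDF2 hashes rather than in a reversible form, because verification never needs the plaintext back.

```python
"""Password-policy enforcement (added illustration; not Microsoft's or any
directory's code). Rules follow the list above: length >= 8, mixed case,
letters plus digits plus a symbol, no reuse of remembered passwords,
maximum age 60 days, minimum age 1 day, lockout after repeated failures.
History depth and lockout threshold are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import hashlib
import hmac
import os
import string

MAX_AGE = timedelta(days=60)
MIN_AGE = timedelta(days=1)
HISTORY_LENGTH = 24      # assumption: previous passwords remembered
LOCKOUT_THRESHOLD = 5    # assumption: failed logins before lockout


def check_complexity(password: str) -> list:
    """Return the complexity rules the candidate fails (empty list = passes)."""
    failures = []
    if len(password) < 8:
        failures.append("at least eight characters")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        failures.append("both upper and lower case")
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        failures.append("both letters and digits")
    if not any(c in string.punctuation for c in password):
        failures.append("at least one symbol")
    return failures


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, deliberately slow one-way hash: verification never needs the plaintext back.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    username: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    current: bytes = b""
    changed_at: datetime = datetime.min
    history: list = field(default_factory=list)
    failed_attempts: int = 0
    locked: bool = False

    def was_used_before(self, password: str) -> bool:
        """True if the candidate equals the current or any remembered password."""
        h = _hash(password, self.salt)
        return any(hmac.compare_digest(h, old) for old in [self.current] + self.history)


def set_password(acct: Account, password: str, now: datetime) -> list:
    """Apply the policy to a change request; return violations (empty = changed)."""
    failures = check_complexity(password)
    if acct.current and now - acct.changed_at < MIN_AGE:
        failures.append("minimum password age is one day")
    if acct.was_used_before(password):
        failures.append("password was used before")
    if failures:
        return failures
    if acct.current:
        acct.history = (acct.history + [acct.current])[-HISTORY_LENGTH:]
    acct.current = _hash(password, acct.salt)
    acct.changed_at = now
    return []


def login(acct: Account, password: str, now: datetime) -> str:
    """Return 'ok', 'expired' (password older than 60 days), 'locked' or 'denied'."""
    if acct.locked:
        return "locked"
    if not hmac.compare_digest(_hash(password, acct.salt), acct.current):
        acct.failed_attempts += 1
        if acct.failed_attempts >= LOCKOUT_THRESHOLD:
            acct.locked = True
            return "locked"
        return "denied"
    acct.failed_attempts = 0
    if now - acct.changed_at > MAX_AGE:
        return "expired"
    return "ok"


def crack_time_seconds(keyspace: float, guesses_per_second: float) -> float:
    """Worst-case seconds to exhaust a keyspace at a given guessing rate."""
    return keyspace / guesses_per_second
```

For the keyspace quoted above, crack_time_seconds(2e14, 8e6) gives 2.5 × 10^7 seconds, on the order of the 315 days cited, while 350 billion guesses a second brings it under ten minutes. In a real deployment the same rules would be applied through the directory's group policy objects rather than by hand-written code; the sketch only makes the individual checks explicit.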

Some companies go so far as to make their employees change their password every two weeks, but as Sullivan commented: “Complexity every 14 days means that it is going to be written on a post-it note.”

Similar to the localisation systems used by banks to detect unfamiliar geographic locations of financial transactions, in the event of possible fraud, servers can be configured to detect, flag and/or block access to accounts from unfamiliar regions or IP addresses.
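The location check described above can be written as a small detection rule over authentication logs. The following Python is an added example, not any vendor's product: it learns a per-account baseline of countries and network blocks from earlier successful logins (a constructed sample log, with the country already resolved, is embedded), then classifies each new attempt as allow, flag or block. The log format, the /24 (IPv4) or /64 (IPv6) network granularity and the allow/flag/block mapping are assumptions.

```python
"""Unfamiliar-location login detection (added illustration, not a vendor
product). A baseline of countries and networks is learned per account from
earlier successful logins; new attempts are then classified. Log format,
the /24 (IPv4) or /64 (IPv6) network granularity and the allow/flag/block
mapping are assumptions for the example."""
import ipaddress
from collections import defaultdict

# Constructed sample authentication log: timestamp user ip country result
SAMPLE_LOG = """\
2016-06-01T08:02:11Z alice 203.0.113.10 GB success
2016-06-01T08:15:40Z bob 198.51.100.7 SG success
2016-06-02T09:00:03Z alice 203.0.113.22 GB success
2016-06-02T09:05:44Z alice 198.51.100.9 SG failure
2016-06-03T07:45:19Z alice 203.0.113.10 GB success
"""


def parse_line(line: str) -> dict:
    """Split one whitespace-separated log line into its fields."""
    ts, user, ip, country, result = line.split()
    return {"ts": ts, "user": user, "ip": ipaddress.ip_address(ip),
            "country": country, "result": result}


def _network(ip):
    """Collapse an address to the network block the baseline is keyed on."""
    prefix = 24 if ip.version == 4 else 64
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def build_baseline(log_text: str) -> dict:
    """Per-user sets of countries and networks seen on successful logins only."""
    baseline = defaultdict(lambda: {"countries": set(), "networks": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["result"] != "success":      # failed attempts do not widen the baseline
            continue
        baseline[rec["user"]]["countries"].add(rec["country"])
        baseline[rec["user"]]["networks"].add(_network(rec["ip"]))
    return dict(baseline)


def classify(baseline: dict, line: str) -> str:
    """'allow' if country and network are familiar, 'flag' if only the
    country is, 'block' if the country is new; unknown accounts are flagged."""
    rec = parse_line(line)
    profile = baseline.get(rec["user"])
    if profile is None:
        return "flag"
    known_country = rec["country"] in profile["countries"]
    known_network = _network(rec["ip"]) in profile["networks"]
    if known_country and known_network:
        return "allow"
    if known_country:
        return "flag"
    return "block"
```

Building the baseline from successful logins only matters: in the sample, alice's failed attempt from Singapore does not teach the system that Singapore is familiar, so a later attempt from there is blocked rather than allowed. A "flag" outcome is where a bank-style step-up check (a one-time code, a phone call) would be triggered instead of an outright refusal.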

Many companies use security questions to confirm identities. These questions are usually personal in nature, asking about the person’s background. “These are easily researchable, so security researchers say that you should lie to these questions,” says Sullivan. “The problem is that you will forget your lie, because you are not a pathological liar.”

Using password lockers is one solution for keeping track of multiple passwords, but these are only as good as the security algorithm protecting the user’s passwords. Some password lockers, such as F-Secure KEY, also contain a notes field, where users can store the answers they gave for the security questions.

Two-factor authentication is increasingly being adopted as a form of identification and authorisation. Most financial institutions now use two-factor authentication as part of their online banking systems. Users not only need to know their login and password, but also a random single-use code that is either sent to their security token or as a text message to a verified mobile phone.

This is not a foolproof system, as the mobile phone or security token could be stolen. But using two-factor authentication means that there is an additional level of security to overcome before access is gained.
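The single-use code flow described above, as an added Python example (not any bank's implementation): the server generates a random six-digit code to be delivered out of band, keeps only a keyed hash of it together with an expiry, and accepts it exactly once within a small number of attempts. The five-minute lifetime and the three-attempt limit are assumptions.

```python
"""Second-factor single-use codes (added illustration, not any bank's code).
The server issues a random six-digit code for out-of-band delivery (text
message or token display), stores only a keyed hash of it with an expiry,
and accepts it exactly once within a small number of attempts. Lifetime
and attempt limit are assumptions."""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta

CODE_TTL = timedelta(minutes=5)   # assumption: how long a code stays valid
MAX_ATTEMPTS = 3                  # assumption: guesses allowed per code
CODE_DIGITS = 6

# Server-side key; kept apart from the code store so a leaked store alone is useless.
SECRET_PEPPER = secrets.token_bytes(32)


def _digest(user: str, code: str) -> bytes:
    return hmac.new(SECRET_PEPPER, f"{user}:{code}".encode(), hashlib.sha256).digest()


def issue_code(store: dict, user: str, now: datetime) -> str:
    """Create a fresh code for the user; return the plaintext to deliver out of band."""
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
    store[user] = {"digest": _digest(user, code),
                   "expires": now + CODE_TTL, "attempts": 0}
    return code


def verify_code(store: dict, user: str, code: str, now: datetime) -> bool:
    """Accept the code at most once; expiry or too many wrong guesses discards it."""
    entry = store.get(user)
    if entry is None:
        return False
    if now > entry["expires"]:
        del store[user]
        return False
    entry["attempts"] += 1
    if hmac.compare_digest(entry["digest"], _digest(user, code)):
        del store[user]          # single use: the same code can never succeed twice
        return True
    if entry["attempts"] >= MAX_ATTEMPTS:
        del store[user]          # force a fresh code instead of allowing more guesses
    return False
```

The attempt limit is what keeps a six-digit code meaningful: without it, the million-value space is small enough to guess through, which is the same lesson the brute-force figures earlier in the article teach for passwords. The stolen-phone case remains, as the text notes, outside what this check can defend against.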

Biometric authentication, the process by which a user’s identity is confirmed by methods such as fingerprints, voiceprint or facial recognition, is increasingly used as the systems become more affordable.

Biometric security at HSBC

HSBC recently introduced biometric security for their 15 million First Direct customers. The HSBC Banking application on Android and iOS devices will now offer First Direct customers the opportunity to identify themselves using finger and voiceprint authentication, rather than stating their telephone security password or PIN number. A wider rollout to the rest of HSBC’s customers is expected by the end of 2016.

The voice recognition software, provided by Nuance Communications, is so accurate that it is even able to differentiate between identical twins. Through analysing speech, the voice recognition software is able to measure the speed, cadence and pronunciation, as well as the speaker’s physical aspects, such as the shape of their larynx, vocal tract and nasal passages.

However, this accuracy also means that it may deny access if an account holder has a sore throat, or if customers have recently switched devices and are therefore using a new microphone.

Although HSBC was not the first bank to offer biometric security to their customers, it is certainly the largest planned rollout of voice biometric security technology in the UK.

Despite the inevitably large financial impact this rollout will have, HSBC will no doubt be able to recover this outlay through swifter banking (as authentication takes just over 10 seconds), a reduction in call-centre staff and a decrease in fraudulent activity, due to the increased security that biometric systems offer.

However, the cost is not as high as might be expected because it is only the software that needs to be implemented. All of the biometric authentication is performed using the customer’s own devices.

The advantage of biometric authorisation is that the data is almost impossible to mimic and that the users always have it with them. People cannot leave a finger at home, or have it stolen without realising, as might occur with a security token.

Systems not foolproof

However, these systems are still not foolproof. “Fingerprints are unique to each individual, but to a computer they might look the same and facial recognition has been fooled with photographs,” says technical manager Wayne Street of ID Management Systems. Fingerprint scanners have also been fooled by fake gelatine fingerprints, and back in 2002 by the gummy bear hack.

Some companies have been encouraged to adopt biometric security systems by the high security standards expected of them by their corporate clients. Others have wanted the ability to remove a person’s access to a building, such as when they have left the company, without having to change PIN codes for everyone else. However, it has not always been successful.

“We tried a biometric lock for our main office door, but after months of frustration we have given up,” says Jeremy Stern, managing director of PromoVeritas. “The unit was professionally fitted but caused us regular problems – not recognising fingerprints, then resetting itself – in the end we got our money back and have an old-fashioned key padlock.”

Rather than using biometrics as an alternative to passwords, F-Secure’s Sean Sullivan suggests that using them as a username may be a better tactic. “For businesses that have strong legal obligations to protect their data, I do not think they should rely on biometrics as a password,” explains Sullivan. “If somebody comes up with a solution where biometrics [are] used as a username, rather than a password, then that is great. Then two-factor authentication is right there on my person – my finger plus my password.”

The future of passwords

But what does the future hold for passwords? Google’s Advanced Technology and Projects division are intending to replace passwords for Android apps with a trust score. Currently called Project Abacus, the trust score will be calculated based on typing speed, vocal inflections, facial recognition, as well as proximity to familiar Bluetooth devices and wireless routers. Should the user not meet the minimum trust score criteria, they will be subsequently asked to submit their password to authenticate their identity.

To ensure they are adequately protected, companies should always ensure they change any default passwords and enforce the minimum recommended password requirements through the group policies of their networks. For companies that handle confidential data, it is now worth considering the use of second-factor authentication through biometrics or security tokens. Given the wide range of systems currently available, determining whether a particular system will be cost-effective is a balance between cost and risk.

Ongoing developments are leading to increasingly robust authentication systems that are better able to resist future network breaches. Companies that fall behind will risk losing customer confidence, while those that stay ahead will demonstrate how seriously they take data security.
