This whitepaper is part of a three-part installment covering a wide breadth of topics on passwords, security, next-generation, and plenty more. In this installment, we close the series with a look at the psychology of authentication itself, the latest generation of authentication, and modern applications. If you haven't read the first two installments, the links are; Passwords vs. Pass Phrases - An Ideological Divide and Passwords vs. Pass Phrases – Weaknesses Beyond the Password.
At the start of this series, we looked at several factors that weaken password-based authentication security, namely on the side of the end-user. The concept of a password in and of itself is inherently flawed, and many of the surrounding security or enforcement strategies are equally flawed and antiquated. By forcing this behavior on end users, content providers instill insecure authentication concepts in them, reinforced by the problem of a password itself. In the second article, we explored that problem, reviewing how the ideology of a password is insecure, due to closing the end-user's focus on a poor concept. We continued on to exemplify how a simple restructuring of the password concept into pass phrases has a potentially revolutionary effect, most especially in web application security. There are, however, those who have radically different ideas, and this article focuses on those and their potential applications.
Indeed, as we mentioned in the last article, "password-based authentication need not be such an archaic pillar of security any longer." The concept of a prompt-and-response authentication mechanism has been in existence since the Hellenistic Period, approximately 200 B.C., where Roman soldiers employed the use of watchwords – a memorized word repeated to an authenticator to prove identity. The general concept remained the same for millennia, including its first use in computing with the 1961 Massachusetts Institute of Technology Compatible Time-Sharing System (MIT CTSS). As one of the first time sharing computational systems, users of the system had authentication mechanisms to differentiate and privatize each point of entry terminal, capable even of accommodating multiple researchers at once. Fast forward to today, and over 50 years later we have experienced the most unfathomable, unimaginable rapid evolution of technology – exploding from unaffordable and disconnected-from-the-world personal computers to a wireless, always-communicating computer in everyone's pocket in just 10 short years. And yet we still use the same authentication concept that has not changed since Polybius scribed about it in 150 B.C. and MIT implemented it in the CTSS (Compatible Time Sharing Systems).
Comfort Zone: Why We Use Ancient Concepts in a Modern Era
The concept of a password has indeed been around for millennia, but in terms of computing, the concept has remained relatively unchanged since authentication was first implemented and required in computing structures. We still focus on simplistic concepts of authentication – a piece of (sometimes) public data, and a piece of private data, commonly in the form of a username and password combination – which have remained stable and constant since the 1961 MIT CTSS. For quite some time now it has been a long-standing joke as to why maximum password length exists, especially to this day. And, as is is part of the joke, no one really knows why anyone still enforces maximum length beyond the disappointing but often default answer: "It just has always been this way." Such is seemingly the concept for username and password authentication itself. It just always has been this way, why change anything?
Much in life stays the same for long periods. For millennia, society operated in nearly all facets of living very lackadaisically and without regard to improvement. It sometimes takes decades or even centuries for a way of life to change from the norm. "It's always been this way" seems to be the common retort through time. But we now live in an enlightened society of rich culture and liberties; of information zipping through the skies and giant fiber cables under the oceans; of a connected society where wireless internet devices outnumber their human users; of a time where new, revolutionary ideas are borne of brilliant minds, are fostered and explode into fortunes, and die all in less than a decade. Thus, as we evolve from exceedingly limited connectivity to the most connected society in just 20 short years, so too do our technologies that propel us at near-immeasurable speed: cumbersome landlines to only cell phones, dialup to nationwide broadband, MySpace to Facebook to Twitter and all the social media in between. We as a now rapidly and digitally evolving society must continue the trend of eschewing what "has always been this way," and prepare for the evolution of web and other authentication mechanisms.
We Just Discussed Pass Phrases, What Happened to That?
Of course, passphrases are an incredible and delightfully simple step up in the evolution of authentication mechanisms – a concept we detail extensively and, of course, still support in the first installment of this series. The concept of an obfuscated jumble of letters, numbers, and sometimes special characters in a non-sentence or phrase-like structure leads to very limited and measurably weak password security. "In order to memorize this ideology of minimum 8 and maximum 32 characters, I have to make a jumbled mess that I can remember," is often the train of thought that rushes through an end-user's mind. This concept yields passwords so weakened, their content can be cracked remarkably easily and swiftly in offline compromised password database cracks.
The use of a passphrase in lieu of a password is still of course a quite highly recommended solution, but only for as long as a username/password authentication combination remains. Eventually, a newer, more permanent solution will need to replace this protocol. Indeed, it is remarkable that the concept of a password has stuck around for so long, especially in the oceanic ether of highly dynamic and ever changing web trends. The concept of a password has gone relatively unchanged, save for some additional length requirements, even in spite of the unending flow of compromises that occur and the enormous losses they yield all due at least in part to password-based authentication.
Some estimates that claim over ten million debit and credit card numbers are involved in mass compromises every year, resulting in tens of billions of dollars lost due to fraud. (We visit this topic extensively in our PCI Compliance article series.) A surprisingly large amount of this is the result of compromised financial data via online services, quite often due to a compromise of password database hashes. Some password hash brute forcing software has the potential to yield several thousand user passwords an hour on some of the largest password hash dumps – over ten million cryptographic password hashes compromised from Comcast, Yahoo!, and AOL just this year alone. Among multi-website authentication internet users, the majority use the same password across multiple websites. This has been observed from the passwords cracked and successfully attempted on other websites by black-hat hackers during Pastebin'ed database compromises, like RockYou, where thirty million accounts were compromised with all passwords stored in plaintext – no cryptographic hashing whatsoever. If just a small percentage of those compromised accounts use the same passwords for their PayPal or online banking logins, that still may result in hundreds of thousands, if not millions, in potential loss to fraud.
This all stems as a result of the fact that password hashing, regardless of whether using passwords or passphrases, are still only one-way cryptographic hashing algorithms. There was once a time not at all long ago when it was still believed that fast cryptographic hashing algorithms -- MD5, SHA1, etc. -- were impenetrable enough and reasonably secure for the foreseeable future. That quickly changed with newer technology and the speed in which modern graphical processing units (GPUs) chug through linear algebra. With this almost absurd and astronomical rate of technology evolution over the past ten years, it stands to reason that even if we utilize some new, strong cryptographic hashing function with 20-plus character passphrases, it could be very soon that technology advances with the capability to crack it in mere hours. This has become a near axiom of the cryptographic world: the world of password cracking is catching up to the world of cryptography at a frightening and alarming rate. This is because all a computer has to do is successfully guess the contents of a password hash. There is no data encoding and decoding procedure, no two-way handshake, or any real security mechanism for password hashing. For something as indescribably crucial as account authentication mechanisms – something that should receive the utmost attention and scrutiny on security but sadly often does not – we utilize a remarkably weak and archaic system to protect sometimes the most confidential of data, all because of bad psychology.
Passwords: Satisfaction from Pseudo-Security
Psychology is defined as the study of mental functions and behaviors, but some have mused it is more a practice, perhaps an obsession ;) , of defining and naming each function and behavior. The study of the mind is indeed mysterious in attempting to make sense of the wild phenomena that does not fit comfortable rationality or logic. Through nearly every walk of life, humans perform acts of cognitive bias – actions or ways of thought that inhibit us from making rational and logic-driven decisions. In some cases, such as instinctual behavior, it may in fact have life saving benefits. However, bias often drives a person to operate in a subjective way they often know is illogical, but do so regardless due to functionality heuristics, social influence, or immediate gratification. In terms of password-based authentication, one could argue that would be the direct influence to utilize allowably weak passwords (and the concept of a password altogether), commonality of a password authentication mechanism across all online authentication portals, and utilizing a cheaply memorizable passwords we know are weak at the cost of immediately bypassing the login restriction.
For over a decade and through the largest, most explosive growth in web systems, we have known our passwords are weak. In 2006, a study of students showed many used insecure passwords despite knowing the security risks, only to have the ease of memorization. As the study summarizes, many users employed the use of weak passwords, consisting of "lower case letters, numbers or digits, personally meaningful numbers and personally meaningful words when creating passwords, despite the fact that they realize that these methods may not be the most secure." In fact, passwords in general are largely psychological in nature. Going further back, in 2002 a British psychologist, Dr. Helen Petrie, proclaimed passwords reveal largely psychological information about the user – childhood nicknames or pet names, familial information, and symbolic events headline the list. Even to this day we hypothesize psychological reward systems for password security. And, indeed, a simple scan of the contents of the RockYou database, and other brute-forced password hash compromises, shows these habits to still be true, over a decade later. But the reality is that password-style authentication's value lies solely in its psychology, not its security.
In 2010, two computer security researchers at Cambridge University – Joseph Bonneau and Sören Preibusch – released a study after analyzing over 150 news, e-commerce, social networking, and various other websites, all offering free accounts utilizing password-based authentication systems. In their study, they, too, suggest that many websites utilize passwords "primarily for psychological reasons." They refer to the two primary purposes of such an authentication schema. First, that the data collection and requirements process during enrollment are largely just to procure "marketing data," a now normalized psychological transaction we perform as a sort of digital barter for 'free' information trade – you get content, advertisers get to learn about you, data for data. Additionally and most definitively, however, they speculate that password systems exist largely as a "way to build trusted relationships" with end users. However, they also suggest attempts to replace password authentication systems with more secure and modern mechanisms may fail because they do not reproduce the "entrenched ritual" of password-based authentication mechanisms.
There are indeed those who believe passwords are ultimately an invariable and solidified mechanism of authentication, an unbreakable pillar of e-society. Even Microsoft acknowledged recently that weak passwords are a measurably acceptable risk if the account it protects yields low-value data (e.g. a website like RockYou where only social media game scores are stored, as opposed to an online bank account). But these are absurd notions … mostly. Of course, Slate's Will Oremus is unarguably correct in some of his observations—the affordability of privacy and anonymity with a username/password authentication system is critical, especially in light of recent privacy concerns over spying and more; and the fact that password authentication will never truly die. But using weak passwords where the risk is "acceptable" is a very bad judgment call. By whose measure is the risk acceptable? How do you proactively teach and ingrain into users the understanding of this acceptable risk and what a reasonable threshold is? What happens if that "acceptable risk" website later decides to expand and house higher value private data? These questions are minimally and ineffectively answered, if at all, and – this is the most crucial part – its success all rests squarely on the effectiveness of end-users not using the same password on multiple websites, a problem that has persisted for decades, if not since the dawn of online authentication systems. And with events like the recent Russian compromise of over one billion passwords, the likelihood of compromising a critical account due to a weak password used elsewhere grows exponentially larger literally every day.
Regardless, Bonneau and Preibusch are perhaps quite right in a number of their observations, specifically the trusted relationship built by the psychologically entrenched ritual of username and password authentication still held onto firmly by its actors and participants – the web and other systems that employ them, and the end users who happily participate. The user provides personal, fiscally valuable data in exchange for 'exclusivity' or niche service, solidifying the consummation of the accord between the two parties by an authentication schema. One could reasonably assume any authentication system—password-based or otherwise—would yield the same or similar trusted bond between content provider and end user, but as also wisely speculated, newer and more secure authentication systems will meet heavy resistance. In fact, some data suggests habit and belief are often doubled-down upon when challenged with better alternatives—even alternatives with considerable evidentiary support to the contrary of the held belief—which in and of itself would suggest considerable potential resistance to new authentication mechanisms. Users have held so firmly onto this method for such a very long time, so to upset the foundation of their psychologically entrenched ritual seems implausible. But, surprisingly, it is not implausible at all. That resistance has already been met and bested by many remarkable and new technologies. The aforementioned Cambridge study was released in 2010, and in just the four short years since we have witnessed some radical changes in authentication.
If Not Passwords, Then What Shall We Use?
As we mentioned at the start, wireless devices currently outnumber living human beings. In fact, one estimate claims by 2020 wireless devices will outnumber humans six to one – encroaching 25 billion connected devices. It is highly probable that nearly every human whom holds some form of an account somewhere that utilizes an authentication system – likely, of course, password-based – also possesses a wireless device, most likely a cellular phone. These devices offer an additional layer to authentication systems, a mechanism often referred to as two-factor or multi-factor authentication. In standard password-style authentication, the action performed is a one-factor authentication – you providing your username and password is the only asset utilized. A two-factor authentication system continues this process by confirming this authentication (first factor), then looking up your second authentication system (second factor, and in many cases a cell phone or security token dongle) and challenging the user for a code produced exclusively by that device. The concept behind two-factor authentication is that only you, the actual owner of the account, should be in possession of that second asset. Assuming the sanctity of all secret data – such as those assets' private keys – is retained, the system is purportedly impenetrable. This additional method on top of password-based authentication has long been employed in many high-risk applications, such as government applications, online banking, and recently even online gaming.
The idea was a novel concept back in 2006, but eight years later has become a commonplace addition to online banking. As far back as 2003, RSA implemented the use of two-factor authentication with its SecurID dongle, a token system used largely in governments and large corporate environments. The SecurID system, however, did fall victim to a social engineering attack in 2011. Even the massively popular online game World of Warcraft has employed the use of two-factor authentication for over four years. Unfortunately, Blizzard's Battle.net two-factor authentication system has also met its own difficulties from a carefully crafted trojan virus. Many other corporations have utilized two-factor authentication, such as Google and many banking institutions, both of which have also been met with problems, as well.
These failures are important to note because they highlight that even better, two-factor authentication solutions are not a perfect solution. Even so, the banking industry has noticed a significant drop in online banking fraudulent activity with the implementation of two-factor authentication. Yahoo!, learning from its past compromises, has begun to heavily work with alternative open standard and decentralized authentication protocols like OAuth and OpenID, which has resulted in a measurably stronger security posture for the company and, of course, other organizations that utilize these API technologies. More and more types of systems come into existence each year and reduce the exclusive reliability on passwords alone. However, all these technologies require a cognitive challenge-and-response activity from the user, and although biometric systems have existed for decades, only within the past year or two have they truly made their way into commonplace authentication technologies.
Originally, IBM made headlines well over a decade ago with the fingerprint reader built into their ThinkPad laptop series. However, these were usually not popular outside, again, government and large corporate environments. More recently and, of course, far more famously, the Apple iPhone 5S and the Samsung Galaxy S5 have exploded the field of biometrics authentication into everyday life when they implemented fingerprint readers in their cell phone technology. (Of course, both the iPhone 5S and the Galaxy S5 have almost immediately been bested by clever hacks and other methods of circumvention.) And now the godfather institution of the Internet and many other unarguably badass technologies of the world, the Defense Advanced Research Projects Agency (DARPA), has jumped again into the game with their 'Active Authentication' program. DARPA, in partnership with many research institutions, is turning various biometrics and behaviors into authentication mechanisms, such as hand gestures, predictable behavior patterns, even our language and grammatical choices – all these and more are potential authentication portals years or less down the road.
As for now, though, it seems that two-factor authentication (with cellular phone two-factor currently being the choice du jour) has led the race for the eventual retirement of passwords, but with the help of biometrics and other innovative ideas, passwords are being nudged out even quicker. Indeed, it will not be long before the archaic notion of username and password in commonplace usage comes to an end not with a bang, but a fizzle, as modern and secure protocols slowly but surely take its place. It is impossible to say what protocol will become the ultimate victor, but one thing is certain: while it will never truly and entirely go away, password-based authentication will soon be a museum piece much like the Massachusetts Institute of Technology Compatible Time-Sharing System it all started on.