29.03.2018 | Adrian Bachmann

Death to the Password - Long Live the Password


The password is still alive

A few years ago the media (see e.g. [1]), but also experts, announced the death of the password. Biometrics in all its facets (fingerprint, iris, palm veins, heart rate, voice) is just one of the technologies that was supposed to bring about its imminent demise. Years later, even in the age of blockchain and cryptocurrencies, we still handle passwords every day. Little has changed: every user has countless passwords. Sometimes at least 8 characters, sometimes at most 8, sometimes with at least one digit and one special character, sometimes guaranteed without special characters, and sometimes with no rules at all. It is almost impossible to keep track. And so the inevitable happens: users reuse the same password wherever possible, or vary it only slightly. For the bad guys, this is a real treat. Nor does it help that, according to a survey, 98% of hackers do not wear ski masks in front of their computers [2]. But what can the individual user do when the 20 or so accounts they believe they use still demand a password? Let us be clear: solutions that would strip passwords of their power are on the horizon, but they are likely to take some time. In the meantime, practicable ways out of the current password chaos are needed.

The account basics for users

The following two basic rules can significantly reduce the risk of account misuse and even increase convenience for the user.

  1. Use a separate, secure password for each service. No password recycling! No, really not! Beyond a certain number of accounts, a secure password safe (e.g. KeePass [3] or LastPass [4]) is strongly recommended. It is then no problem to use automatically generated, strong passwords, since you are not expected to remember them anyway and retrieve them from the safe each time. Reusing the same password, often in combination with your own email address as username, opens the door for criminals to abuse a user's other services after a successful attack on just one of them. In 201, over 90,000 accounts and their passwords were stolen from Swiss internet services [5, 6]. You can find out whether you yourself are affected with an online query at the Reporting and Analysis Centre for Information Assurance (MELANI) [7]. Without password recycling you can be much more relaxed about such account thefts: only the one account in question is affected, rather than many other personal accounts suddenly being at risk and having to be changed every evening.

  2. Wherever possible, use strong or 2-factor authentication (e.g. SMS/mTAN, an OTP app, or a FIDO device such as a YubiKey) to further secure your accounts. This significantly increases protection. Even with an additional factor, it would be a mistake to assume that rule no. 1 no longer applies. Internet services increasingly offer login via a trusted and secure identity provider (IdP) such as Google, Microsoft or Facebook instead of a local account. This is a convenient way of reducing the number of accounts, but the IdP account itself must then always be secured by strong authentication, since it becomes the key to every service behind it. The importance of identity providers can be expected to increase significantly in the future, as current national initiatives around eID, SwissID, SwissPass, etc. show.

Password yes - but secure!

Obviously, we will have to live with passwords for some time to come. Besides recycled passwords, weak passwords in particular are a major security problem. The 20 most frequently used passwords in Switzerland make for a list of horrors (as at 02.03.2018) [8]:

  1. 123456
  2. 123456789
  3. 12345678
  4. 1234
  5. 12345
  6. 111111
  7. 1234567
  8. hallo
  9. abc123
  10. password
  11. qwertz
  12. passwort
  13. 1234567890
  14. 666666
  15. soleil
  16. sommer
  17. 123123
  18. daniel
  19. blabla
  20. andrea

Years and postcodes are apparently also particularly popular in Swiss passwords, and the two-digit numbers 12, 01, 11, 14, 13, 10, 99, 77, 69 and 22 seem to be favourites of Swiss users.

Secure passwords should not only have at least 8 characters but also a certain complexity. Words, names and keyboard patterns should be avoided wherever possible. With a password safe, secure passwords can be generated, managed and retrieved quickly and easily for every service used, including automatic filling of the login form. There is thus no need to memorise countless secure passwords made up of a jumble of letters, digits and special characters.
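As an added illustration of this paragraph (not code from the article or from any password manager), the following Python script does two things a password safe does internally: it rejects the kinds of passwords the list above warns about, and it generates a random replacement from a cryptographically secure source. The top-20 list is the one printed above; the Swiss-German keyboard rows, the 8-character floor, the 4-key run length and the "4-digit run" heuristic for years and postcodes are assumptions of this example.

```python
import math
import re
import secrets
import string

# The 20 most frequent passwords from the list above (as at 02.03.2018), lower-cased.
COMMON_PASSWORDS = {
    "123456", "123456789", "12345678", "1234", "12345", "111111", "1234567",
    "hallo", "abc123", "password", "qwertz", "passwort", "1234567890",
    "666666", "soleil", "sommer", "123123", "daniel", "blabla", "andrea",
}
# Rows of a Swiss-German (QWERTZ) keyboard; an assumption of this example.
KEYBOARD_ROWS = ("qwertzuiop", "asdfghjkl", "yxcvbnm", "1234567890")
MIN_LENGTH = 8                 # the article's floor
MIN_RUN = 4                    # "1234" counts as a keyboard pattern, "123" alone does not
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def keyboard_patterns(min_run: int = MIN_RUN) -> set:
    """All runs of `min_run` adjacent keys along a row, in both directions."""
    pats = set()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            pats.update(seq[i:i + min_run] for i in range(len(seq) - min_run + 1))
    return pats


KEYBOARD_PATTERNS = keyboard_patterns()


def weaknesses(password: str) -> list:
    """Reasons a password should be rejected; an empty list means it passes."""
    p = password.lower()
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if p in COMMON_PASSWORDS:
        reasons.append("in the top-20 list")
    if any(pat in p for pat in KEYBOARD_PATTERNS):
        reasons.append("keyboard pattern")
    if password.isdigit():
        reasons.append("digits only")
    if len(set(p)) <= 2:                       # 111111, 666666
        reasons.append("too few distinct characters")
    if re.search(r"\d{4}", password):          # years and Swiss postcodes are 4 digits
        reasons.append("contains a 4-digit run (year or postcode)")
    return reasons


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 16) -> str:
    """Uniformly random password drawn with `secrets` (a CSPRNG; never use `random`),
    re-drawn in the rare case the draw happens to trip one of the checks above."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not weaknesses(candidate):
            return candidate


if __name__ == "__main__":
    for pw in ("123456", "qwertz", "Zuerich2018!", "correct horse battery staple"):
        print(f"{pw!r}: {weaknesses(pw) or 'ok'}")
    pw = generate_password(16)
    print(pw, f"({entropy_bits(len(pw)):.1f} bits)")
```

The entropy figure only holds for passwords that really were drawn uniformly at random; a human-chosen "Zuerich2018!" has the same length as a generated one but far fewer bits, which is exactly why the generation is left to the safe.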

The human being as a weak point

Obviously it is not (only) passwords that are the problem, but above all the human component. Our handling of passwords has challenged security specialists for years and motivates them to look for alternative procedures and solutions. Regular password changes and minimum complexity requirements are just two examples of rules intended to make passwords (supposedly) more secure. In practice, such rules lead users to keep passwords on Post-it notes as a memory aid, so they actually increase the risk of successful account misuse.

Let this article inspire you to change your password habits today. Setting up a password safe takes only a few minutes, saves you clicking countless "forgotten password" links, and significantly improves the security of your accounts.

Death to the universal, universally used, weak password - long live the secure, service-specific password, whenever possible combined with strong authentication.

PS: Shortly before this readme issue went to press, c't 07/18 covered the key topic "Forget passwords!". It discusses further points on handling passwords securely and also puts 15 password managers to the test. Highly recommended reading! [9]

References

[1] https://www.tagesanzeiger.ch/digital/internet/Tod-dem-Passwort-/story/26979882
[2] http://www.der-postillon.com/2012/01/umfrage-98-prozent-aller-hacker-tragen.html
[3] https://keepass.info
[4] http://www.lastpass.com
[5] https://www.ncsc.admin.ch/ncsc/de/home/aktuell/news/news-archiv/passwoerter-von-21000-e-mail-konten-im-umlauf.html
[6] https://www.ncsc.admin.ch/ncsc/de/home/aktuell/news/news-archiv/passwoerter-von-70000-e-mail-konten-im-umlauf.html
[7] checktool.ch - Not available anymore
[8] http://www.swissleak.ch
[9] c't magazin für computer technik, issue 07/18 of 17.03.2018, Heise Zeitschriften Verlag, https://goo.gl/rSS9Eg

Note: This article was also published in the Alumni Readme magazine.



About the author

Adrian Bachmann is an experienced security expert and risk manager. He advises his clients primarily in the key areas of identity and access management (IAM), authentication, federation, risk management and internal control systems (ICS). He is also a recognised security architect.

Adrian Bachmann, Partner, Managing Director