“A false sense of security is the only kind there is.”
― Michael Meade
The guy seems so self-confident. He's proudly showing off his “new gadget”. “Look,” he says, “I don't need the PIN code anymore, my finger is my password. Look how easy it is: I just pass my finger over the screen and I'm in. And if someone steals my iPhone? It becomes useless, unless…”, an arrogant smile crosses his face, “…unless someone cuts off my finger…”.
He talks loudly, looking around for confirmation that everyone is paying attention to him. I do, well, I simply act as if I do, but honestly it's not his words that catch my attention, nor the technology involved. Passwords must die. The death sentence has already been issued, and so text passwords will go, one way or another.
Goodbye character-based password, long live the new way: biometrics, geolocation, anything and possibly more. Well, honestly… f**** the new way! Where's the so-called security? Because honestly I do not see anything that will protect me more than what my character-based password used to.
Let's start from the beginning. In its 2013 predictions Deloitte pointed out quite clearly that:
1. Our random passwords aren’t random
Humans can't remember more than 7 numbers in their short-term memory. Over a longer period, the average person can remember only 5 numbers. So what do we do? We cheat, and we use only a limited number of the 32 keys on the keyboard (interestingly, because we have trouble distinguishing them from each other).
So random passwords aren't random at all: according to recent research, out of 6 million user-generated passwords, the 10,000 most common of them (that's 0.16 per cent) would have given access to 98.1 per cent of all accounts.
2. Although everybody knows you shouldn’t reuse passwords, we all do
The average user has 26 password-protected accounts — and anybody who uses cloud services routinely probably easily has double that number of accounts. For those 26 accounts, users on average have 5 passwords.
Because of password re-use, a security breach on a less-secure gaming or social networking site can expose the password that protects a bank account. This is exactly what happened in a series of breaches in 2011 and 2012, and there are now websites where tens of millions of actual passwords can be accessed. (Deloitte)
3. Passwords have become easier to crack thanks to crowdhacking
The best password cracking machines can crack any eight-character password in 5.5 hours. And while those machines are too expensive for the average hacker, software to crowdhack passwords means that hackers can simply team up in huge numbers and combine hundreds of slower machines to crack passwords much faster.
4. The shift to mobile will make passwords even weaker
Because the “special” keys on smartphones are so difficult to reach, it's easier to just use the characters that you can access easily. On a PC, typing a strong 10-character password takes about 4 to 5 seconds. On a smartphone with a keyboard, it can take up to 10 seconds. On a smartphone with just a touch screen, that shoots up to 30 seconds.
“Technology, Media & Telecommunications Predictions 2013” — Deloitte 2013
Let me add “We all know that passwords are not secure anymore”, so yes, please give us another way to authenticate. But what is a password, in the end? Let's try to define it:
- It's the “tool” I use to get in where nobody else can
- It's a “tool” that is easy to remember (how to use it)
- It's a unique “tool” that should be “easy” for me to use and hard for others to “get/use”
The “tool” could be the password itself or the mechanism used to pass the information that acts as the final password. If I use a character-based password I may assume that it is: known only by me (point one), easy to remember (point two), at least for me (I'm the author of the password itself), unique (at least I think so) and easy for me but hard for others (at least I think so). Biometrics? Pass your finger, point your eye at it, show your face to the camera, talk quietly into the microphone, just be yourself… etc.
But we're human, and in the case we're discussing, character passwords are weak. Deloitte's points are all true and agreeable. We're human after all, and consequently we're predictable. To use the words of Ronald A. Heiner in his “The Origin of Predictable Behavior”:
Uncertainty generates Rules which are adapted only to likely or recurrent situations
Selection Processes do not simulate optimizing behavior
Weak selection processes may allow dysfunctional behavior to persist
Great uncertainty will cause rule governed behavior to be more predictable
Ronald A. Heiner — The Origin of Predictable Behavior
A character password is weak because:
- We tend to re-use the same passwords
- We cannot remember a random combination of letters, numbers and special characters (all the special characters) if the sequence is longer than 15, maybe 20, characters. Oh, by the way, “1amS0pR0ud0f;uTha1'lLc0m3H0m3” (“I'm so proud of you that I'll come home”) is not by any chance random or strong: it is an English sentence with a handful of predictable digit-for-letter substitutions, exactly what a cracker's mangling rules are written to reverse. To use an old sexist joke: “it's not the size but how you use it that really counts…”
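To make two of the points above concrete (Deloitte's “any eight-character password in 5.5 hours” and the leet passphrase just quoted), here is an added example; it is not code from the original post. It computes the guess rate that the Deloitte figure implies, then shows why a mangled English phrase is far weaker than its length suggests: it reverses the substitutions, splits the result into dictionary words, and compares a naive brute-force entropy estimate with a phrase-model estimate. The wordlist is a constructed stub, and the 1.3 bits per letter of English text and the one-bit-per-substitutable-letter mangling cost are modelling assumptions (Shannon's classic estimate for printed English is around one bit per letter).

```python
"""Added example (not from the original post): how strong is a "leet"
passphrase, really?  Compares a naive brute-force estimate with the
dictionary-plus-mangling model that password crackers actually use."""
import itertools
import math

PRINTABLE_ASCII = 95              # alphabet size for the brute-force estimate
DELOITTE_SECONDS = 5.5 * 3600     # "any eight character password in 5.5 hours"

# Substitutions a cracker's rule set reverses; "1" is ambiguous (i or l).
LEET = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "t",
        "@": "a", "$": "s", "!": "i"}
SUBSTITUTABLE = set("".join(LEET.values()))   # letters a user might have mangled

# Constructed mini-wordlist for the demo.  A real attack uses a full
# English dictionary, which only makes the phrase easier to find.
WORDS = {"i", "am", "so", "proud", "of", "you", "u", "that", "ill", "come", "home"}


def keyspace(alphabet, length):
    """Number of candidates for a password of `length` symbols from `alphabet`."""
    return alphabet ** length


def implied_guess_rate(length=8, alphabet=PRINTABLE_ASCII, seconds=DELOITTE_SECONDS):
    """Guesses per second needed to exhaust the keyspace in `seconds`."""
    return keyspace(alphabet, length) / seconds


def unleet(password):
    """Every plain-text reading of `password` once LEET digits/symbols are
    mapped back to letters.  Lower-cases and drops other punctuation."""
    slots = [LEET.get(c, c) for c in password.lower() if c in LEET or c.isalpha()]
    return ["".join(p) for p in itertools.product(*slots)]


def segment(text, words=WORDS):
    """Split `text` into dictionary words, minimising the number of letters
    left unmatched.  Returns (words_found, unmatched_letter_count)."""
    n = len(text)
    best = [(math.inf, [])] * (n + 1)       # best[i] = (cost, words) for text[:i]
    best[0] = (0, [])
    for i in range(n):
        cost, found = best[i]
        if cost == math.inf:
            continue
        if cost + 1 < best[i + 1][0]:        # leave text[i] unmatched, cost 1
            best[i + 1] = (cost + 1, found)
        for j in range(i + 1, n + 1):        # or consume a dictionary word
            if text[i:j] in words and cost < best[j][0]:
                best[j] = (cost, found + [text[i:j]])
    return best[n][1], best[n][0]


def best_reading(password):
    """Pick the un-leeted reading that decomposes best into dictionary words."""
    scored = []
    for reading in unleet(password):
        words, unmatched = segment(reading)
        scored.append((unmatched, reading, words))
    unmatched, reading, words = min(scored)
    return reading, words, unmatched


def entropy_estimates(password, bits_per_letter=1.3):
    """(brute-force bits, phrase-model bits) for `password`.

    Brute force assumes every character is uniform over PRINTABLE_ASCII.
    The phrase model assumes the user chose an English phrase (about
    `bits_per_letter` per letter; Shannon put printed English near one bit
    per letter, 1.3 is an assumption here) and then decided, for each
    substitutable letter, whether to mangle it (one bit each).  The phrase
    figure is a rough model, not a measurement."""
    naive = len(password) * math.log2(PRINTABLE_ASCII)
    reading, _, _ = best_reading(password)
    mangle_bits = sum(1 for c in reading if c in SUBSTITUTABLE)
    return naive, len(reading) * bits_per_letter + mangle_bits


def crack_seconds(bits, rate):
    """Worst-case time to search 2**bits candidates at `rate` guesses/s."""
    return 2 ** bits / rate


if __name__ == "__main__":
    pw = "1amS0pR0ud0f;uTha1'lLc0m3H0m3"      # the phrase quoted in the post
    rate = implied_guess_rate()
    print(f"guess rate implied by 'any 8-char in 5.5 h': {rate:.2e}/s")
    reading, words, unmatched = best_reading(pw)
    print(f"reads as {reading!r}: words {words}, {unmatched} letters unmatched")
    naive, phrase = entropy_estimates(pw)
    print(f"brute force: {naive:.0f} bits -> {crack_seconds(naive, rate):.1e} s")
    print(f"phrase model: {phrase:.0f} bits -> {crack_seconds(phrase, rate) / 60:.0f} min")
```

The Deloitte figure implies roughly 3.4e11 guesses per second. Against that rate the 29-character string looks unbreakable under the naive model (about 190 bits), but under the phrase model it carries about 50 bits and falls in about an hour; the gap between those two numbers is the “false sense of security” this post is about.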
So now we have decided that it is time to move on and get something more secure. Let me re-use the first sentence of this post:
“A false sense of security is the only kind there is.”
― Michael Meade
Why do you think that biometrics or 2FA (two-factor authentication) or a combination of them would be more secure? Before going further, let me clarify a couple of points: I'm ABSOLUTELY convinced that character passwords should stop being used as soon as possible, and I fully support initiatives like FIDO (http://fidoalliance.org/); nonetheless I think that in many cases we're approaching the problem from the wrong (even if agreeable) perspective.
A combination of authentication systems, maybe based on biometrics and U2F, may seem a good idea, but… well… I've summarized a list of “well… but…” to help you figure out the point by yourself:
- how many times do you touch something that is not your UAF-compliant device with the same finger you use to authenticate?
- how many times do you look into a camera, with or without knowing what use will be made of that “image”?
- how many times are your face or your voice recorded?
- how many times do you simply leave your desk or your cubicle/office for a rush to the bathroom, or just for a coffee, with your dongle still there? Be honest… c'mon.
- how many times is other information about you recorded without you even knowing or remembering?
No? You're not on the list?
But you have such a passion for this “thing” called the Internet of Things, don't you? What's on your list? A Tesla car? Google contact lenses? A smart wristband? A Nest thermostat? Oh, wait: a car that may record your voice to accept input from you, a contact lens that may record some specific parameters and eventually take a picture of your retina, a wristband that measures and records much of your biometric information, with the nice plus that it may track your geo-movements, and oh yes, the thermostat that may know whether you're in the house or not…
The “war” against character passwords is quite correct in its approach: they're weak, so they must be removed. But it forgets one small but real issue.
The human factor
Exactly as with the character password, the security behaviour I apply to my “new” authentication method will determine how well that method resists potential threats. Does this mean you should start wearing gloves? Okay, don't be paranoid, but take the point and stop thinking in a dichotomous way.
A password is a method of authentication, not a security model. If you rely on it, feeling confident that a “new” system is more secure than the older one simply “by definition”, you're completely wrong. It's even worse, because I see an ever deeper separation between the method and the methodology.
We, the computer industry, seem to be focused on getting the most complex method of authentication, the “mother ship” of all authentication systems, simply forgetting that in the end what makes things secure are simple things like the end-user experience, the environment variables that must be considered when using the authentication system, etc. Am I going to switch back to contextual authentication? Nah, not this time, but it's a good point if taken into the “password discussion”.
The Internet of Things will produce, and is already producing, an unbelievable number of potential entry points to your digital identity and consequently to your “inner” security. Underestimating this will only produce another set of weak “passwords”, even weaker than the old ones.
Exactly as we're doing with the FIDO Alliance and other interesting projects that are producing standards and methodologies to build more secure ways to authenticate and protect users, we, the IT guys, should make an effort to engage our end users and provide them with the right “tools”, which are: awareness, evaluation, information.
- awareness: any action (positive or negative) produces a reaction, sometimes tangible, other times only potential. You're human, and consequently predictable; remember that and act accordingly.
- evaluation: nothing is secure by design, so do not expect it. Evaluate the environment where you're going to use the “password” and act accordingly.
- information: a “tool” is hard to use until someone teaches you how to use it properly. Every trainer knows that teaching someone close to him/her is the hardest job. Do not assume people understand our “language”; help them to understand using their “language”.
In a word?
security is a #habit