There’s been a conversation about passwords. Are they strong? Are they secure? Is an 8-digit password enough, or is it easy to bruteforce? We’ve seen huge dumps of passwords lately, and companies such as Google are trying to get rid of password authentication by using USB keys etc.
Before I move on to the subject, some core concepts. A hash function (such as MD5) is a function that takes an input and creates a certain output based entirely on the input. We expect hash functions to be collision-resistant, i.e. we want it to be hard for an attacker to find an input X so that hash_function(X)=hash_function(ORIGINAL_INPUT).
Another core concept is two-factor authentication. This is quite simple: the user must have any two of the following three:
- Something he, and only he, knows (a password for example)
- Something he, and only he, has (a private key for example or his cellphone)
- Something he, and only he, is (mostly biometric things)
The final concept is public key cryptography, which I mentioned before. The main problem with cryptography is the need for a secure channel to exchange encryption keys, but if someone has a secure channel, then why doesn’t he exchange the message over it in the first place? Because there’s no such thing as a secure channel (well, there is, but not for everyone). In order to solve this, Diffie and Hellman proposed public key cryptography. The concept is simple. Let’s assume that B wants to share some confidential info with A. A has used a function that created two outputs. The first one is the public key of A (PKA) and the second is the private key of A (KA). PKA is public and it doesn’t matter who has it. B takes PKA, encrypts the message and mails it to A. The only way to decrypt the message is to use KA. KA is only available to A, so A is the only one who can see the original message.
Back to passwords and the authentication problem. Authentication is the most commonly attacked concept of computer security. Attackers either bypass it or authenticate as a legitimate user by guessing/bruteforcing/you-name-it the authentication process. So far, so good, but in my opinion the problem does not lie in the passwords. There are two main problems here: the first one is users, the second is developers.
Starting with users: users need to be educated regarding security. There have been studies from many sources regarding both password practices and educating users. A normal user, who may be privileged, is an insider threat to any information system. My thoughts here are pretty straightforward. An ignorant user was, is and will always be a threat to any system. Such users are extremely dangerous when they are privileged. Such ignorance is a vulnerability, and chances are that the system will get owned with USB authentication as fast as it would with a password.
What if users are already trained and someone still dumps their passwords, which are pretty complicated to guess and/or bruteforce? Developers need to be educated as well. Have you seen any of these dumps lately before their passwords were “unhashed”? Most of these dumps contained passwords hashed with insufficient functions that have huge known collision and rainbow tables, and even without a proper salt (salting is concatenating the password with a string and hashing the concatenated string). It is obvious that if you use such functions and a dump takes place, for example through SQL injection (replace SQLi with every single attack that breaches either the confidentiality or the integrity of the system), you are in serious trouble.
As a conclusion, although I am not against using new methods such as hardware or two-factor authentication, security professionals have to run a security awareness campaign and train both users and developers, because the problem does not lie in passwords but in the improper implementation of authentication mechanisms and in improper passwords or bad practices.
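To make the developer side concrete, here is an added example (not code from the original post) that stores the same constructed accounts twice: once with unsalted MD5 and once with a random per-user salt. It goes a step beyond plain concatenation by feeding the salt into PBKDF2-HMAC-SHA256, a deliberately slow function; the account names, passwords and iteration count are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 200_000  # assumed work factor for this example; raise it as far as your hardware allows


def weak_hash(password):
    """Unsalted MD5: equal passwords always give equal hashes."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password, salt=None):
    """Return (salt, key): a random per-user salt fed into a deliberately slow KDF."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key


def verify_password(password, salt, expected_key):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], expected_key)


def shared_hashes(table):
    """Group users whose stored value is identical, as someone reading a dump would see it."""
    groups = defaultdict(list)
    for user, stored in table.items():
        groups[stored].append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)


# Constructed sample accounts: alice and bob picked the same password.
USERS = {"alice": "Summer2024!", "bob": "Summer2024!", "carol": "x9#Lq7$vTz"}

weak_table = {u: weak_hash(p) for u, p in USERS.items()}
strong_table = {u: hash_password(p) for u, p in USERS.items()}

if __name__ == "__main__":
    print("unsalted MD5, users sharing a hash:", shared_hashes(weak_table))
    print("salted PBKDF2, users sharing a hash:", shared_hashes(strong_table))
    salt, key = strong_table["alice"]
    print("alice logs in:", verify_password("Summer2024!", salt, key))
```

With the unsalted table, one precomputed lookup exposes every account that shares a password; with per-user salts, each stored value has to be attacked separately and each guess costs the full iteration count.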
/me iz out