Passwords are The Most Secure Authentication Method

Introduction

I am sure the title drew you in a bit.  It does go quite contrary to a majority of security experts out there, and I would like to clarify my feelings about it.  Don’t worry, they are not entirely wrong.  I am, however, willing to stand against them for this one topic.  First, when I say passwords, I really am referring to the “Something you know” method of authentication, and not just passwords.  The distinction is very important to make, as it is not just passwords that are very effective, but all forms of Something you Know authentication.

I should also be more specific in my statement so that when I explain it, you might understand better.   Again, every security expert in the world is not wrong.  Great advances are continuing to be made daily, and with the way technology goes it could very well end up that this post will be obsolete by tomorrow.  However, I will hold that of the three authentication methods when used alone, something you know is the most difficult for a potential adversary to ascertain without trying to bypass the authentication method altogether. 

I guess a bit of information for those unfamiliar with methods of authentication, and what brought me to say this to begin with.  There are three types of authentication:  Something you know, Something you have, and Something you are.  Use of a single method constitutes 1-factor authentication.  An example would be using an iris scanner to log into a computer.  If you combine two methods you now have 2-factor authentication.  This would be the equivalent of putting a pin in after using your iris scanner to log in.  If you use some form of all three authentication methods, you now have 3-factor authentication.  This is if on top of the pin and iris scanner, you have to have a proximity card as well.

Something you Know:

This is the first method of authentication most people consider when looking at the three methods.  Any form of authentication which requires you to remember a set of information to regurgitate in order to prove your identity.  Unbelievably, your username is actually Something you Know in regards to authentication.  Other forms of Something you Know are:

  • Passwords
  • Security Questions (Mother’s Maiden Name, Favorite Color, Car Make)
  • Pins

Something you Have:

Something you Have is typically the second method people consider.  Cost wise, it is much cheaper than most Something you Are systems, and it compliments Something you Know quite well.  There is a good likelihood that you are familiar with this system as it is used in ATMs and card readers.  This method of authentication includes:

  • One Time Passwords
  • Tokens
  • Smart Cards
  • Magnetic strip cards (credit cards, or hotel keys)
  • A physical key (I have used one or two in older computers)
  • RFID
  • Any other physical item(s) which you hold.

Something you Are:

This method has been getting more and more use as costs lower and technology progresses.  This is also the major catalyst which is driving people who make the argument of which is better.  Something you Are is commonly referred to as biometric authentication, and includes any authentication which uses a physical or biological characteristic of the user to authenticate them.  An excellent example of this would be facial recognition used in the Xbox One.  Once you log in, you can set your account up with facial recognition.  All you need to do to log in is stand in front of the Xbox to log in.  Something you Are authentication includes the following:

  • Facial Recognition
  • Fingerprint Scanners
  • Hand Scanners
  • Iris Scanners
  • DNA Scanners
  • Voice Recognition
  • Vein Scanner

Where it all is Flawed:

Ok, now that the quick lesson is done.  I want to say that every single authentication method is flawed in some way.  Back doors exist.  By doing a quick Google search, you can find a plethora of methods to bypass passwords, biometrics and tokens.  We have to remember that at any time you allow an adversary physical access to a system, your authentication can more than likely be bypassed quite easily through vulnerabilities inherit in most systems.  Additionally, any time there is an insider threat, your authentication mechanism alone is not going to stop them as you already gave them access.

This is important to note, because most security experts make claims that passwords are vulnerable to rainbow tables, and man in the middle attacks (you can insert any number of attack here because there are a lot I don’t want to get into.)  There is, however, a caveat that most security experts do not point out, the same methods of attack can be used against any method of authentication.  I am also over simplifying what a hacker must do to get in.  Sometimes it takes a very complex mechanism to bypass security.  The point here is, it is possible.

Context:

                This is where I get into semantics to make sure that I am not hung for my blasphemous ideas.  I understand that passwords are constantly forgotten, and that people write them down.  I understand that people use their name as their password or more commonly “password” as their password.  I also know that most businesses have standardized usernames which bypasses any effective defense that would have as a method of deterrence.  The last point I have seen is that a password can be guessed if someone effectively knows the user and guesses over time.

Lost Passwords:

To counter, people forget passwords rather often and write them down to forget.  The moment someone does this, they change the authentication method.  It is no longer something you know, but something you are.  This makes it a moot point to my argument, as now that password which was written down falls under the flaws inherit in the Something you Have method of authentication.

Bad Passwords:

People are stupid; this is the most common defense security experts will use.  People will just make their password a keyboard walk (qwertyuiop[QWERTYUIOP{) or “Password”.  Ghadafi used “abc123” I think it was, regardless this is not a baseless argument.  If not configured properly, a password that is not complex enough is effectively useless.  In fact it is worse than useless because depending on your level of access, it could be very detrimental if someone gets through.  However, when configured properly, most systems prevent the use of weak passwords.  Windows Group Policy can require complex passwords.  Additionally, this is where training and random tests can keep your users on the right track.

Standardized Usernames:

This is where I have to concede.  The standardization of usernames is a necessary evil.  Organizations which are large would have substantial difficulty managing users with non-standardized usernames.  Unfortunately, because the usernames are typically standardized in a policy, and a person’s name is open information for the most part, this really removes standardized usernames from the authentication method altogether as anyone could get it.

Guessed Over Time:

Ok, as my last counter before I speak on the real advantage of passwords is that people can gather information and guess your password over time.  Most authentication systems have a lockout policy which locks an account out after a number of failed login attempts.  In Windows it is done through Group Policy, but assuming they are checking over time.  Passwords are required to be changed over a set period of time.  Again, in Windows, this is managed through group policy.  To an ineffectively designed or configured system, this is a very valid concern.  Additionally, for security questions, the information may have been given out to people through various open channels which would make them ineffective.

Advantage of Something you Know:

There is one major advantage of Something you Know which give me my stance.  They are in your mind.  They are not written anywhere, they are not located somewhere to be taken from you.  An adversary cannot walk up to you and just “take” your password without your consent.  Yes it can be guessed, but a sufficiently complex password would take years to guess, and as previously mentioned password change policies can make this approach ineffective.  Also, yes I concede that you can be tortured, but technically even then you could, if it meant enough to you, not divulge your password.  (Yes I watched a spy movie or two.)

Flaws in Something you Have:

I keep talking about the flaws inherit in Something you Have.  To be more specific I am talking that someone can obtain your object.  In some cases, it can even be recreated and cloned.  A credit card is an excellent example of this.  Identity theft is proof enough for that.  While it has been proven that RFID information can be “skimmed”, newer cards are not transmitting the required information to recreate an entire card with.

The point is, it can be taken.  You do not have to give it, and you do not have to give permission to use it.  If someone obtains your RFID card, they can log in.  If someone steals your key, they can unlock your computer.   If you are mugged, and your token is stolen, that doesn’t make you a bad user, just an unfortunate one.

Flaws in Something you Are:

As I mentioned before, I have seen the most push that Something you Know is useless from supporters of Something you Are.  I do not discount Something you Are, however I want to point out the dangers of using it.  I will go back to my Xbox One example earlier.  I found a flaw in that by accident, and Microsoft cannot fix this flaw as it is inherit in the idea of facial recognition.  I do not own an Xbox One, my twin does.  I however, could log into his account without a password because he had set up facial recognition.  Our faces look identical, so it is saw us as the same person.  This really confused the system when I set up my account on there with facial recognition.  We were forced to eventually remove my account because it would randomly choose one for him to log in depending on the lighting most likely.

Additionally, if I had a picture of him, and held the paper up to the screen, it might have let me in.  This flaw was recently found in iris scanners as well.  A sufficiently high quality scan of an eye could allow an adversary to get past an iris scan.  More importantly, this flaw opened up another point which I will get back to after a bit.  Fingerprint authentication is another good method which has been in use for a while, and it has been seen in laptops and other systems more and more lately.  Try cutting your thumb and using it.  At a Defcon conference, it was shown that fingerprint-scanning software could be fooled with dusting for fingerprints and recreating the fingerprint using a mold of the fingerprint.  Flawed enough if that stapler goes missing, you might be burning down the building when someone uses your account to do some bad stuff.

DNA scanning, Vein Scanning, and most any other biometric scanning technology might very well provide absolute authentication, if it wasn’t for another point I want to get back to now to just ruin someone’s day.  The iris scanning flaw had another scary factor.  The recreated iris wasn’t just a picture of someone’s eye.  It was recreated using data which was stored by the scanning software which it compared the eye against.  Now, at face value, this might be a massive amount of points, but recreated it represents your DNA, or your fingerprint, or your veins, or any other biometric data.

But WAIT!? Didn’t I say this is a flaw in every method of authentication and was discounted earlier in passwords?  Yes I did, but let’s consider for a moment what happens if your password hash is stolen?  You can change your password.  What if you are mugged and your token is stolen?  You can just get a new one.  Now let us extend this to biometrics.  What happens if your biometric data is stolen?  It is compromised, and it will ALWAYS be compromised.

In today’s world, we are all attempting to get ourselves out there to be seen.  To get more likes, to have more shares than the next person.  In the process, we have made several methods of biometrics useless.  The remaining methods are capable of being stolen just like a token can be.

Conclusion:

This brings me back to my point.  Something you know is not “old and useless”, it is quite strong, and may be the link that holds your security system in place after others fall.  When stacked up together with the other methods, Something you Know can hold its own quite well, and should not be discounted as a secure method of authentication.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s