The Password Model is Broken
The time-honored username/password model no longer works very well. The fact is that people have trouble with passwords. As a result, they make it easy for the bad guys to compromise their passwords and get access to things to which they should not have access.
Why are passwords bad? Let me count the ways:
- People have a hard time remembering strong passwords
- They make passwords simple and easy to remember
- They use the same password on every site so they only have to remember a few passwords
- They don’t know how to make strong passwords they can remember
- They write them down and leave them lying around
- They don’t write them down so they forget them if they don’t use them often
- Resetting passwords is a hassle for the user and the support people
Worst Passwords Ever
The following is the list of worst passwords for 2015, courtesy of the Huffington Post:
How to Improve Your Passwords
Strong passwords aren’t difficult to come up with. Using nonsense words and replacing some letters with numbers or punctuation marks can be effective in creating passwords that are strong and are relatively easy to remember. In general, the rules to follow are:
- Don’t use words found in the dictionary
- Don’t use names of children, pets, parents, etc.
- Make the password at least 10 characters and preferably more
- Don’t use obvious substitutions in real words, e.g. secur1ty, or secur!ty
- Don’t use the same password on multiple sites
- If you have too many passwords to remember, use a password manager
- Let the password manager generate strong passwords for you
- When you have the option, don’t rely on passwords alone (see below)
- Be especially careful with important accounts, like banks, PayPal, Google, etc.
- Don’t write your passwords down. If you have to do that to remember them, see #6 above
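To make the rules above mechanical, here is an added checker (example code, not from the page) that undoes the obvious substitutions the page warns about before comparing against a wordlist; the wordlist, the substitution map and the personal-name check are all constructed for the example.

```python
# Constructed stand-in for a real dictionary / breached-password list.
COMMON_WORDS = {"security", "password", "welcome", "dragon", "letmein", "qwerty"}

# The "obvious substitutions" the page warns about, mapped back to letters
# (constructed map; a real checker would use a much larger one).
LEET = str.maketrans({"0": "o", "1": "i", "!": "i", "3": "e", "4": "a",
                      "@": "a", "5": "s", "$": "s", "7": "t", "|": "l"})

MIN_LENGTH = 10  # rule: at least 10 characters, preferably more


def normalize(pw: str) -> str:
    """Lower-case and undo substitutions so 'Secur!ty' and 'secur1ty' both read 'security'."""
    return pw.lower().translate(LEET)


def check_password(pw: str, personal_names=()):
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    norm = normalize(pw)
    # Substring match: 'password2015!' is still built on 'password'.
    hits = sorted(w for w in COMMON_WORDS if w in norm)
    if hits:
        problems.append("built on a dictionary word: " + ", ".join(hits))
    for name in personal_names:
        if normalize(name) in norm:
            problems.append(f"contains the personal name '{name}'")
    return problems


if __name__ == "__main__":
    for candidate in ("secur1ty", "Secur!ty2015", "xq7!Lm29#vPz"):
        print(candidate, "->", check_password(candidate) or "OK")
```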
Single Point of Failure
The classic password system is what’s called a “Single Point of Failure”.
Imagine that your bank kept its vault outside the building where anyone walking by could get at it. Further imagine that the only thing keeping the bad guys out of the vault was a combination lock. No security guards, no cameras, nothing else to keep anybody from twirling the lock on the off chance that they’d guess the combination.
Websites are in pretty much that same position. The contents may not be quite as valuable as those of a bank’s vault, but there are more reasons to break into a website than stealing the contents. That’s a discussion for another time. Suffice it to say that the bad guys have plenty of reasons to break into any website, even yours.
Similarly, your important online accounts are equally vulnerable. Your PayPal account, your Google account and other accounts containing financial or personal data are sitting out there on the virtual curb protected in many cases only by a username and a password.
Threats to Website Security
Brute force attacks have become extremely commonplace. A brute force attack is where a bad guy or robot controlled by a bad guy tries multiple times to guess your username and password. These attacks aren’t very sophisticated and a service like PayPal or Google will have measures in place to thwart them by limiting the number of attempts to a very small number, asking security questions and other methods designed to make sure the visitor is human and qualified to access the site.
The real danger is when a site gets hacked and the bad guys pull a list of usernames and passwords from their database. Now, it’s no longer a brute force attack. It only takes one try on that site for the bad guys to log in to your account and do whatever they want with it.
In addition, having a list of known username and password combinations gives the bad guys a more sophisticated weapon than the basic brute force attack. They can run through the list of usernames and passwords and try each one to see if it works. Because many people use the same username and password on many sites, this approach can be very fruitful for the bad guys.
As mentioned, Google will ask security questions if the login is from a machine they’re not familiar with. That’s well and good and is a decent backup in case someone somehow gets your username and password. However, it’s not 100% reliable as Google doesn’t always know that the login is suspicious.
And then there’s the possibility that someone gets access to your computer or other device and tries to log in to your Google or PayPal account. If they know your username and password, Google is going to allow the login because your machine is known to them.
So, how do you safeguard your accounts from situations like these? Two-factor authentication.
What Is Two-Factor Authentication?
Two-factor authentication adds another layer of security to your username and password. After entering your username and password, you are presented with another form requesting a (usually) 6-digit code. In order to enter the correct 6-digit code, you have an app or device that generates new 6-digit codes every minute or so. This can be a dedicated device called a “token” or your smartphone with a special app for this purpose, e.g. Google Authenticator. In some cases, a text message containing the code is sent to your phone.
The generated codes appear to be random even though they are not truly random. In order for the system to work, the login process needs to know what the code is going to be so the token or app is synchronized with the account when you set up the two-factor authentication.
In the case of the text message, the system knows what code it just sent you so it can be completely random. In all cases, you have a limited amount of time to enter the number before the system times out and you have to start the process over again.
When I worked as a contractor at a pharmaceutical company a few years ago, I was issued a security token to be used whenever I had to log in to the network from outside, i.e. from home or a remote office. It took a few minutes to set it up when I first received it and thereafter it was synchronized to my login credentials.
Every time I logged in from outside the network, I had to have my token with me so that I could look at it and see what code was showing at that moment. The system asked for my email address, password and that code. It took a little time to get used to it as the code changed every minute and it wasn’t uncommon to be in the middle of typing the code as it changed to a new code. We got to where we watched the little flashing indicator that told us how much time was left before the code changed again. If the code was about to change, we’d just wait for the new one to be generated.
The most annoying thing about it was having to keep the token with me at all times. I was pretty good about it, but there was at least one occasion where I left it at home on the dresser and had to call my wife to read the code to me as I logged in!
Today, those tokens still exist, but there are smartphone apps that do the same thing. We all have our phones with us virtually always, so it’s not as likely that we’ll be without it when needing to log in. Fortunately, PayPal and Google and others have alternate ways to handle it if you don’t happen to have your phone with you, but it’s still best to keep your phone handy.
So, How Does It Work?
In most cases, you are presented with the usual login screen. You enter your username and password and click the button. You are then presented with another screen with an input field requesting the 6-digit code. PayPal’s screen looks like this:
Within 30-60 seconds after this screen appears, a text message is received on my phone. The message contains a 6-digit code which expires after 5 minutes. Once I enter that code in the screen and click “Continue”, the login process completes and I’m in my PayPal account.
Of course, the Internet being what it is, there isn’t one solution for every situation. There are a number of applications that do essentially the same thing. Google and Stripe (a payment processing service) both use the Google Authenticator app. The Google Authenticator is essentially a security token on your phone. When you log in to an associated site, you’re asked to enter the current code, a 6-digit number that has been generated by Google Authenticator. Stripe’s implementation looks like this:
At this point, I must log in to my phone, start up the Google Authenticator app and enter the number shown there into the screen above. The phone app looks like this:
Each number shown above is for a different website. The second line is for Stripe. The blue circles to the right of each number indicate the amount of time left before the numbers expire and change to a new set of numbers. Imagine a second hand that turns the circle black as it goes around. In the image above, there’s nearly a full minute left before the numbers change.
Entering the code shown into the login dialog allows the login process to complete.
Is It Foolproof?
Of course not. Nothing is foolproof. There are problems with two-factor authentication just as there are problems with every other authentication scheme out there. The good news is that two-factor authentication makes it much more difficult for someone to break into a protected account even if they somehow get your password.
Two-factor authentication adds another layer of security and makes it difficult enough that not many bad guys are going to go to the trouble to try to break it. If your service provider offers the option to enable two-factor authentication, I recommend you seriously consider it.
The Best of Both Worlds?
A new scheme is beginning to be used more often for applications where ironclad security isn’t necessary, e.g. logging in to websites and other similar applications. For banking and other types of sites containing sensitive data, two-factor authentication, or something similar, is still required.
For the average application, however, eliminating passwords is becoming more prevalent. How do you eliminate passwords and still maintain a reasonable degree of security? By utilizing an existing secure service the user is already using. Your email account is a good example, assuming you’ve used a strong password to protect your email account!
Here’s how it works…
- The user enters their email address in the login screen and clicks the button
- The system checks to see if the email address exists in the system
- If the email is registered in the system, the system sends a link to that email address
- The user clicks on the link in the email
- The system verifies that the link matches the user’s profile and logs the user into the system
While it’s very simple from the user’s point of view, there are checks and verifications going on behind the scenes. It’s relatively simple on the back end, as well, because this approach eliminates things like password resets, password encryption/decryption, password verification, etc.
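The checks behind the five steps above, as an added example (not the page's code): the token is generated from the system CSPRNG, only its hash is stored, each link works once, and it expires. The 15-minute lifetime, the base URL and the injectable clock are assumptions of the example.

```python
import hashlib
import secrets
import time

LINK_TTL = 15 * 60  # seconds a link stays valid (assumed policy, not the page's)


def _hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


class MagicLinkLogin:
    """Single-use, time-limited e-mail login links (example code)."""

    def __init__(self, registered_emails, base_url, now=time.time):
        self.users = {e.lower() for e in registered_emails}
        self.base_url = base_url
        self.pending = {}   # sha256(token) -> (email, expires_at)
        self.now = now      # injectable clock so expiry can be tested

    def request_link(self, email: str):
        """Steps 1-3: check the address is registered and, if so, mint a token and
        return the link to be e-mailed. Returns None for unknown addresses; the UI
        should show the same 'check your inbox' message in both cases so the login
        form cannot be used to discover which addresses are registered."""
        email = email.strip().lower()
        if email not in self.users:
            return None
        token = secrets.token_urlsafe(32)          # 256 bits from the CSPRNG
        # Only the hash is stored, so a copied table cannot be turned into links.
        self.pending[_hash(token)] = (email, self.now() + LINK_TTL)
        return f"{self.base_url}/login?token={token}"

    def redeem(self, token: str):
        """Steps 4-5: the user clicked the link. Returns the e-mail of the user to
        log in, or None. pop() makes every token single-use; an expired token is
        refused and removed at the same time."""
        entry = self.pending.pop(_hash(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        if self.now() > expires_at:
            return None
        return email
```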
You’re going to be seeing more and more of these “password-less” logins as time goes on. The benefits to the system developer, the support team and the user are too great for this not to catch on for non-critical applications.
Laptop login image by vectorolie on FreeDigitalPhotos.net