Password Authentication is Broken

Password Authentication, PIN-based and other Knowledge Factor authentication have numerous deficiencies. Unfortunately, many security systems are designed such that Authentication relies entirely on a Knowledge Factor.

Many "Security Experts" point out that weak passwords are the most common cause for system Exploits.

Almost every one agrees Password Authentication is Broken. The sheer number of Password Attacks in the last years shows it is at least not working. Perhaps it is all an implementation issue and perhaps it is the conflict between usability work with passwords and Password-composition Policy or perhaps it is the heuristic Attacks have gotten better.

A little about Passwords#

The password, then, functions like the key to a lock; anyone who has it can get in. This means the password can easily become the weak link in a company’s network security plan, because passwords can be "cracked," guessed, stolen or deliberately shared.

The "Security Experts" but the burden on the user saying "It is important for individual users to safeguard their passwords Best Practices Password and for Organizational Entity to develop a Password Policy that mandate that such practices be followed.

Precise Recall#

The main weakness of knowledge Factor authentication is that it relies on precise recall of the Credential information. If the user makes a small error in entering the Credential, the authentication fails. Unfortunately, precise recall is a Human Limitation. People are much better at imprecise recall, particularly in recognition of previously experienced stimuli.

This Human Limitation of precise recall is in direct conflict with the requirements of strong passwords. Many Password Statistics show that people pick easy to guess passwords. Furthermore, they found that 85% of all passwords could be trivially broken through a simple exhaustive search to find short passwords and by using a dictionary to find longer ones.

By enforcing Password Policy required users need to create unpredictable passwords, which are more difficult to memorize. As a result, users often write their passwords down and hide them close to their work space. These strict Password-composition Policy, such as forcing users to change passwords periodically, only increase the number of users who write them down to aid memorability.

As companies try to increase the security of their IT infrastructure, the number of password protected areas is growing. Simultaneously, the number of Websites which require a username and password combination is also increasing. To cope with this, users employ similar or identical passwords for different purposes, which reduces the security of the password to that of the weakest link.

Most Proposed Solutions Fail#

The majority of solutions to the problems of weak passwords fall into three main categories:
  • The first types of solutions are proactive security measures that aim to identify weak passwords before they are broken by constantly running a password cracking programs
  • The second type of solution is also technical in nature, which utilizes techniques to increase the computational overhead of cracking passwords
  • The third class of solutions involves user training and education to raise security awareness and establishing security guidelines and Password-composition Policy for users to follow.
All three classes of solutions do not remedy the main cause of password insecurity, which is the Human Limitation of for Precise Recall of Credentials.

Password Vaults#

Password Vaults are also a proposed solution where the user only needs one credential to open the Password Vault. The Password Vault Application can then, in at least a lot of cases, provide a "Strong" credential for use at the website.

However, the Password Vaults are a Password Anti-Pattern where the password is now a Shared Secret with yet another party which increases the vulnerability and the points that attacker may exploit

And that is why we see these type of Password Statistics

More Information#

There might be more information for this subject on one of the following:

Add new attachment

Only authorized users are allowed to upload new attachments.
« This page (revision-15) was last changed on 10-Apr-2017 14:26 by jim