In Defense Of Passwords

Long live the password (as long as you use it correctly along with something else).

Over the past years, months, and weeks, industry has suffered from a surge of data breaches, which have leaked a wealth of user credentials onto the underground market (albeit, often hashed credentials). Some of the fallen victims include Adobe, Target, Michaels, and Home Depot. Even Google was not immune, though the leak reported last week of some 5 million username and password combinations consisted of mostly stale or older credentials that don't actually work.

The news isn’t good or surprising. The principal reason is fairly obvious: People still suck at using passwords!

If you follow these password database leaks, the top used passwords read like a list of bad practices. They include passwords that are too short or too common, and thus very easy to guess or crack. Totally irresponsible passwords like “password1,” “123456,” and “qwerty” still are horribly common. Furthermore, correlating password leaks has shown that people still tend to use the same password across different resources. All this is why many pundits have proclaimed that the password is dead.

You can easily see why one might say that. Security professionals have recommended the same password advice for decades, and yet no one seems to follow it. Furthermore, blackhat hackers appear to get their hands on our credentials as easily as a master thief swipes candy from a sleeping baby. All this suggests passwords don’t work, right?

Wrong! Rather than blaming the password, I think the whole password fiasco comes down to two problems: We’re blaming the wrong culprit, and we’re giving ourselves a pass to sacrifice security for laziness.

[Join Dark Reading Radio on Wednesday, Sept. 17, at 1:00 p.m. ET for a grown-up conversation about passwords with Cormac Herley of Microsoft Research.]

First, let’s talk about the actual culprit. Simply put, a password is a key. If you lose your house key through a hole in your pocket, do you blame the key when a burglar breaks into your house? The key was just doing its job. You should blame the hole in your pocket, or the inattention that allowed the key’s loss in the first place. Similarly, it’s absurd to blame passwords for data security problems. Rather, we should closely examine how hackers make off with huge troves of credentials in the first place.

The heart of the problem
In a large percentage of these credential leaks, attackers exploited a web application flaw called SQL injection to steal passwords from a website’s database. To me this is the core problem: the fact that the victim’s network, web app, or database security was so bad that attackers easily walked off with such sensitive data. We are blaming the key when we should be asking why we didn’t keep better track of it.

Although the real fault lies with how badly we protect our keys, it’s also true that some keys are stronger than others. These incidents have proven most people choose crappy passwords, but that doesn’t mean the whole idea of passwords is broken. Password security practices work! If you use long, complex passwords over 14 characters, and you use different passwords at each site, these password leaks wouldn’t affect you. If bad guys stole your password hash, they probably couldn’t crack it, and even if they did, it would only give them access to that one resource.

So why don’t people use good password practices? Simply put, until recently it was too hard to do. Humans aren’t good at making or remembering long, complex passwords, nor are they good at keeping track of them. However, that’s not an excuse today. Recently, password managers have become readily available and easy to use. They even work across multiple platforms. Though some argue password managers themselves become a weak point (all your eggs in one basket), it’s much less risky to hoard passwords in one encrypted file store than it is to use the same weak password everywhere.

In short, passwords aren’t broken; we just aren’t protecting them properly or using them right. Here’s how to fix the problem:

  • Plug the gaps that allow password databases to get stolen. Usually, it comes down to SQL injection and web application flaws. So focus on secure web development.
  • Standardize on a password manager so that you can actually follow good password practices.
  • Finally, and most importantly, the 21st century requires multi-factor authentication. No matter what you use to authenticate -- a key, password, token, picture, or biometric -- attackers can steal it. That’s why we need to use more than one token to authenticate. Passwords are a good option for one token, but you should supplement them with something else.

So I say, long live the password -- as long as you use it correctly along with something else. What do you think? Let me know in the comments.

Recommended Reading: