Password are broken

I thought I would put something together about a recent post I saw on reddit about password rules being broken. You can find this article. Though I agree that passwords rules are broken for the reason mentioned there. I also consider passwords to be broken for many more reasons. From my point of view what we have is 100,000's of websites all doing the same account creation process and all suffer from the same common problem.

Most website currently use password rules which have been generated because people pick poor passwords. Or more than likely many accounts have been compromised on a web site due to poor passwords. So every website simply does more of the same and creates stupid rules. However if you take a step back and consider for a minute what pressures we are actually pushing onto the end users of software. Websites and application are demanding that everyone has an account this means that we are expecting users to remember multiple passwords may by as many as 20-30. The security community then blames people when they are unable to comply with this and will use the same password for multiple sites or applications. This of course is basically impossible for the average user to comply with but it is forced on them so they will ignore any best practices and will take this action anyway.

So we all know that many people will use duplicate passwords. This of course creates a second problem when a duplicate password is used on many sites. If one of these sites is compromised then the passwords are leaked onto the darker side of the internet often not encrypted or not encrypted with a weak encryption that can be broken. These user details are then tried again many account on major site / services to use and abuse. This actually makes any complex form of password rules completely useless.

Broken Solutions

To prevent the brute force attacks on web services it often common that a captcha is used. Anyone who has been using the internet for any period of time has of course seen these at some point during login, account creation or even during certain functions of a website application. Yet again this is a solution pushing things onto an end user.

Some of the less recent solutions to these problem involve things like "security questions". Of course security questions like "Whats your mother maiden name" is an absolute security nightmare. Often this information is publicly available or may just be known to people close by who may want to try to mess up your life for example a recent ex-husband or ex-wife. Often this information is also leaked onto the internet as well with the password.

Some of the more recent solutions to this is to do things like 2 factor authentication. Which is when logging into a website their server will send you a code by email or text message. Of course email isn't the best option here because often people use the same password. If we are doing this though why do we even still need passwords at all? There are other serious issues with it as well. For example that happens if you don't have a mobile phone, phone is outside of reception range or don't want to hand your personal mobile phone number over to a company you work for. I should also mention that this solution again is pushing the work onto the end user and making the problem theirs.

Untried broken solutions

Some people think password manager are the solution. I have used a few of these. I even run into problems with them often because I tend to move between machines between work, home, mobile phone and password managers that run for one platform don't work for another. They also have a really bad time keeping the passwords in sync.

Another broken solution that people have been suggesting is to use a finger print scanner. Which I think is a terrible idea as anyone everywhere they go leaves copies of their password behind. We then also would have our finger print signatures stored in databases across the world which already have a terrible history of keeping personal information secure. Not to mention that everyone would have to have a finger print reader with them wherever they go. Except for the attackers of course since they would just use the signature information that was stolen from the database. The real major issue here of course is that this is a password that cannot be changed.

Almost solutions

Its now not uncommon to be able to setup accounts on websites using other website login details such as Facebook, Google. This has the massive added benefit that it cuts down the number of security details that have to be remembered. However we cannot really be having our Facebook login used to also access our banking details and we also cannot have a single entity in control of the internet for these sorts of applications. So again we are still back to managing multiple passwords.

A possible solution

We already have the actual technology to be able to remove passwords completely. Unfortunately it just isn't organised in the correct way for website to be able to work with it correctly. I am of course talking about private / public key authentication which is commonly used by software developers and system admin people around the world. The web of course has no support for it.

Something that was added a long time ago to bowers of course was in SSL/TLS was this feature but it has been really used. It is extremely awkward for end users and it has the same problems when moving between devices.

Personally I think we need an open protocol added to web browsers so that they can authenticate with websites better and in such a way that the website can challenge the end user any time it wants. This of course has to be done in such a way that it will work for anyone on any system this of course is the really hard part to meet. Since we need to do this in such a way that no company has control of the end solution's.

How can it work.

We need web browser support for the following

To be able to create a public / private key pair. Where it can either be stored locally, remotely or performed on a hardware device like a USB dongle.

Be able to provide a public key to a website when creating an account

Be able to provide a public key to a website during password recovery / migration process.

Be able to support multiple private / public key pairs. Or even unique sets per website.

Be able to provide secure backup's of these keys.

Be able to mangle local, remote, hardware keys concurrently.

The browser must be able to then handle a challenge request from the server to be able to prove it has the private key.

The really cool thing about using a process like this correctly is that the password is never stored on the website. So even if a website leaks its data nothing will actually happen. The attackers only get a copy of your "public" key which to them will be completely useless.

One of the problems here is that storing keys inside the browser or remotely can also be insecure. But it is only mentioned at a gap solution to a real hardware version which is really where things get somewhat interesting. If implemented correctly it is possible to have a USB device where it is impossible for a system to even read the private key. The USB device simply can create, delete and handle challenge requests for the browser. This of course means it is even impossible for malware or being able login from a non trusted machine which cannot steal your keys.

Obviously this is a very very high level overview of how a system like this should work. But we defiantly need to be moving in some direction other than passwords. They simply do not work for website providers and they certainly don't work for end users. Yet here we are plodding along with passwords after 20-30+ years.

Personally I think

Users should be demanding better security / usability.

Companies should be providing it.

The security community should be shouting for it.

What we have is not good enough.