The advent of user created, managed and handled passwords as the sole means of authenticating is coming to an end. The utility of these was defined in an era based on assumptions of brute force capability, system computing power and pro-active security teams. – After much debate and analysis … there is the thesis
This topic came up for me last year as I was working through some large amorphous business processes. The question of credentials was raised, and we challenged it. This is interesting as we had some pretty serious brains in the room from the house of auditing, security, risk, and business leaders. I am sharing my thoughts here to seek input and additional alternate perspectives – seeking more ‘serious brains’.
I will update as feedback comes in … this and other posts will serve as workspaces to share the analysis and perspectives to consider. I am breaking this topic across different posts to allow for edits and pointed (critical perhaps) feedback on a topic basis. This is LIVE research, so understand impressions today may change tomorrow based on information and insight. Looking forward to collaborating, and with that … lets jump right in!
————————————————————————
Passwords are designed to restrict access by establishing confirmation that the entity accessing the system is in-fact authorized. This is achieved by authenticating that user. Passwords / pass phrases have been the ready steady tool. The challenges to this once golden child cross the entire sphere, and I’ll be seeking your collaboration through the journey up to my RSA presentation in SFO at the end of February 2013!
- False premise one – Passwords are good because they cannot be cracked
- False premise two – Password strength should transcend devices – mobile, tablets (iPad, surface)
- False premise three – Password control objectives are disassociated from the origination and intent
FALSE PREMISE ONE: (Updated Jan.31.2013)
- Passwords are great because they are difficult to break?
The idea here is that users are trained (continuously) to use complex, difficult, long, and unique passwords. The concept was that these attributes made it difficult for a password to be broken.
Lets explore what that meant… When a password was X characters long using Y variety of symbols it would take a computer Z time to break it. Pretty straight forward. (This example drawn is for a password hash that is being brute force attacked offline) This analogy and logic is also true with encryption, but it is based on poor premise:
- Password cracking CPU cycles for a single machine are far more powerful than yesteryear, AND if we focus ONLY only on computing power, well the use of Cloud Armies to attack represent the new advantage for the cracking team
- Password cracking by comparison pretty much made the CPU argument (and length of time to hack) moot. There exists databases FULL of every single password hash (for each type of encryption / hash approach) that can be compared against recovered passwords – think 2 excel tables .. search for hash in column A and find real world password in column B.
Interesting selective supporting facts:
- A $3000 computer running appropriate algorithms can make 33 billion password guesses every second with a tool such as whitepixel
- A researcher from Carnegie Mellon developed an algorithm designed for cracking long passwords that are made up of combined set of words in a phrase (a common best practice advice) – “Rao’s algorithm makes guesses by combining words and phrases from password-cracking databases into grammatically correct phrases.” This is research is being presented in San Antonio at the “Conference on Data and Application Security & Privacy” – New Scientist
Humans also pick awful passwords …
- Based on habit
- We trend towards the same passwords
- Based on grammer
- Our punctuation and writing habits also lend towards identification and passwords
To be continued ….. Part 2 and 3 will be shared soon, looking forward to more collaboration!
Keep seeking, everything.
– James DeLuccia IV
Technology, Strategy, and Cybersecurity - explored, explained, and examined 
Very interesting thesis. I’m really curious to see your other two points, and the conclusion of the research.
Fair points. Do you have any data/time/examples of “good” password phrases or passwords and how long those would take to crack with the 3k 33 billion computer etc? I will continue to think more about this and provide more comments.
Pingback: Passwords are Dead, Part II 2nd False Premise – a collaborative research effort, being presented at RSA 2013 | Payment Card Security & IT Controls Explained
I agree with your points. No matter the password rules, end users will mismanage the password. Provide some examples of good passwords with bad management and the end result.
I know you will have a great presentation!
Take care,
Kathy
Very true, the rate of passwords complexity is closely followed by it being cracked. However does it mean passwords are dead? I am not sure, I think of passwords to be more of “authenticators” and our character/numeric based passwords may be need to re-looked to include other types as well.
Right from the time of egyptians civilizations and other ones around the same time, codes (passwords) have always been used, however I think we are now reached a stage our most secure code would be something that is system generated.
But then how secure would such a system be which would generate our passwords!?
Hello there, You have done an incredible job. I will definitely digg it and personally recommend to my friends. I am sure they’ll be benefited from this web site.