Lessons Password Authentication Can Take from Asymmetric Keys


Locking The Virtual Front Door: Article 3, Principle 5

All the components used to safeguard Private Keys can also be used to protect passwords. Here are a few things that can and should be done:

Generation:


Remember my comment in last week’s article (Asymmetric Ciphers: Two Keys Are Better Than One) that a password, Secret Key, biometric template, and Private Key all look the same to a computer because they’re just a long series of zeros and ones? The main feature that differentiates Keys, templates, and passwords is how they are generated. Passwords are the only ones that humans are allowed to generate, or so some people think.

A password is the easiest and least expensive “Key” to generate because it requires no mathematical algorithms, no seed, no pairing to another password, and no secret information. All that is required for a long, complex, and very secure password is a simple random character generator.

There is an old security adage: “Security by Obscurity.” This simply means if the attacker does not know how information was generated, then it cannot be replicated. Because passwords are not mathematically tied to anything like seeds or biometrics, they are completely obscure. Passwords can also be changed frequently without affecting anything else because they are used for authentication only and are not part of encryption ciphers that also require decryption.

Complexity:

Passwords do not need to be as large as an RSA Key. A 256-character password using all 128 ASCII characters would generate over 2.7 x 10^539 (27 with five hundred and thirty-eight zeros behind it) combinations. In other words, it’s a really, really big (virtually unhackable) number. To add a reference for that, there are only approximately 3 x 10^11 stars in the Milky Way. With such a large number of possibilities and no need to rely on prime numbers or advanced math co-processors, a password can be much smaller than a Private Key and still take an unreasonable number of years to crack using a brute-force attack. The smaller password also allows for a much less expensive smartcard, because there is less storage capacity required.

Hackers don’t just have super-fast computers, they also gang together a number of computers (called bots) to share the processing load. With this in mind, a strong password needs to be at least twelve characters long to make a brute-force attack unreasonable. Taking it a step further, the NIST (National Institute of Standards and Technology) Draft Special Publication 800-118 (April 2009, Retired April 1, 2016) recommends that every password now needs to be at least 15 characters long. It amazes me that even the official Microsoft Website still offers “Tips for creating a strong password” that are rudimentary.

Exchange:


Contrary to popular belief, when you log into an account and type in your password, your actual password is not sent. Instead, the password you type is first hashed and then that hash is sent across the Internet. The receiving server then compares that hash value against the one stored in its database. If they match, you are in. Sending a hash led computer engineers to coin the term “Pass the Hash” (PtH).

Hashing by itself is no longer secure when the same “seed value” is used for a large block of passwords. The fault is not with hashing but rather with the fact that multiple people will pick the same password (e.g., “123456”), so the same hash value is generated for each of them. A hacker who reverse engineers the seed can then reverse engineer the employee-generated passwords.

There is a fix called Salting the Hash that was discussed in Article 3, Principle 1: “You Encrypt to Stop Governments, Not Your Kid Sister.”
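As an added illustration (not code from this article), the Python snippet below shows the collision the paragraph describes and the salted fix: two constructed accounts that both chose “123456” get identical bare SHA-256 hashes, while per-user random salts with PBKDF2-HMAC-SHA256 (my choice of derivation; the article names none) give different records that still verify correctly.

```python
import hashlib
import hmac
import os

# Constructed sample: two employees who both picked the same weak password.
USERS = {"alice": "123456", "bob": "123456"}


def unsalted_hash(password: str) -> str:
    # One bare SHA-256 per password: identical passwords give identical hashes,
    # so cracking one hash exposes every account that shares it.
    return hashlib.sha256(password.encode()).hexdigest()


def salted_record(password: str, salt: bytes = b"") -> tuple:
    # Per-user random salt plus a slow derivation (PBKDF2-HMAC-SHA256, 200k rounds).
    # The same password now yields a different digest for every user.
    if not salt:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def verify(password: str, record: tuple) -> bool:
    # Re-derive with the stored salt and compare in constant time.
    salt, expected = record
    _, candidate = salted_record(password, salt)
    return hmac.compare_digest(candidate, expected)


def demo() -> dict:
    unsalted = {u: unsalted_hash(p) for u, p in USERS.items()}
    salted = {u: salted_record(p) for u, p in USERS.items()}
    return {
        "unsalted_collide": unsalted["alice"] == unsalted["bob"],  # True
        "salted_collide": salted["alice"][1] == salted["bob"][1],  # False
        "alice_ok": verify("123456", salted["alice"]),
        "alice_wrong": verify("1234567", salted["alice"]),
    }


if __name__ == "__main__":
    print(demo())
```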

Lifetime:

This has been an ongoing trade-off between security and user convenience. Changing passwords frequently makes them more secure, but trying to get users to remember the latest one is arduous. Just ask anyone working the IT help desk how many password resets they deal with daily. In a lame attempt to make passwords both secure and less cumbersome, the industry standardized the policy of eight characters with a life span of 30–90 days. Because Private Keys are much longer and secured by other technologies, they can have a longer lifecycle. It is my position that if passwords were longer and properly secured, they too could have a much longer lifecycle than the out-of-date, insecure, eight-character, user-generated password.

Users do not generate or manage Keys, so why do they have to manage passwords? Like Keys, make them machine-generated and accessible only to the authorized user. More about how to do this in upcoming articles.

Uniqueness:

Unique passwords are easy to accomplish. They require no mathematical algorithms, and since there is no pairing, changing passwords is also easy and fast. Machine-generated passwords utilize the entire American Standard Code for Information Interchange (ASCII) set of 128 standard characters, or 256 if the extended characters are included. In comparison, a standard keyboard has only ninety-two symbols a user can easily type. Therefore, a machine-generated password will be far more complex and unique than what a person could type and remember.

Once the human interface is removed from remembering and typing passwords, there is no reason every password can’t be 500 characters long. That’s something to think about.
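To put numbers on the comparison between machine-generated and typed passwords, here is an added Python example (not from the article) that generates a password from the OS random source and computes keyspace and entropy for the alphabets the article discusses: the 128-symbol ASCII set, the 92 keyboard symbols, and the 256-character case from the Complexity section. The 10^12 guesses-per-second rate in the brute-force estimate is an assumption for illustration only, and the generator draws from the 95 printable ASCII characters because control characters rarely survive a login form.

```python
import math
import secrets
import string

# Alphabet sizes from the article, plus the printable set used by the generator.
ASCII_FULL = 128   # full standard ASCII set a machine can use
KEYBOARD = 92      # symbols a person can easily type, per the article
PRINTABLE = string.ascii_letters + string.digits + string.punctuation + " "


def keyspace(alphabet_size: int, length: int) -> int:
    # Number of distinct passwords of exactly `length` symbols.
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    # Bits of entropy when every symbol is chosen uniformly at random.
    return length * math.log2(alphabet_size)


def digits_in(n: int) -> int:
    return len(str(n))


def years_to_brute_force(alphabet_size: int, length: int, guesses_per_sec: float) -> float:
    # Expected time to search half the keyspace at an assumed guess rate.
    return keyspace(alphabet_size, length) / 2 / guesses_per_sec / (365 * 24 * 3600)


def generate(length: int, alphabet: str = PRINTABLE) -> str:
    # secrets.choice draws from the OS CSPRNG; never use random.choice for this.
    return "".join(secrets.choice(alphabet) for _ in range(length))


def summary() -> dict:
    rate = 1e12  # assumed botnet guess rate, guesses per second
    return {
        "article_256x128_digits": digits_in(keyspace(ASCII_FULL, 256)),  # 540, i.e. ~2.7 x 10^539
        "keyboard_12_bits": round(entropy_bits(KEYBOARD, 12), 1),
        "keyboard_15_bits": round(entropy_bits(KEYBOARD, 15), 1),
        "machine_12_bits": round(entropy_bits(ASCII_FULL, 12), 1),
        "keyboard_8_years": years_to_brute_force(KEYBOARD, 8, rate),
        "keyboard_15_years": years_to_brute_force(KEYBOARD, 15, rate),
    }


if __name__ == "__main__":
    print(summary())
    print(generate(24))
```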

Storage:

A secure password manager uses technologies similar to those used by asymmetric Keys to generate and store passwords. By taking the human element out of the security chain, IT is able to remove its biggest vulnerability. When passwords are stored in similar devices, they are just as secure as a Private Key. Security is not defined by the methodology but by the secure management of the methodology. When passwords are just as difficult to crack or discover as a Private Key, then they are just as secure.

Challenge-Response (C-R):

Today’s computer security experts are pushing for network mutual authentication before the firewall and before access to any data. When C-R enabled smartcards are used, they ensure that the chip and server verify each other. The server verifies the chip and the chip verifies the server. Challenge-Response will protect password entry, password data files, and guard against many computer attacks.
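An added example, not the article’s or Power LogOn’s own code, of the mutual challenge-response the paragraph describes. It uses HMAC-SHA256 over a shared secret assumed to be provisioned into both the chip and the server: each side proves knowledge of the secret over both nonces, only tags cross the wire, a role label stops one side’s answer being reflected back at it, and a recorded response does not satisfy a later challenge.

```python
import hashlib
import hmac
import os

# Constructed shared secret held by the smartcard chip and the server's credential
# store. It never leaves either side; only HMAC tags and nonces cross the wire.
SHARED_SECRET = b"constructed-demo-secret-not-for-real-use"


def tag(secret: bytes, role: bytes, *nonces: bytes) -> bytes:
    # HMAC over the role label and the nonces in the order the protocol fixes.
    return hmac.new(secret, b"|".join((role,) + nonces), hashlib.sha256).digest()


def run_exchange(chip_secret: bytes, server_secret: bytes) -> dict:
    # 1. Server challenges the chip with a fresh random nonce.
    server_nonce = os.urandom(16)
    # 2. Chip answers with its own nonce and a tag over both nonces.
    chip_nonce = os.urandom(16)
    chip_tag = tag(chip_secret, b"chip", server_nonce, chip_nonce)
    # 3. Server recomputes the tag with its copy of the secret (server verifies chip).
    server_accepts = hmac.compare_digest(
        chip_tag, tag(server_secret, b"chip", server_nonce, chip_nonce))
    # 4. Server proves itself over the same nonces with a different role label
    #    (chip verifies server); a rogue server without the secret fails here.
    server_tag = tag(server_secret, b"server", chip_nonce, server_nonce)
    chip_accepts = hmac.compare_digest(
        server_tag, tag(chip_secret, b"server", chip_nonce, server_nonce))
    return {"server_accepts": server_accepts, "chip_accepts": chip_accepts}


def replay_is_rejected(secret: bytes) -> bool:
    # A response recorded against one challenge is useless against the next one,
    # because the server's nonce is inside the tag.
    old_server_nonce, chip_nonce = os.urandom(16), os.urandom(16)
    recorded_tag = tag(secret, b"chip", old_server_nonce, chip_nonce)
    new_server_nonce = os.urandom(16)
    return not hmac.compare_digest(
        recorded_tag, tag(secret, b"chip", new_server_nonce, chip_nonce))


if __name__ == "__main__":
    print(run_exchange(SHARED_SECRET, SHARED_SECRET))   # both True
    print(run_exchange(SHARED_SECRET, b"rogue-server"))  # both False
    print(replay_is_rejected(SHARED_SECRET))            # True
```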

Wrap up

We are almost ready to pull everything together to create what I call the Password Authentication Infrastructure or PAI. This is where we take the best parts of hashing, symmetric ciphers, and asymmetric ciphers to secure passwords.

However, there is still one more topic that needs to be discussed. That’s multi-factor authentication. There is so much misinformation and wrong marketing buzz that I feel I need to set the record straight. Let’s talk about the importance of Authentication in the next Articles.



Dovell Bonnett, Founder and CEO of Access Smart

I’m Dovell Bonnett, Author, CEO of Access Smart, and Password Security Evangelist. These articles are written to help business owners and executives understand an essential aspect of cybersecurity: Authentication. Authentication may seem like a small part of the overall network security; however, it’s your first line of defense. Passwords are a secure means of authentication. The main problem with passwords is how they are managed.

If you missed any of the previous Principles, I want to give you easy access to the “Lock the Virtual Front Door” Principles:

  • Article 3, Principle 1: You Encrypt to Stop Governments, Not Your Kid Sister
  • Article 3, Principle 2: Symmetric Cyphers and Secret Keys, Oh My!
  • Article 3, Principle 3: What Passwords Can Learn from Symmetric Keys
  • Article 3, Principle 4: Asymmetric Ciphers: Two Keys Must Be Better Than One

If you want to read my previous Articles:

  • Article 1, Principle 1: Authentication: cybersecurity’s first line of defense
  • Article 2, Principle 1: Passwords policies can destroy your network security

I give a lot more details on password security in my book: Making Passwords Secure: Fixing the Weakest Link in Cybersecurity. Available on Amazon as a book or on Kindle.




This and other stories originally published on my website Access-Smart.com



