Should the FTC Kill the Password? The Case for Better Authentication


Co-authored by Professor Woodrow Hartzog.

Authentication presents one of the greatest security challenges organizations face. How do we accurately ensure that people seeking access to accounts or data are actually who they say they are? People need to be able to access accounts and data conveniently, and access must often be provided remotely, without being able to see or hear the person seeking access.

Problems with Passwords

The predominant method of authentication thus far has been the password.

Unfortunately, passwords have some significant shortcomings – they depend upon human memory, which is limited. Short and simple passwords are easy to remember, but they are also easy to crack. So passwords need to be long and complex as well as easy to remember, and this combination is incredibly hard to achieve.

Making the problem even worse, people are told that all of their passwords should be unique. Password reuse dramatically increases people’s vulnerability when one of their passwords is compromised. But remembering many long and complex passwords is a virtually impossible feat to require of human memory.

According to one study, consumers have an average of 24 online accounts. For those who use the Internet more robustly, the number of accounts is much higher.

The mainstream advice on creating passwords counsels people to use special characters, numbers, punctuation, and upper and lower case. All these add complexity to passwords, but they also make passwords significantly harder to memorize.

These demands have resulted in users being given the Herculean task of creating a unique, complex password for every account. No one can remember all of these passwords, so people ignore the advice about using unique passwords and reuse the same password or draw from a pool of a few passwords. According to a study, 73% of accounts use duplicate passwords, and consumers use on average only 1 unique password for every 4 accounts.

As if remembering complex passwords weren’t hard enough, many companies want passwords to be changed frequently. Unsurprisingly, people often don’t change their passwords. Indeed, by one estimate, nearly half of consumers have a password they haven’t changed in more than five years.

The more challenging it becomes to memorize all the passwords, the more likely people are to write the passwords down in convenient locations, thus creating additional security risks. Passwords find their way onto sticky notes near computers or in wallets or in email or listed in text files in devices.

One company marketed a product called Password Minder and produced a hilarious infomercial that says that Password Minder has been designed to “safely store passwords.” It touts: “Never lose a password. Guaranteed!” Password Minder “features a discreet leatherette-bound cover to ensure your passwords stay a secret.”


The product was “laughed out of production” as experts relentlessly mocked it. But other similar products remain on the market. Here’s one called I Love My Password Book!

We suggest an alternative title – Fraudsters, Here Are All My Passwords for You in One Easy-to-Recognize Book.

And then there is this line of password books, designed for the special needs of various types of people.

A look inside each book, however, shows that all books have pages that look like this:

Last, but not least, there’s The Personal Internet Address & Password Log Book, a small tabbed book where people can write down all their login credentials.

When we last checked, this book ranked #428 out of all books on Amazon, and is the bestselling book in Amazon’s Internet and Telecommunications category.

To our dismay, it’s doing far better than any of our books. Maybe it’s time to write a password keeper book of our own!

These solutions will make any security expert chuckle, but laughter is misguided if directed at the people who would use such a product – instead, the laughter should be at the fact that people feel the need to resort to such a means because of the impossible demands being made on human cognition.

Locking the Front Door But Leaving the Back Door Open

Suppose a user has many long, complex, or unique passwords. Is the user safe?

Nope. For example, in a phishing attack, fraudsters try to trick users into giving away their passwords. Often, fake websites and deceptive hyperlinks look very real and easily deceive many users. As another example, malware such as keystroke loggers and other spyware can be used to obtain passwords, which seems to be how health insurer Anthem was breached last year. Even when users act perfectly in adopting complex, unique passwords and avoid accidental disclosure, malware can still compromise username and password credentials.

The current approach to passwords protects against only certain types of attacks and fails to address other threats. And by asking people to do the impossible by creating passwords that are both unique and complicated, this approach practically forces people to engage in risky behaviors that defeat the purpose of these protections.

Hardly any expert would disagree with the problems we stated above, yet passwords remain the predominant approach to authentication. We are living in a world of ostriches, their chuckles at the absurdity of the situation muffled by the sand above their heads.

Why Aren’t Better Authentication Methods Catching On More Widely?

There are other solutions to authentication problems, and other methods of authentication, that could be used if organizations moved away from their futile clinging to passwords. Many relatively cheap and easy-to-deploy methods can be used to protect against different kinds of attacks on credentials. One such example is two-factor authentication.

The essence of two-factor authentication is simple. In order to log in, you must have something you know (usually a password), as well as one additional factor, usually something you have (usually your cellphone) or something you are (usually a fingerprint or faceprint).

Two-factor authentication is particularly promising because it has already been deployed by major companies, it protects against many different kinds of offline attacks, and it can leverage a technology that most people already constantly carry around – their cellphone. Two-factor authentication is a good way to protect against both online and offline attacks. While two-factor authentication remains vulnerable to specialized phishing and malware-based attacks, those vulnerabilities are relatively narrow and typically require the fraudster to already have the user’s username and password.
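As an added illustration (not code from the article or its authors), here is a minimal server-side check of the scheme described above: a password plus a time-based one-time code generated on the user's phone (RFC 6238 TOTP). The user record, password and shared secret are constructed demo values; the point it shows is that a stolen password alone does not authenticate, and that a code that has already been used is rejected.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo user. A real system stores a salted, slow password hash
# and keeps the TOTP secret in protected storage; this is only for illustration.
USERS = {
    "alice": {
        "pw_hash": hashlib.sha256(b"correct horse battery staple").hexdigest(),
        "totp_secret": b"12345678901234567890",  # RFC 6238 test-vector secret
        "last_counter": -1,  # highest time step already accepted (replay guard)
    }
}


def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second time step, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def login(user: str, password: str, code: str, now=None) -> str:
    """Return 'ok' only when BOTH factors verify; otherwise a distinct failure reason."""
    rec = USERS.get(user)
    if rec is None:
        return "no-such-user"
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(pw_hash, rec["pw_hash"]):
        return "bad-password"
    step = int((time.time() if now is None else now) // 30)
    # Accept the current step and one on either side to absorb clock drift,
    # but never a step at or below the last one accepted: a captured code
    # cannot be replayed, even within its validity window.
    for candidate in (step - 1, step, step + 1):
        expected = totp(rec["totp_secret"], candidate)
        if candidate > rec["last_counter"] and hmac.compare_digest(expected, code):
            rec["last_counter"] = candidate
            return "ok"
    return "bad-or-replayed-code"
```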

Our point is not that there is a silver bullet that addresses all the problems with passwords. Rather, there are many better authentication techniques available, ones that are clearly a much better choice than passwords alone in certain situations, especially high risk situations.

Although many of these techniques are widely available and inexpensive, they are often not used. This is a pathology that is undermining improved data security. It is clear from many polls that most people are very concerned about data security, and most leaders of organizations are also very concerned.

Change is not likely to happen fast enough without some kind of precipitating event, something to set things in motion and eventually lead to a cascade. Rather than wait for Godot, there would be a great benefit for some kind of regulatory intervention. Perhaps a nudge, maybe a gentle push, maybe a shove, and maybe even a kick in the rear. Something needs to be done.

The FTC Has Laid the Groundwork for a Better Approach to Authentication

In the United States, the FTC is the regulatory agency in the best position to step in and require improved authentication. The FTC has the broadest range of jurisdiction of any federal agency enforcing data security. The broadest source of FTC jurisdiction is Section 5 of the FTC Act. Under Section 5, “unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.” The FTC has long maintained that failing to provide adequate data security can be a “deceptive” trade practice or an “unfair” trade practice – and in many cases, both deceptive and unfair.

When determining whether data security is satisfactory, the FTC essentially looks to whether the security measures are “reasonable.”

The FTC generally determines what is “reasonable” by looking to areas of widespread consensus. Such a consensus appears to exist regarding passwords – at least in what is being said, although it is not being done. And the foundation exists in existing FTC jurisprudence to make a movement toward improved authentication.

As authentication threats evolve, so should the FTC’s requirements for reasonable authentication.

The FTC’s authentication jurisprudence supports moving beyond passwords to embrace new, effective, and popular techniques. Although passwords alone might still be sufficient for certain kinds of systems, the FTC might consider where improved authentication approaches such as two-factor authentication would be more appropriate, particularly in high-risk contexts.

The FTC should not create a one-size-fits-all standard. A holistic approach to authentication would consider the relevant threats, the costs of deployment, the toll on use, and the relative security benefits of the relevant authentication strategies. The FTC can begin by holding that in certain high-risk contexts, improved authentication methods should be employed. The FTC need not necessarily choose which method. The test should be pragmatic: How well does the method work? What are the costs and benefits? The FTC can conclude that as long as alternatives exist that are reasonable in cost and ease of deployment, the use of passwords alone is insufficient.

It is time to start moving beyond the password. The FTC should not kill passwords, but it should not let them continue their reign as the king of authentication. The FTC should make passwords share their throne with better forms of authentication.

For a further elaboration of these points, please see our recent piece, Daniel J. Solove & Woodrow Hartzog, Should the FTC Kill the Password? The Case for Better Authentication, 14 Bloomberg BNA Privacy & Security Law Report 1353 (July 27, 2015).

 * * * *

Daniel J. Solove is the John Marshall Harlan Research Professor of Law at George Washington University Law School, the founder of TeachPrivacy, a privacy/data security training company. He is the author of 10 books and more than 50 articles.


Woodrow Hartzog is an Associate Professor of Law at Samford University’s Cumberland School of Law. He is an internationally-recognized expert in the area of privacy, media, and robotics law.

The views here are the personal views of Professors Solove and Hartzog and not those of any organization with which they are affiliated. The authors would like to thank TeleSign for its support of the article and this post. Image Credits: Fotolia + Pixabay + DJS Mashup


So the solution to computer security is to turn to the government that had virtually all of its personnel records snatched right out from under its nose? And other hacks occurring (that we know of, at least as far as the government deigns to inform us about?) I deal with government computer security rules. The author's description of what doesn't work is what the government's rules are. Color me skeptical that turning to them will do anything but memorialize dated methodologies or mandate new and innovative (and expensive...to the benefit of well connected vendors) unworkable solutions. Plus, it simplifies the hacker's job because they can read the same security standards and target them specifically. Avoiding government standards that everyone will be stuck with indefinitely no matter how badly they fail allows for a diverse security environment that makes it harder for the hacker to target and easier to change.

Reply
Emily Tell, EMBA

I help humans and businesses adapt to disruptive technology change (AI, Automation, Cybersecurity)

9 years ago

Wonderful article on passwords. For those who bought the password book, there's an app for that. I hope you chose a strong password for it.

Reply
Crystal Burman

Expert Project & Program Manager: IT Leadership

9 years ago

I much like the idea of two factor authentication, however, at some point in time that will run its course as well and hackers will catch on to that too!! I think we need to think bigger and wilder to be innovative enough to create much more of a challenge for hackers. I like to login to my phone with my thumbprint and feel that is pretty safe, but as hackers evolve and get smarter I presume they will be able to lift that too.

Reply

Good article!! With advances in technology, we now have Oxford Biochronometrics S.A., which completely eliminates CAPTCHAs ( https://nomorecaptchas.com ) and also passively authenticates a user based on user behavior. This is very new technology and is catching on quickly in various industries. The most common use is seen at user login to eliminate bot spamming and/or bot login.

Reply
Michael Kavka, GCIH, CISSP

Sr. Security Engineer at RJ O'Brien, Podcast host

9 years ago

For starters, after a certain point, a complex password becomes no more secure with extra characters. For those who want to use the forgot password button, with some simple social engineering and research, the questions are easily answered, and the forgot password button has been shown to be a weak link. The idea of using multi-factor authentication is a better start (i.e. a text to your phone number when you try to log into the site for the first time. That code has to be entered in, then you can authorize said phone etc. so you don't have to type a code again), as it will be easier to be alerted to unauthorized attempts. Biometrics are a good idea also, as long as they are kept encrypted (see the recent reveal of HTC keeping them as an unencrypted picture and the ease of hacking that). Password managers are another good starting solution, especially for complex passwords. Most infosec people (like myself) do recommend them. Also changing your passwords regularly, and not reusing the same password for multiple sites. The bottom line on passwords is that they are a weak link. Security will never be 100% as it is a process, a journey, not an endpoint.

Reply
