In part one we covered the problems with passwords. In this follow-up we discuss ways to make passwords more secure and potential alternatives.

So what should we be doing?

It’s fair to say that most of us hate passwords. But until a better solution is introduced, we’re stuck with them. If you’re building a new app or tool there are some ways to make passwords more secure.

  • Don’t impose arbitrarily short maximum lengths. Many developers still cap passwords at 16 characters or so, which rules out the passphrase techniques mentioned in part one. A properly hashed password takes the same space to store whether it is 8 characters or 80, so there is no reason for a cap below 64 (the one real limit to know about is bcrypt, which only reads the first 72 bytes).
  • Enforce rate limiting. Online password guessing is only feasible because many apps and sites let you keep trying indefinitely. It’s good practice to slow down or block an account for a while after a few failed attempts. This does have a downside: a simple lockout lets an attacker freeze someone else’s account just by failing on purpose, so growing delays and per-address limits are usually better than a hard lockout.
  • Keep it real. We’ve written about security theatre before. If you introduce too many unnecessary measures, or put too many restrictions on the types of passwords required (it doesn’t always have to include one upper case, one lower, one symbol and one number!), people will cut corners. NIST’s current guidance (SP 800-63B) actually advises against composition rules and forced periodic changes; checking new passwords against a list of known-breached ones does more good.
  • Make sure your password reset function is secure. We’ve all forgotten passwords; we’ve discussed how easy it is to do. So having the option to reset one is vital. But it doesn’t matter how “strong” your password rules are if an attacker can abuse the reset mechanism. A reset link should carry a random, single-use token that expires within minutes, and the response to a reset request shouldn’t reveal whether the account exists. Security questions are the weak link: finding out someone’s DOB or mother’s maiden name is a trivial exercise. Pro tip: this is also a good reason to use fake answers when setting up accounts.
  • Don’t use email addresses as usernames. Having lots of accounts with the same email address as the username makes credential stuffing easy: one leaked email-and-password pair can be tried everywhere. Let users create their own unique usernames. And don’t limit them to alphabetic characters; a username isn’t a secret, but there’s no reason to make it easy to guess either.
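As an added example (not code from the original post), here is a login throttle that implements the rate-limiting advice above without the lockout downside: each account gets an exponentially growing delay that is capped and cleared on success, and each source address gets a separate failure budget. It is plain Python with class and parameter names of my own choosing; the password check is injected so it runs without a user database, and the demo input is constructed.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class _AccountState:
    failures: int = 0           # consecutive failures since the last success
    blocked_until: float = 0.0  # clock value before which attempts are refused


class LoginThrottle:
    """Per-account exponential backoff plus a per-source-address budget.

    Hypothetical names and defaults chosen for this example; not any product's API.
    """

    def __init__(self, clock: Callable[[], float] = time.monotonic,
                 free_failures: int = 3, base_delay: float = 2.0,
                 max_delay: float = 900.0, ip_limit: int = 50,
                 ip_window: float = 3600.0) -> None:
        self._clock = clock
        self._free = free_failures   # failures tolerated before any delay
        self._base = base_delay      # first delay in seconds, doubled per extra failure
        self._max = max_delay        # cap: a victim is slowed down, never frozen for hours
        self._ip_limit = ip_limit    # failures one address may make inside ip_window
        self._ip_window = ip_window
        self._accounts: Dict[str, _AccountState] = {}
        self._ip_failures: Dict[str, List[float]] = {}

    def retry_after(self, account: str, ip: str) -> float:
        """Seconds to wait before an attempt will be processed (0 means go ahead)."""
        now = self._clock()
        wait = 0.0
        state = self._accounts.get(account)
        if state is not None and state.blocked_until > now:
            wait = state.blocked_until - now
        recent = self._recent_ip_failures(ip, now)
        if len(recent) >= self._ip_limit:
            # The oldest failure must age out of the window before this address may retry.
            wait = max(wait, recent[0] + self._ip_window - now)
        return wait

    def record(self, account: str, ip: str, success: bool) -> None:
        """Update state after the password check has actually run."""
        now = self._clock()
        if success:
            # The real user got in: clear the backoff instead of punishing them further.
            self._accounts.pop(account, None)
            return
        # Unknown accounts get state too, so behaviour does not reveal which accounts exist.
        state = self._accounts.setdefault(account, _AccountState())
        state.failures += 1
        excess = state.failures - self._free
        if excess > 0:
            state.blocked_until = now + min(self._base * 2 ** (excess - 1), self._max)
        recent = self._recent_ip_failures(ip, now)
        recent.append(now)
        self._ip_failures[ip] = recent

    def _recent_ip_failures(self, ip: str, now: float) -> List[float]:
        return [t for t in self._ip_failures.get(ip, []) if now - t < self._ip_window]


def attempt_login(throttle: LoginThrottle, account: str, ip: str,
                  password: str, verify: Callable[[str, str], bool]) -> Tuple[str, float]:
    """Wire the throttle around a password check.

    verify(account, password) is whatever hashes and compares the password; it is
    injected here so the example runs without a user database.
    """
    wait = throttle.retry_after(account, ip)
    if wait > 0:
        # Refuse without touching the hash: the attacker pays in waiting, not our CPU.
        return ("throttled", wait)
    ok = verify(account, password)
    throttle.record(account, ip, ok)
    return ("ok" if ok else "denied", 0.0)


if __name__ == "__main__":
    # Constructed demo: one known account, a deterministic clock, a small IP budget.
    users = {"alice": "correct horse battery staple"}
    fake_time = [1000.0]
    throttle = LoginThrottle(clock=lambda: fake_time[0], free_failures=3, ip_limit=5)
    check = lambda u, p: users.get(u) == p
    for guess in ["password", "123456", "letmein", "qwerty", "dragon"]:
        print(guess, attempt_login(throttle, "alice", "203.0.113.7", guess, check))
    # Other accounts from the same address burn the address budget, then get throttled.
    print("bob", attempt_login(throttle, "bob", "203.0.113.7", "x", check))
    print("carol", attempt_login(throttle, "carol", "203.0.113.7", "x", check))
```

Neither limit is sufficient on its own: a per-account rule alone can be turned into a denial of service against the victim, and a per-address rule alone is defeated by spreading guesses across many addresses. Combining both, with a capped delay rather than a hard lockout, keeps guessing slow while a genuine user who eventually types the right password is let in and the backoff is cleared.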

Are the password’s days numbered?

While the password won’t be going anywhere soon, there are some alternatives you should consider.

  • “Magic” links. These are currently used by sites like Blendle. You click on an article, it asks if you would like a magic link and then sends one to you via email. The link carries a random token that is valid for a single use and expires after a few minutes. In effect it delegates authentication to your email provider. The only downside is that email isn’t as secure as people think (anyone who can read your inbox can log in as you), but for most things this is fine. Products like MobileIron Access do something similar for enterprise apps and cloud services.
  • Digital certificates. These have been around for years but are effective: a client certificate lets a device prove it holds a private key, and nothing typeable ever crosses the wire. They’re especially useful for things like IoT devices and service-to-service access to cloud-based services, where there is no human to type a password.
  • Adaptive authentication. This is the idea that you should have to do more to authenticate if you’re logging in from a bar or some dubious hotspot and trying to transfer £10,000 to a new payee than if you’re logging in from home to pay the gas bill you’ve paid every month for years. Banks are increasingly using this to improve security while keeping the user experience as frictionless as possible.
  • Behavioural analysis. One of the newer techniques uses machine learning to identify traits we probably don’t even notice and that are hard to mimic. An example is keystroke dynamics, sometimes called password cadence checking: it looks not just at which characters you type but at the timing between them. It is a useful signal for flagging logins that don’t match an account’s usual profile, though it works better as an extra factor than as a replacement for one.
  • Voice. It’s being used for everything, and it’s likely to play a role in authentication in the future. It’s easy to use and hard to fool when implemented properly, which means pairing it with liveness checks against recorded or synthesised speech.
  • New forms of biometrics. Biometrics can improve security, but many aren’t as secure as they might seem. We leave fingerprints around all over the place. It’s even been shown that a fingerprint can be recreated from a high-resolution photo taken from a distance. But new forms are emerging, like using the pattern of veins in your wrist and Apple’s fancy Face ID. Taking this a step further, some companies are now offering to implant a small chip in your wrist which can be used for authentication and a variety of other things.
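The reset-link item in the first list and the magic-link item above rely on the same mechanism: a random, single-use, short-lived token that is bound to one account and one purpose, and a request handler that doesn’t reveal whether an address is registered. This added example (mine, not the page’s or any product’s code) implements that in Python; `LinkTokens`, `request_reset` and the `app.example` URL are assumed names for illustration, and the in-memory store stands in for a database table.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set


@dataclass
class _IssuedToken:
    account: str
    purpose: str        # "reset" or "login": a reset token must never log someone in
    expires_at: float
    used: bool = False


class LinkTokens:
    """Issue and redeem the tokens carried by reset links and magic links.

    Hypothetical class for this example. The store is a dict; a real deployment
    would use a database table keyed the same way (by token digest).
    """

    def __init__(self, clock: Callable[[], float] = time.time, ttl: float = 600.0) -> None:
        self._clock = clock
        self._ttl = ttl                          # validity window in seconds (10 minutes)
        self._store: Dict[str, _IssuedToken] = {}

    def issue(self, account: str, purpose: str) -> str:
        """Return the raw token to embed in the emailed URL.

        Only its SHA-256 digest is stored, so a leaked table does not hand out live
        links, and looking up by digest avoids comparing the secret byte by byte.
        """
        token = secrets.token_urlsafe(32)        # 256 bits from the OS CSPRNG, not random.random()
        # Any earlier unused token for the same account and purpose is superseded.
        for rec in self._store.values():
            if rec.account == account and rec.purpose == purpose:
                rec.used = True
        self._store[self._digest(token)] = _IssuedToken(
            account, purpose, self._clock() + self._ttl)
        return token

    def redeem(self, token: str, purpose: str) -> Optional[str]:
        """Return the account the token belongs to, or None; a valid token is consumed."""
        rec = self._store.get(self._digest(token))
        if rec is None or rec.used or rec.purpose != purpose:
            return None
        if self._clock() > rec.expires_at:
            return None
        rec.used = True                          # single use, even if the email is opened twice
        return rec.account

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()


def request_reset(tokens: LinkTokens, email: str, known_accounts: Set[str],
                  send_mail: Callable[[str, str], None]) -> str:
    """Handle a "forgotten password" form without revealing whether the email is registered."""
    if email in known_accounts:
        link = "https://app.example/reset?token=" + tokens.issue(email, "reset")
        send_mail(email, link)
    # Identical response either way, so the form cannot be used to enumerate accounts.
    return "If that address is registered, a reset link has been sent."


if __name__ == "__main__":
    # Constructed demo: one registered address and a mail sender that just collects links.
    outbox = []
    tokens = LinkTokens()
    print(request_reset(tokens, "alice@example.com", {"alice@example.com"},
                        lambda to, link: outbox.append((to, link))))
    print(request_reset(tokens, "nobody@example.com", {"alice@example.com"},
                        lambda to, link: outbox.append((to, link))))
    print("mails sent:", len(outbox))
    raw = outbox[0][1].split("token=")[1]
    print("as login token:", tokens.redeem(raw, "login"))   # None: wrong purpose
    print("as reset token:", tokens.redeem(raw, "reset"))   # alice@example.com
    print("second use:", tokens.redeem(raw, "reset"))       # None: already consumed
```

A magic-link login is the same flow with purpose `"login"`: issue a token, email the URL, and redeem it on the click. Keeping the purpose in the record matters because a reset token that also logged the user in would let a password-change link double as a session, and superseding earlier tokens means only the most recently sent link in someone’s inbox is live.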

There’s a pretty good chance that passwords will still be around in ten years; after all, they’ve survived for millennia and we still haven’t got rid of cheques. This isn’t the end of the password (heck, we’re probably not even close to that), but hopefully they’ll play less of a role in the near future.

Posted by John on 22 May 2019