Passwords Alone Cannot Save You (2 of 4)
This post is the second in a series of four about the current role of passwords in cybersecurity. Specifically we will explore and explain how the changing threat environment moves the password from primary identity confirmation to a more supporting role.
While our focus here at Pythia Cyber is helping companies make the best choices in their cybersecurity, this series also touches on the user experience. We are all users, and that shared experience is a useful way to describe how cybersecurity should be deployed inside your organization.
The first post in this series is here. The third post is here. The fourth post is here.
When computer passwords were first introduced, the idea seemed simple: a secret word that you know, and no one else does, can identify you as who you are. But computers are also used for spell-checking, which means someone has already built dictionaries of every known word. It doesn’t take long to realize that feeding each word of the dictionary into the password-checker is going to break a lot of passwords. This is the classic “dictionary attack”, and it is usually run offline against a stolen copy of the password database, so a lockout or rate limit on the login page does nothing to stop it.
So the industry started drilling us in creating “strong” passwords. It created rules: a password must be 16 characters long, contain upper-case and lower-case letters, a number, and maybe a punctuation mark. But now the password is nearly impossible to remember! So people either wrote it down (insecure the moment someone else finds the scrap of paper), or they found one password that passed the test but was still memorable, and then reused that “strong” password on all their accounts. This is the worst outcome, because if your password leaks from, say, the website of the local swimming pool, which probably does not have very good security, and that is also your password for your investment accounts, the exposure is severe. Attackers routinely take the username-and-password pairs from one breach and try them on every other site they can find, precisely because reuse is so common.
A friend notes that some people confuse “obscure” passwords with “strong” passwords. For example, a word (or an author’s name) in a non-English language might seem obscure in day-to-day social interaction, but to a cracking program it is still just a string of letters in some dictionary, and just as guessable as an English word.
Automated password-guessing is the industrialized form of this attack. The guessing rules have evolved alongside the “strong”-password rules and the habits people developed to satisfy them: capitalize the first letter, swap an o for a 0, stick a digit or an exclamation mark on the end. A cracking tool simply applies all of those variations to every dictionary word. But the news item linked from the last post shows a further escalation: the attackers have effectively crowd-sourced their password generator, feeding the results of successful attacks into the next round, and they have a dictionary of 16 billion passwords. I don’t know about you, but I’m pretty sure any password I can remember is in those 16 billion entries somewhere.
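To make the dictionary-plus-rules attack concrete, here is an added example (my own illustration, not code from the original post). It takes a tiny constructed wordlist, including a few non-English words, applies the kind of mangling rules cracking tools use, and runs the candidates against a constructed table of unsalted SHA-256 hashes. The usernames, words and hashes are all invented for the demonstration; a real attacker would use a wordlist with millions or billions of entries. Note which accounts fall and which one does not.

```python
import hashlib

# Constructed sample dictionary. The last three entries are German, Spanish
# and Italian for "butterfly": obscure to a person, just strings to a cracker.
# A real attack loads millions of entries from a wordlist file instead.
WORDLIST = [
    "password", "summer", "dragon", "welcome",
    "schmetterling", "mariposa", "farfalla",
]

# Substitutions people use to satisfy "must contain a digit or symbol" rules.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "$"})
SUFFIXES = ["!", "1", "123", "2024", "2025"]


def mangle(word):
    """Yield the human-style variants of one base word.

    These mirror the 'rules' a cracking tool applies to every dictionary
    entry, so capitalization, digits and symbols add almost no strength.
    """
    bases = {
        word,
        word.capitalize(),
        word.upper(),
        word.translate(LEET),
        word.capitalize().translate(LEET),
    }
    for base in bases:
        yield base
        for suffix in SUFFIXES:
            yield base + suffix
        for n in range(100):          # appended year-less digits 0..99
            yield f"{base}{n}"
            yield f"{base}{n}!"


def sha256_hex(text):
    """Unsalted SHA-256 of a string, hex encoded (a weak way to store passwords)."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def crack(stolen_hashes):
    """Run every mangled dictionary word against a stolen hash table.

    stolen_hashes: dict username -> hex digest.
    Returns dict username -> recovered password for every account that fell.
    With unsalted hashes one digest lookup checks a guess against all users;
    salting and a slow hash (bcrypt, scrypt, Argon2) raise the per-guess cost,
    but a password that is a dictionary word still falls, just more slowly.
    """
    by_hash = {digest: user for user, digest in stolen_hashes.items()}
    recovered = {}
    for word in WORDLIST:
        for candidate in mangle(word):
            user = by_hash.get(sha256_hex(candidate))
            if user is not None and user not in recovered:
                recovered[user] = candidate
    return recovered


# Constructed "dumped" password table. In practice this comes from a breach;
# here the digests are computed from the invented passwords for the demo.
SAMPLE_HASHES = {
    "alice": sha256_hex("P4$$w0rd!"),        # passes every complexity rule
    "bob":   sha256_hex("Schmetterling1"),   # "obscure" German word plus a digit
    "carol": sha256_hex("Dragon2025"),
    "dave":  sha256_hex("SUMMER99!"),
    "erin":  sha256_hex("glacier-tuba-oxide-marmalade"),  # random four-word passphrase
}

if __name__ == "__main__":
    for user, password in crack(SAMPLE_HASHES).items():
        print(f"{user}: {password}")
```

Every account except erin’s falls to a seven-word dictionary and a handful of rules, even though each of those passwords satisfies a typical “strong password” policy. Erin’s passphrase survives only because its four words were chosen at random, not because it is long or contains punctuation; a wordlist of 16 billion real passwords would still not contain that particular combination, which is the property that matters.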
So the idea of a secret word that you can remember but no one else can guess is no longer realistic. How can we do better? See the next post, Strengthening Login Security.