Tuesday, January 15, 2013

Something You Forgot - 3 Factors of Fail (part 2)

   Last week we started talking about authentication and listing the 3 factors of authentication.  This 2nd in the 5-part series will look at the 1st factor.

   The 1st factor of authentication is "something you know".  We usually think of this as passwords, but there can be other forms like: PINs; lock combinations; "secret" phrases (the phrase that pays!); picture identification; and secret pattern (like on your smartphone).

   There are a few fundamental problems here.  And they are mostly caused by something we can't change... we're trying to authenticate a human! (usually)  So, rather than something we know, these authentication methods rapidly deteriorate into something you forgot.  Here's why...

   Not Simple.  We're trying to identify someone based on something they know.  So it would probably be good if that thing they know is not easily guessed by someone else.  If it is guessable, then we might mistakenly grant rights to the imposter rather than our original known party.  To make the mistake worse, anything the imposter does would be attributed to the original party.  This means that the thing you know (password, PIN, etc) needs to be not-simple.  Unfortunately, figuring out what is not-simple is... wait for it... not simple!  But, simple is memorable.  The opposite of simplicity is...

   Complexity. The common "solution" to prevent the use of guessable passwords is to create and enforce complexity requirements.  A common complexity requirement is that a password must be 8 characters or longer and must contain: upper and lower case characters; numbers, and; special characters (punctuation).   So smart users work around this by simply substituting numbers and punctuation into common works - making the password more guessable!  Following the complexity requirements makes the password more difficult to create and should effectively look like...

   Nonsense.  Some sites or organizations create random passwords for a user.  These will look like nonsense words, or might not even look like anything recognizable for the user. But our brains are wired to match known patterns like words.  So as we increase complexity, we get passwords that are hard to commit to...

   Memory.  After all, we need to remember the password so we can enter it at an authentication prompt.  We need complexity to prevent guessing, but this makes it harder to memorize which leads us to 3 key issues:

   1. Bad Choices - people can comply with the complexity requirement but still choose a bad password.  For instance, NYG1@nts! meets a "stringent" complexity requirement (8 characters, upper/lower case, numbers, special characters), but is a bad choice, especially if you know I'm a Giants fan.  Of course we also know that in the absence of requirements, people can make really bad password choices.

   2. Entry/Shoulder surfing - a password that is hard to remember is likely harder to enter because a user is thinking about each character.  This makes it easier for an onlooker to observe the password.  This is a bigger issue with shorter authentication strings like a PIN.

   3. Writing it down - the classic bad password choice is writing it on a note taped to a monitor or under the keyboard.  Writing down a password is not automatically a bad thing, as Schneier describes here, just use care and know your surroundings!

   With all those problems, there's one more thing we do to really make matters worse...

   Expiration.  Just when someone may have actually memorized a good, complex, nonsense password, that they don't need to write down and can enter quickly, what do we in the security profession do?... we follow "best practice" (I hate the phrase!) and make them change it through expiring the password.  What a useless practice! Blanket expiring passwords on the off chance that someone may have stolen it is like regularly changing the locks to your house as a way to deter break-ins.  If someone has stolen the keys to your house, you possibly should change the locks.  And if you have reason to believe that your password has been compromised then you should change it.  I'll rant more on this sub-topic another day.

   Secret questions.  With all the crazy "rules" we have around passwords, combined with the fact that people just need too many passwords to exist in our online world, passwords invariably become something we forget.  A common "fix" for this is to use "secret questions".  We've all seen these common questions for which we supply answers.  Unfortunately, secret questions all too often fit our first scenario above... the answers are too simple and guessable.  This is sometimes called the Sarah Palin attack, alluding to the hack of her webmail because the answers to her secret questions were easily found in her wikipedia profile. Of course, the answers to your secret questions don't have to be the true answers... as long as you know what answer you gave.

   Help desks.  Sometimes when you've forgotten your password and the answers to your secret questions, you end up at a help desk (online or IRL (in real life)).  Unfortunately, help desks are hackable through social engineering or basic flaws in their processes, as was illustrated in the Mat Honan saga.

   Perhaps you agree with me that passwords generally fail as an authentication method, primarily because the implementation rules simply intersect with human weaknesses.

   But, we can't end without a few potential solutions.  None of these fully solve the problems, but we can make things better using:

   1. Length - rather than focusing on complexity, we can create memorable, difficult-to-guess passwords by sticking with letters and creating long passphrases.  For instance, a line from a favorite song, poem or book is memorable and far more difficult to guess or crack.  I'll talk about the math here sometime in the future.

   2. vaults - I really like the use of password vaults.  I wrote about them here.  A vault is an encrypted file in which you can store your passwords.  Of course, you need to secure your vault, and that most often is with a password!  It best be a very good one.  And you really need to remember that one.  Or perhaps store it somewhere safe.... like in a vault! :-)

   3. OTP or One Time Passwords - as the name implies, one time passwords are passwords you use... once.  After that, the password is no longer valid.  This mitigates many of the issues we listed above, but creates a new challenge... Somehow we need to deliver this single use password to the user.  We'll talk about that in the next part of the series.

   What do you think about passwords?  What solutions do you or your organization use to make passwords more useful and friendly?  Are there other good "something you know" authentication methods?

No comments:

Post a Comment