Passwords are one of the oldest and most common ways of authenticating users online. They are also one of the weakest and most outdated means of protecting our data and privacy.
The Good
Passwords are easy to use and, at least when they are short and simple, easy to remember. They require no additional hardware or software, unlike biometrics or hardware tokens, and they can be replaced quickly and cheaply. They are also supported by practically every website and application, which makes them convenient and accessible for users.
In addition, a password-based login can today be backed by a range of server-side measures that make a stolen or guessed password much less useful, on top of the familiar ones such as MFA, salted password hashing and biometrics. In loose order:
- Analysing additional attributes of the login, such as IP address, user agent, location and click or typing behaviour, and challenging logins that deviate from the account's history.
- Notifying users when a new device logs in and, where possible, requiring a second factor (e.g. via e-mail) before the device is trusted.
- Showing users their activity and login history, including currently logged-in devices, prominently enough that they can spot a malicious session themselves.
- Detection across accounts: identifying accounts that are under brute-force attack, or an unusual number of accounts showing login events in a short time frame (e.g. a bot trying leaked credentials against a large set of accounts, i.e. credential stuffing or password spraying).
- Captchas or other bot challenges.
- Conditional access, including device compliance checks.
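The cross-account detections in this list are straightforward to sketch. The following Python script is an added example, not code from the original post: it runs three of the checks above (per-account brute force, one source touching many accounts, and a successful login from a device the account has never used) over a small, constructed login log. The log format, the thresholds and the use of the user-agent string as the "device" identifier are assumptions made for illustration; a real deployment would baseline its own thresholds and fingerprint devices more robustly.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Tunables (assumed values for the example; real thresholds come from baselining).
WINDOW = timedelta(minutes=5)
FAIL_THRESHOLD = 5    # failed attempts on one account within WINDOW -> brute force
SPRAY_THRESHOLD = 4   # distinct accounts touched by one IP within WINDOW -> stuffing/spraying

# Constructed sample log (not real data). Hypothetical line format:
#   <ISO-8601 timestamp>|<user>|<source ip>|<user agent>|<success|failure>
SAMPLE_LOG = """\
2024-05-01T10:00:00Z|alice|203.0.113.7|Firefox/125|success
2024-05-01T10:30:00Z|alice|203.0.113.7|Firefox/125|success
2024-05-01T10:40:00Z|bob|198.51.100.9|python-requests/2.31|failure
2024-05-01T10:40:10Z|bob|198.51.100.9|python-requests/2.31|failure
2024-05-01T10:40:20Z|bob|198.51.100.9|python-requests/2.31|failure
2024-05-01T10:40:30Z|bob|198.51.100.9|python-requests/2.31|failure
2024-05-01T10:40:40Z|bob|198.51.100.9|python-requests/2.31|failure
2024-05-01T10:50:00Z|carol|192.0.2.50|Chrome/124|failure
2024-05-01T10:50:05Z|dave|192.0.2.50|Chrome/124|failure
2024-05-01T10:50:10Z|erin|192.0.2.50|Chrome/124|success
2024-05-01T10:50:15Z|frank|192.0.2.50|Chrome/124|failure
2024-05-01T11:00:00Z|alice|203.0.113.7|curl/8.0|success
"""


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    user: str
    ip: str
    agent: str
    ok: bool


def parse_line(line: str) -> LoginEvent:
    ts, user, ip, agent, result = (f.strip() for f in line.split("|"))
    return LoginEvent(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                      user, ip, agent, result == "success")


def _trim(q: deque, now: datetime) -> None:
    """Drop queue entries older than WINDOW (entries are tuples starting with ts)."""
    while q and now - q[0][0] > WINDOW:
        q.popleft()


def analyse(lines):
    """Return alerts in the order they would fire while streaming the log."""
    events = sorted((parse_line(ln) for ln in lines if ln.strip()), key=lambda e: e.ts)
    failures = defaultdict(deque)      # user -> (ts,) of failed attempts
    per_ip = defaultdict(deque)        # ip -> (ts, user, ok) of all attempts
    known_devices = defaultdict(set)   # user -> agents seen on successful logins
    seen = set()                       # de-duplicate alerts per account / ip
    alerts = []
    for e in events:
        # 1. Brute force against a single account.
        if not e.ok:
            q = failures[e.user]
            q.append((e.ts,))
            _trim(q, e.ts)
            if len(q) >= FAIL_THRESHOLD and ("bf", e.user) not in seen:
                seen.add(("bf", e.user))
                alerts.append(("brute_force", e.user, e.ip))
        # 2. One source touching many accounts: credential stuffing / password spraying.
        q = per_ip[e.ip]
        q.append((e.ts, e.user, e.ok))
        _trim(q, e.ts)
        accounts = {u for _ts, u, _ok in q}
        if len(accounts) >= SPRAY_THRESHOLD and ("spray", e.ip) not in seen:
            seen.add(("spray", e.ip))
            # Accounts the attacker already got into need a forced reset first.
            hits = tuple(sorted(u for _ts, u, ok in q if ok))
            alerts.append(("credential_stuffing", e.ip, len(accounts), hits))
        # 3. Successful login from a device this account has never used -> notify the user.
        #    The first successful login establishes the baseline and is not flagged.
        if e.ok:
            if known_devices[e.user] and e.agent not in known_devices[e.user]:
                alerts.append(("new_device", e.user, e.agent))
            known_devices[e.user].add(e.agent)
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run on the sample, the script fires one alert per finding: bob's account is being brute-forced from 198.51.100.9, 192.0.2.50 has tried four different accounts within a minute and already succeeded against erin, and alice has a successful login from a user agent she has never used before. The third finding is exactly the case where a "new device" notification and a second-factor challenge pay off even though the password itself was correct.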
The Bad
Passwords have many drawbacks and limitations, especially when they are used alone. Some of the problems with passwords are:
- They can be guessed, cracked or stolen, especially if they are weak, reused across services, or exposed in data breaches.
- They can be forgotten, lost or mishandled by users, especially when they are complex, numerous, or not stored securely.
- They can be phished, intercepted or replayed by attackers, especially if they are transmitted or stored in plain text, or if the communication channel or the server is not properly encrypted and protected.
These problems lead to serious consequences, such as identity theft, fraud, data loss and privacy violations. Even recent breaches, such as the 2023 credential-stuffing attack on 23andMe, were only possible because accounts were protected by a password alone: passwords reused from earlier breaches were tried against accounts that had no second factor.
The Ugly
Passwords are not only a technical issue, but also a legal and social one. In Germany, the current legislation on cybersecurity is flawed and insufficient. Under the Criminal Code, accessing data without authorisation is only punishable if "the offender circumvented security mechanisms" (§ 202a StGB). In practice this means that even the simplest and most obvious password, such as "1234" or "password", is treated as a security mechanism, because otherwise there would be no legal hold against the attacker. If you walk into a house with the key left in the door, that is still against the law. In cybersecurity it is only against the law if "the attacker circumvented security mechanisms". This makes life hard for cyber defence teams: they cannot argue towards their digital supply chain that a weak password is not a suitable security mechanism, because legally it counts as one.
On the other hand, this also puts the blame and responsibility on users, who are often not security-aware and cannot be expected to follow best practices for password management. Think about your parents, or your grandparents, or anyone who is not familiar with the latest technology and threats. How can we ask them to create and remember strong, unique passwords for every account and service they use? How can we blame them if their passwords are hacked or leaked? The liability must lie with the providers and developers.
The Solution
The solution to the password problem is neither simple nor straightforward. It requires a combination of technical, legal and social measures. Some of the possible steps are:
- Implementing and enforcing secure access policies and standards for websites and applications: HTTPS throughout, storing passwords only as salted, deliberately slow hashes (bcrypt, scrypt or Argon2id rather than a bare MD5 or SHA-256), and applying the principle of least privilege.
- Holding companies and organisations accountable and liable for any data breach or security incident that involves passwords, and imposing strict penalties and sanctions for negligence or violations. This does not mean that attackers should not be held legally responsible, too.
- Educating and raising awareness among users and the public about the importance and best practices of password security, such as using password managers, choosing long and unique passwords, changing a password as soon as there is any sign it has been compromised (mandatory periodic rotation is no longer recommended, see NIST SP 800-63B), and enabling multi-factor authentication (MFA).
- Require(!) your providers to implement additional measures that detect malicious behaviour even if the password has been stolen or guessed, e.g. by analysing user agents, location and bot-like click behaviour.
- Adopting and promoting alternative or complementary forms of authentication, such as passkeys (FIDO2/WebAuthn), hardware tokens, biometrics or behavioural analysis, that offer higher levels of security and usability.
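"Hashing and salting" is the one item in this list that developers get wrong most often, so here is the weak pattern beside the hardened one. This is an added example written for this page, not code from the original post or from any particular provider; it uses only the Python standard library. The parameters are assumptions: PBKDF2-HMAC-SHA256 with 600,000 iterations (the OWASP 2023 figure) is used because it ships with Python, while a memory-hard function such as Argon2id or scrypt is preferable where a library is available. The "common passwords" list is constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import os

# ---- The "before": what a breached database must never contain ------------------
def weak_store(password: str) -> str:
    """Unsalted, fast hash. Identical passwords give identical hashes, and a
    precomputed table (or a GPU) reverses common ones in no time."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

# A constructed lookup table of a few common passwords, the way an attacker
# precomputes it once and reuses it against every breach dump.
COMMON = ["123456", "password", "qwerty", "1234", "letmein"]
WEAK_LOOKUP = {weak_store(p): p for p in COMMON}

def crack_weak(stored: str):
    """Offline cracking of an unsalted hash is a dictionary lookup."""
    return WEAK_LOOKUP.get(stored)

# ---- The "after": salted, slow, verified in constant time ------------------------
ALGO = "pbkdf2_sha256"   # assumed record label, so old records can be recognised later
ITERATIONS = 600_000     # assumed work factor (OWASP 2023 figure for PBKDF2-HMAC-SHA256)
SALT_BYTES = 16

def _b64(b: bytes) -> str:
    return base64.b64encode(b).decode("ascii")

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt$hash."""
    salt = os.urandom(SALT_BYTES)   # fresh random salt per password, never reused
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGO, str(iterations), _b64(salt), _b64(dk)])

def verify_password(stored: str, password: str) -> bool:
    algo, iterations, salt_b64, dk_b64 = stored.split("$")
    if algo != ALGO:
        raise ValueError("unsupported password hash: " + algo)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    # Constant-time comparison: a plain == leaks how many leading bytes matched.
    return hmac.compare_digest(candidate, expected)

def needs_rehash(stored: str) -> bool:
    """Call after a successful login so old records migrate to current parameters."""
    algo, iterations, _salt, _dk = stored.split("$")
    return algo != ALGO or int(iterations) < ITERATIONS

if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password(rec, "correct horse battery staple"))   # True
    print(verify_password(rec, "Tr0ub4dor&3"))                    # False
    print(crack_weak(weak_store("password")))                     # 'password'
```

Two things to check in your own code base against this shape: every stored record carries its own salt and work factor (so the parameters can be raised later without a forced reset), and the comparison on login is constant-time. If a dump of your user table would let an attacker run `crack_weak` over it, the passwords are, for practical purposes, stored in plain text.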