SoS Musings #52 - Passwords Are Still Here and in Need of Improvement

Despite the rising popularity of biometric authentication, passwords remain a widely used way to verify a user's identity before granting access to a device, application, or website. Passwords persist because they have no compatibility issues, do not produce the false accepts and false rejects a biometric matcher can, do not depend on information that may already be public (such as facial images), are easy to replace when compromised, and so on. Yet the problems that come with passwords are significant: theft, reuse, and weak creation. According to Verizon's 2021 Data Breach Investigations Report (DBIR), credentials are still the primary means by which a malicious actor breaks into an organization, with 61 percent of breaches involving the use of credential data. Because password authentication remains so common, the security community must keep exploring ways to improve it: passwords are a weak link and a common source of cybersecurity vulnerabilities and incidents.

Studies have highlighted the scale of the problem. People often reuse the same password across many online accounts because keeping track of many passwords is hard, and reuse raises the odds that a credential stuffing attack succeeds. In these attacks, usernames and passwords stolen in one breach are fed, usually by automated tooling, into the login pages of other services in the hope that the victim used the same credentials there. An online security survey conducted by Google found that at least 65 percent of people reuse the same password for multiple, if not all, of their accounts. Another survey, by LastPass, found that 91 percent of people know the risk of reusing a password across sites, yet 66 percent do it anyway. Between January and March 2019, Microsoft's threat research team scanned all Microsoft Services Accounts and Azure AD accounts and found 44 million users whose usernames and passwords had been leaked online after breaches at other services; Microsoft used the scan to identify customers reusing passwords across services and force a password reset. Besides reusing passwords, people cope with the burden of remembering many passwords by creating ones that are easy to remember and therefore easy to guess. The CyberNews Investigation Team analyzed 15.2 billion passwords and found that only 2.2 billion were unique; the same 2021 study found that the five most common passwords were "123456," "123456789," "qwerty," "password," and "12345." A study by researchers at Carnegie Mellon University, a Science of Security Lablet, pointed out how rarely people change their passwords, or choose stronger ones, after a data breach: only 13 percent of participants with accounts on breached domains changed their passwords, and those who did often chose passwords weaker than their previous ones. The new passwords were also found to be more similar to the passwords those users had on other online accounts.
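
As an added, self-contained illustration of the kind of check behind the Microsoft scan described above (this is example code, not Microsoft's tooling or anything from the page): the client hashes the submitted password locally, reveals only the first five hex characters of its SHA-1 hash to the lookup service, and matches the remainder itself, which is the k-anonymity "range" scheme used by the public Have I Been Pwned Pwned Passwords API. The breach corpus, its index, and the sign-in events are constructed here so the example runs offline; the names `build_range_index`, `pwned_count` and `users_needing_reset` are this example's own.

```python
import hashlib

# Constructed stand-in for a breach corpus (NOT real leak data): password -> number of
# times it appeared in leaked credential dumps. Counts are made up for the demo.
CONSTRUCTED_LEAK_CORPUS = {
    "123456": 120000,
    "123456789": 55000,
    "qwerty": 41000,
    "password": 39000,
    "12345": 27000,
    "Summer2021!": 3,
}


def sha1_hex_upper(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Index the corpus the way a range API serves it: 5-hex-char prefix -> {35-char suffix: count}."""
    index = {}
    for password, count in corpus.items():
        digest = sha1_hex_upper(password)
        index.setdefault(digest[:5], {})[digest[5:]] = count
    return index


def range_lookup(index, prefix):
    """The only call that crosses the trust boundary: the lookup side learns a 5-character
    prefix, never the full hash, and returns every suffix it holds under that prefix."""
    if len(prefix) != 5:
        raise ValueError("range queries take exactly 5 hex characters")
    return dict(index.get(prefix.upper(), {}))


def pwned_count(index, password):
    """Client side: hash locally, query by prefix only, match the suffix locally."""
    digest = sha1_hex_upper(password)
    return range_lookup(index, digest[:5]).get(digest[5:], 0)


def users_needing_reset(index, login_events):
    """login_events: (username, password) pairs observed at sign-in, the one moment the
    plaintext is available to the service. Users whose password appears in the corpus
    are the ones to force through a reset."""
    return sorted({user for user, pw in login_events if pwned_count(index, pw) > 0})


LEAK_INDEX = build_range_index(CONSTRUCTED_LEAK_CORPUS)

# Constructed sign-in events for the demo (not real accounts).
CONSTRUCTED_LOGINS = [
    ("alice", "123456"),
    ("bob", "kx9!Vq-rattle-meadow-47"),
    ("carol", "password"),
    ("dave", "Summer2021!"),
]

if __name__ == "__main__":
    for user, pw in CONSTRUCTED_LOGINS:
        print(f"{user}: password seen {pwned_count(LEAK_INDEX, pw)} times in leaks")
    print("force reset:", users_needing_reset(LEAK_INDEX, CONSTRUCTED_LOGINS))
```

Against the real service the `range_lookup` call becomes an HTTPS GET of `https://api.pwnedpasswords.com/range/<prefix>`; everything else, including the rule that the full hash never leaves the client, stays the same. Note that a single hit is enough to force a reset: the count only tells you how cheaply an attacker can find the password in a stuffing list.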

Research efforts have been made to inform and strengthen password creation, usability, and security. The passwords research group in Carnegie Mellon's CyLab Security and Privacy Institute developed a science-backed password-creation policy that balances security and usability. The policy is intended to let users create passwords that are both easier to remember and more secure against sophisticated attackers. It does away with composition rules about uppercase and lowercase letters, numbers, and symbols; instead, a password must be at least 12 characters long and pass a real-time strength test developed by the CyLab researchers. Their data showed that requiring more character classes (uppercase letters, symbols, and digits) improves password strength less than other requirements do, and often hurts usability. The CyLab password-strength meter is driven by an artificial neural network small enough to run inside a web browser, and it gives the user a strength score and suggestions in real time. Using this meter, the researchers identified a combination of minimum strength and minimum length that led users to create passwords both stronger and more usable than those produced under common composition policies: a policy requiring both a minimum strength and a minimum length of 12 characters achieved a good balance. According to the researchers, minimum-strength policies can be configured to the desired security level and are easier to use alongside real-time requirements feedback in high-security settings.

Other groups have targeted password reuse and the way password secrets are stored. Researchers in the Computer Science department at the University of North Carolina published a paper proposing a way to force people to use a different password for each of their accounts: websites would coordinate password selection so that similar passwords cannot be used with the same account identifier across sites. The authors estimated that if the top 20 websites cooperated, they could significantly limit password reuse and the scope of hacked accounts. Researchers at the State Key Laboratory for Novel Software Technology and the Department of Computer Science and Technology at Nanjing University, China, proposed a model that addresses both online and offline attacks against passwords without asking users to put more effort into creating and memorizing them. In their model, the login system relies on two servers instead of one. The user keeps a short, memorable password that unlocks a longer, computer-generated password held in protected form; the key needed to recover that longer password is stored on the second server, while a copy of the true password is also kept on the user's device, so the memorable password effectively serves as one factor in two-factor authentication (2FA). According to the researchers, this approach would thwart attackers even with the most sophisticated tools. Security researchers at Tide, a nonprofit based in Sydney, Australia, developed a method called "splintering," which the organization claims makes passwords 14 million percent harder to crack. Splintering breaks the encrypted passwords in an authentication system into many small pieces and stores them on a decentralized distributed network, from which they are reassembled when needed; Tide's Delegated Automated Trustee node technology is intended to make it significantly harder for malicious actors to reconstruct passwords through brute-force guessing, reverse engineering, or similar means.

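Both the two-server model and Tide's splintering rest on the same property: no single server holds enough to recover the password, so an attacker must compromise several parties before brute-force guessing even becomes possible. The added example below is this page's own illustration of that property, not the Nanjing researchers' protocol nor Tide's Delegated Automated Trustee implementation (the page does not specify either). It uses Shamir's threshold secret sharing over a prime field: a long, computer-generated credential is split into n shares of which any k reconstruct it, while fewer than k shares reveal nothing about it. The field prime, the share parameters, the demo credential and the function names are assumptions of this example.

```python
import hashlib
import secrets

# Mersenne prime field large enough to hold a 256-bit credential (our choice for the demo).
PRIME = 2**521 - 1


def generate_long_password():
    """The long, computer-generated credential the user never has to remember: 32 random bytes as hex."""
    return secrets.token_hex(32)


def password_to_int(hex_password):
    return int(hex_password, 16)


def int_to_password(value, nbytes=32):
    return value.to_bytes(nbytes, "big").hex()


def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, n, k):
    """Shamir split: n shares (x, f(x)) of a random degree k-1 polynomial with f(0) = secret.
    Any k shares reconstruct the secret; k-1 or fewer are consistent with every possible secret."""
    if not (0 <= secret < PRIME and 1 <= k <= n < PRIME):
        raise ValueError("bad parameters")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over the field; needs at least k distinct shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


# Constructed, deterministic demo credential; a deployment would call generate_long_password().
DEMO_PASSWORD = hashlib.sha256(b"constructed demo credential").hexdigest()


def demo_roundtrip(n=5, k=3):
    """Split the demo credential across n nodes and recover it from the first k shares."""
    shares = split_secret(password_to_int(DEMO_PASSWORD), n, k)
    return int_to_password(recover_secret(shares[:k])) == DEMO_PASSWORD


if __name__ == "__main__":
    shares = split_secret(password_to_int(DEMO_PASSWORD), 5, 3)
    print("any 3 of 5 shares recover it:", int_to_password(recover_secret(shares[1:4])) == DEMO_PASSWORD)
    print("2 shares give the wrong value:", recover_secret(shares[:2]) != password_to_int(DEMO_PASSWORD))
```

In a deployment each share would live on a different node, and a node would release its share only after the user's memorable password (and, in the two-server model, the device-held factor) had been verified; an attacker who steals one node's database gets a share that is statistically independent of the credential, so there is nothing to brute-force offline. Shares must come from a cryptographic source, which is why the block uses `secrets` rather than `random`.
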
Although alternatives to passwords exist, such as biometrics, the security community must keep working to improve the security and usability of passwords, since they remain the dominant means of authentication on the Internet and their abuse by malicious actors can lead to the exposure of personal information and to identity theft.