posted by janrinok on Monday October 07 2024, @08:20PM
from the iatrogenic-cybersecurity dept.

A lot of security myths have acquired lives of their own and been taken as facts. Dr. Andy Farnell, over at the Cyber Show's blog, has posted an item about where passwords can still fit in as part of general authentication, despite what fleets of salesmen selling authentication gimmicks tell us.

Security models: password or tracker?

Indeed, people do not discriminate between two vastly different security models that should really be obvious with a moment's thought. The question is, "who is the security for?"

A security scheme that asks you to carry around a device which is connected permanently to a network, and which uses a mechanism that is entirely opaque to you, is a different kind of security. It is more than mere access control. It is not security for you.

It may pass for "something you have", but it also functions as a location or close-proximity biometric remote sensor for an observer elsewhere. It's a tracking device.

[...] Partly it's because we've been using passwords wrong for about the past 40 years. The new NIST document partially puts that right. It's also because there's a massive "security industry" that sells things - and you can't sell people the ability to think up a new password in their own head. Where's the profit in that?

Instead they'll tell you that you need a fangled security system of gadgets and retina scans, and that you're too stupid to be trusted with your own security. They are wrong. In most cases passwords are just fine if not better than alternatives, and in this post we're going to explain why.

Thus another theme of this essay is personal responsibility and the crux of the argument is that all security solutions which are not passwords solve problems that are not yours.

Like self-service checkouts at the supermarket that make customers into employees, they are a way of passing blame, liability, and work onto you in order to solve someone else's security problem. As Prof. Ross Anderson bluntly puts it:

"If Alice guards a system but Bob pays the cost of failure, you can expect trouble."

Cybersecurity has become more harmful than helpful in many cases, and biometrics are more of a user name than a password, despite the constant misuse as the latter.

Previously:
(2024) NIST Proposes Barring Some of the Most Nonsensical Password Rules
(2024) VISA and Biometric Authentication
(2023) A Fifth of Passwords Used by Federal Agency Cracked in Security Audit
(2020) Here's Yet Another Reason Why You Really Should Start Using Better Passwords



Related Stories

Here's Yet Another Reason Why You Really Should Start Using Better Passwords 32 comments

After analyzing 15 billion passwords, these are the most common phrases people use:

[...] the CyberNews Investigation team was interested in what kind of patterns everyday people were using in creating their own passwords. We collected data from publicly leaked data breaches, including the Breach Compilation, Collection #1-5, and other databases. We then anonymized the data and detached the passwords so that we could look at that data in isolation.

In total, we were able to analyze 15,212,645,925 passwords, of which 2,217,015,490 were unique. We discovered some interesting things about the way that people create passwords: their favorite sports teams, cities, food and even curse words. We could even deduce the probable age of the person by looking at which year they use in their password.

As the data came in various forms, we filtered the results to only include terms that we could make sense of, and from which we could gather some insights.

[...] Of course, at this point this conversation has all become moot: the best passwords are the ones that you don't need to remember at all. For this reason, we normally strongly recommend that people use password managers. These easy-to-use tools will create very complex passwords for you that you don't even have to remember.

They mostly come as browser extensions that will create or fill in your usernames and passwords for you. The only thing you need to remember is one master password to use the password managers.

Now, if you noticed that your own personal passwords have similar patterns to the ones we analyzed, and that these passwords can be considered rather simple, we recommend you visit our Data Leak Checker to see if your email address and other personal data has been exposed in a data breach.

The CyberNews Data Leak Checker currently has the largest database of known breached accounts, with more than 15 billion compromised accounts. So, chances are that if your account has been leaked, we'll probably have a record of it.

(Emphasis from original retained here.)

Another useful site for checking if an email address has been compromised is: https://haveibeenpwned.com/.



A Fifth of Passwords Used by Federal Agency Cracked in Security Audit 20 comments

89% of the department's high-value assets didn't use multi-factor authentication:

More than a fifth of the passwords protecting network accounts at the US Department of the Interior—including Password1234, Password1234!, and ChangeItN0w!—were weak enough to be cracked using standard methods, a recently published security audit of the agency found.

[...] The results weren't encouraging. In all, the auditors cracked 18,174—or 21 percent—of the 85,944 cryptographic hashes they tested; 288 of the affected accounts had elevated privileges, and 362 of them belonged to senior government employees. In the first 90 minutes of testing, auditors cracked the hashes for 16 percent of the department's user accounts.

The audit uncovered another security weakness—the failure to consistently implement multi-factor authentication (MFA). The failure extended to 25—or 89 percent—of 28 high-value assets (HVAs), which, when breached, have the potential to severely impact agency operations.



VISA and Biometric Authentication 25 comments

Looks like VISA credit card has developed a way of storing biometric data on our cellphones, then use that as an authenticator.

https://reclaimthenet.org/visa-applies-for-biometric-authentication-patent

What could possibly go wrong here?

I guess I am really leery of cellphone security and app resilience. Is it so complex that it's too finicky to use? Does it require a good internet connection to work? ( Can you hear me now? ), or maybe it's based on QR codes?

I have been wrestling with a fast-food burger app over login issues. I am quite jaded over trusting anything I have to log on to to get a fresh timeout permission. For this, all I am risking is the cost of a trip to the restaurant vs. the likelihood the coupon offer will still work when I present at the register. ( The Wendy's Story already discussed here ).

How much impact would a denial-of-service cause for you? How robust is this technology? I've already seen the most expensive cars shut down for the most trivial crap. That's why I drive an old one made before their design became enshittified.

Cut n paste snippets below.

NIST Proposes Barring Some of the Most Nonsensical Password Rules 37 comments

https://arstechnica.com/security/2024/09/nist-proposes-barring-some-of-the-most-nonsensical-password-rules/

The National Institute of Standards and Technology (NIST), the federal body that sets technology standards for governmental agencies, standards organizations, and private companies, has proposed barring some of the most vexing and nonsensical password requirements. Chief among them: mandatory resets, required or restricted use of certain characters, and the use of security questions.

Choosing strong passwords and storing them safely is one of the most challenging parts of a good cybersecurity regimen. More challenging still is complying with password rules imposed by employers, federal agencies, and providers of online services. Frequently, the rules—ostensibly to enhance security hygiene—actually undermine it. And yet, the nameless rulemakers impose the requirements anyway.

[...] A section devoted to passwords injects a large helping of badly needed common sense practices that challenge common policies. An example: The new rules bar the requirement that end users periodically change their passwords. This requirement came into being decades ago when password security was poorly understood, and it was common for people to choose common names, dictionary words, and other secrets that were easily guessed.



This discussion was created by janrinok (52) for logged-in users only, but now has been archived. No new comments can be posted.
  • (Score: 5, Insightful) by aafcac on Monday October 07 2024, @08:33PM (6 children)

    by aafcac (17646) on Monday October 07 2024, @08:33PM (#1376142)

    I do think it's worth noting that the sad state of 2FA is the actual problem here. People should be able to set a password that's secure enough to keep an adversary from cracking it in under some reasonable multiple of whatever time to live you've got from the 2FA and that should be good enough for most practical applications. The problem though is that much of the 2FA in use is completely useless stuff like a voice mail or email to an unsecured mailbox where they can get the code directly after already knowing everybody's phone numbers from a directory.

    In theory, no matter how stupid the password is, the 2FA is supposed to scuttle the attempt to log in without that.

    • (Score: 1) by shrewdsheep on Tuesday October 08 2024, @07:13AM (5 children)

      by shrewdsheep (5215) Subscriber Badge on Tuesday October 08 2024, @07:13AM (#1376188)

      I personally hate 2FA and believe it's useless for people like me. If OTOH I would be a sys-admin of a large organization, I would still consider 2FA as there is a sizable population falling for phishing attacks. 2FA implementation matters indeed. I believe SMS verification is a reasonable approach, separating location access between parties.
       

      • (Score: 5, Interesting) by Rosco P. Coltrane on Tuesday October 08 2024, @10:53AM (3 children)

        by Rosco P. Coltrane (4757) on Tuesday October 08 2024, @10:53AM (#1376203)

        2FA is very useful, and while inconvenient, you should use it. It truly is the best thing you can do against account takeover.

        SMS 2FA is completely terrible though. If you need convincing, watch this [youtu.be].

        And if you wonder why big names like Google or Facebook still push SMS 2FA if it's that terrible, it's because it has one great advantage for them: it allows them to collect people's phone numbers under the guise of "security". In other words, they don't give the tiniest shit about your security: what they want is more of your data. TOTP or FIDO do nothing to help them collect data on you, which is why they aren't actively and aggressively pushing them like they should if they truly cared about security.

        • (Score: 3, Insightful) by SomeGuy on Tuesday October 08 2024, @12:00PM (1 child)

          by SomeGuy (5632) on Tuesday October 08 2024, @12:00PM (#1376208)

          Come up with a widely accepted 2FA method that does not require a smartphone and I'll finally consider 2FA as something other than a nazi-ific way to sell cell phones and collect personal data.

          Some of us don't own and don't want a smart phone or cell phone. Yet, from what I have seen the only "2FA" that has come to be fully accepted by big mindless companies is the use of some "app" on a stupid smart phone.

          • (Score: 2, Informative) by Anonymous Coward on Tuesday October 08 2024, @03:48PM

            by Anonymous Coward on Tuesday October 08 2024, @03:48PM (#1376223)

            TOTP doesn't require a phone. It will often be labeled "Google Authenticator" but you can use any app including many desktop password managers. Nor does "passkeys" (aka WebAuthn) which also can be handled by many password managers (including likely the one built into your browser). But you'll generally see those options on sites that really care about security like video games, not sites where security is actually important like your bank.
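The point made in the comment above, that TOTP needs no phone, is easiest to see from the algorithm itself. The following is an added example, not code from the thread or from any authenticator product: RFC 4226 HOTP and RFC 6238 TOTP with only Python's standard library, plus the server-side check that accepts adjacent 30-second steps. The key is the RFC test key ("12345678901234567890"), not a real credential, and the function names and the `verify_totp` window handling are this example's own.

```python
"""Added example (not from the thread or any authenticator app): RFC 6238
TOTP from scratch. A code is HMAC(shared_secret, time // 30) truncated to
six digits; any device with the secret and a clock can produce it."""
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test key, used here as a constructed demo secret.
RFC_TEST_KEY = b"12345678901234567890"
# QR codes and otpauth:// URIs carry the same key base32-encoded.
DEMO_SECRET_B32 = base64.b32encode(RFC_TEST_KEY).decode()


def hotp(key, counter, digits=6, algo=hashlib.sha1):
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then mod 10^digits, zero-padded."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key, t=None, step=30, digits=6, algo=hashlib.sha1):
    """TOTP (RFC 6238): HOTP with the counter = Unix time // step."""
    if t is None:
        t = int(time.time())
    return hotp(key, t // step, digits, algo)


def totp_from_base32(secret_b32, t=None, **kw):
    """Accept the base32 secret as shown in enrolment QR codes; tolerate
    lowercase, spaces and missing '=' padding, which apps commonly strip."""
    s = secret_b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return totp(base64.b32decode(s), t, **kw)


def verify_totp(key, submitted, t=None, step=30, digits=6, window=1):
    """Server-side check: accept the current step or +/-window neighbours
    to absorb clock drift. Every candidate is compared in constant time and
    the loop never exits early, so timing does not reveal which step matched."""
    if t is None:
        t = int(time.time())
    base = t // step
    ok = False
    for c in range(base - window, base + window + 1):
        if hmac.compare_digest(hotp(key, c, digits), submitted):
            ok = True
    return ok


if __name__ == "__main__":
    now = int(time.time())
    print("base32 secret:", DEMO_SECRET_B32)
    print("current code :", totp(RFC_TEST_KEY, now))
    print("verifies     :", verify_totp(RFC_TEST_KEY, totp(RFC_TEST_KEY, now), now))
```

The values for this key at t = 59 (six-digit 287082, eight-digit 94287082) are the ones published in RFC 4226 Appendix D and RFC 6238 Appendix B, which is a convenient way to check any implementation. A production verifier additionally records the last accepted counter per user so a code cannot be replayed inside its window, and rate-limits attempts; both are omitted here.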

        • (Score: 1, Informative) by Anonymous Coward on Tuesday October 08 2024, @11:10PM

          by Anonymous Coward on Tuesday October 08 2024, @11:10PM (#1376275)

          > why big names like Google or Facebook still push SMS 2FA ... it allows them to collect people's phone numbers

          Joke's on Google -- I set the phone number for text messages to my Google Voice phone number--which Google/Gmail offered to me many years ago for free.

          FB I could care less, don't have an account and don't want one.

          Like another poster in this thread, I don't have a smart phone (land line only) and don't want a cell phone either.

      • (Score: 3, Interesting) by aafcac on Wednesday October 09 2024, @05:04AM

        by aafcac (17646) on Wednesday October 09 2024, @05:04AM (#1376311)

        I personally like it, but I absolutely hate how many sites require that I use email or SMS. The email isn't as bad as I use proper 2FA on all my email accounts and the likelihood of anybody intercepting the details in time to actually use them is pretty slim.

        The phones though are completely inexcusable as there's often a voicemail option that goes to a voicemail box that may not be used and may not have any security at all.

        Personally, I prefer OTP or FIDO, although I do make a point of keeping a spare FIDO stashed away in case I misplace the primary one.

  • (Score: 5, Insightful) by ikanreed on Monday October 07 2024, @09:45PM

    by ikanreed (3164) on Monday October 07 2024, @09:45PM (#1376147) Journal

    It's another one of the problems that could be put in the box of "Big tech solutions to this are half-assed, dangerous, and worse for users, but slightly more convenient so they're going to be totally universal, and you don't even get another choice"

  • (Score: 3, Insightful) by Rosco P. Coltrane on Tuesday October 08 2024, @10:33AM

    by Rosco P. Coltrane (4757) on Tuesday October 08 2024, @10:33AM (#1376200)

    Why? Because if your fingerprint / retina print / DNA record or whatever is compromised, you can't change it.

  • (Score: 5, Insightful) by Rosco P. Coltrane on Tuesday October 08 2024, @10:46AM (3 children)

    by Rosco P. Coltrane (4757) on Tuesday October 08 2024, @10:46AM (#1376202)

    the time it takes to devise a safe and convenient way to dream up and remember secure passwords. It's not that complicated and it avoids the following solutions and their pitfalls:

    - Password managers: do you trust the software / software vendor? I don't. And even if you do, one technical screw-up and all your passwords are gone.
    - Hardware-based primary FA: lose the device, lose access.
    - Hardware-based 1FA or 2FA when the hardware is some proprietary app: you're at the mercy of the app's vendor. If your cellphone is too old, the app might fail to work and you need a new cellphone. If you run a deGoogled OS, the app may bitch and moan and you're SOL.
    - Tracker- or location-based: I don't want to be tracked. Fuck you.

    Also, any form of authentication that lives outside your head can be subpoenaed / cracked by the authorities. Something that lives in your head can never be prized out of it - at least not if you live in a country where torture is illegal, and last I checked, nominally it still is in the US.
    And passwords are trivial to change and if you care to remember them, they can be reliably used for a lifetime without fear of technical failure.

    Don't be lazy and take the time to dream up a secure password creation "recipe" in your head, and you'll never need to remember any password - just the recipe - and your passwords will be perfectly secure.

    • (Score: 4, Touché) by Rich on Tuesday October 08 2024, @12:57PM (2 children)

      by Rich (945) on Tuesday October 08 2024, @12:57PM (#1376210) Journal

      Don't be lazy and take the time to dream up a secure password creation "recipe" in your head, and you'll never need to remember any password - just the recipe - and your passwords will be perfectly secure.

      Don't underestimate the power of statistics. One compromised password and some background info (domain names etc.) fed into an LLM trained for the purpose will likely break the scheme, two compromised passwords will break it for sure, unless your head does salted hashing or something close to it.

      • (Score: 0) by Anonymous Coward on Tuesday October 08 2024, @11:17PM

        by Anonymous Coward on Tuesday October 08 2024, @11:17PM (#1376277)

        > unless your head does salted hashing or something close to it.
        Like this?
              https://www.youtube.com/watch?v=WTLsNRpxcuk [youtube.com]
        (wait for the end for the lyrics)

      • (Score: 1) by shrewdsheep on Wednesday October 09 2024, @06:55AM

        by shrewdsheep (5215) Subscriber Badge on Wednesday October 09 2024, @06:55AM (#1376321)

        The recipe is the (simple) password for a password manager.
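Rich's objection above ("unless your head does salted hashing") and shrewdsheep's reply (the recipe is really a master password) describe the same thing from two sides. The following is an added example, not code from any commenter or from any published scheme: a deterministic per-site password derivation in which the memorised recipe becomes a master secret fed through a key derivation, beside a naive human-style recipe for contrast. The function names, the alphabet and the constructed master secret are assumptions of this example.

```python
"""Added example (not from the thread): deterministic per-site passwords.
A naive recipe (site name + fixed suffix) leaks its rule in every output;
an HMAC-derived one has no visible relation between sites."""
import hashlib
import hmac

# Constructed master secret for the demo only; never reuse it anywhere.
MASTER_SECRET = "correct horse battery staple"
# Fixed, non-secret salt that labels this scheme/version (assumed name).
SCHEME_SALT = b"per-site-password-derivation-v1"
ALPHABET = ("abcdefghijklmnopqrstuvwxyz"
            "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "0123456789!#%+,-.:=@_")
_LIMIT = 256 - (256 % len(ALPHABET))   # rejection threshold: no modulo bias


def stretch_master(master, iterations=200_000):
    """One-time slow stretching of the memorised secret (PBKDF2-HMAC-SHA256),
    so guessing the recipe costs real work per guess."""
    return hashlib.pbkdf2_hmac("sha256", master.encode(), SCHEME_SALT,
                               iterations, dklen=32)


def derive_password(master_key, domain, counter=0, length=16):
    """Per-site password = HMAC-SHA256(master_key, domain||counter||block),
    mapped byte by byte into ALPHABET with rejection sampling. The counter
    rotates one site's password without touching any other site's."""
    chars = []
    block = 0
    while len(chars) < length:
        msg = f"{domain.lower()}\x00{counter}\x00{block}".encode()
        for b in hmac.new(master_key, msg, hashlib.sha256).digest():
            if b < _LIMIT:
                chars.append(ALPHABET[b % len(ALPHABET)])
                if len(chars) == length:
                    break
        block += 1
    return "".join(chars)


def naive_recipe(domain):
    """Stand-in for a head-only pattern: site name plus a fixed suffix.
    One leaked example reveals the rule for every other site."""
    return domain.split(".")[0].capitalize() + "2024!"


def longest_common_substring(a, b):
    """Length of the longest shared substring, a crude measure of the
    'visible structure' an observer could carry from one leak to the next."""
    best = 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


# Stretched once at import; the expensive step happens only here.
DEMO_KEY = stretch_master(MASTER_SECRET)

if __name__ == "__main__":
    for d in ("example.com", "soylentnews.org"):
        print(f"{d:16} naive={naive_recipe(d):18} derived={derive_password(DEMO_KEY, d)}")
```

Because the output depends only on the master secret, the domain and a counter, nothing needs to be stored, which is the property the "recipe" approach is after; the price is that a site whose rules forbid some character in `ALPHABET`, or that forces a reset, needs the counter (and therefore a small amount of state) to be remembered, which is the gap a password manager fills.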
