Nowadays, most protected areas, systems and networks are secured by passwords. However, a password is only a means to an end: it is accepted as proof that a real person controls a digital identity. But what actually makes a password secure?
The password as proof of digital identity
In order to maintain control, access to certain digital objects – for example a company’s emails – should not be open to the whole world, but only to a very limited group of people. The mailbox is stored in encoded form on persistent storage, such as a hard disk, i.e. on an object in the physical world. If virtual data, in our example the emails on that disk, is to be processed, the gap between the physical and the digital world must be bridged. This is usually done with a computer that has internet access.
Electronic access to emails is protected by digital security mechanisms. In this context, we are talking about access control: access is granted or denied based on a list that defines who is allowed to access which email inbox.
The access control mechanism can only make this decision with the help of another digital object. Let’s call this object a “digital identity”; think of it as a user name or account. Access control therefore needs a list of digital identities (accounts) that are to be granted access to the mailboxes.
It is now up to the user to prove that they own one or more of these digital identities and are therefore authorized to control them, in order to gain access to their own emails. This is done with the help of yet another digital object: a secret, a piece of information that only the user knows – their password.
Proof of ownership of a digital identity is usually called “authentication”.
Password, smartcard, etc.: The various authentication methods
The password is just one of many authentication methods. The other options can be classified into three groups:
- Something the user knows: information, a digital object that only the user knows and that is ideally stored nowhere but in the user’s head. This “object” is recalled and used when required. The password is the classic example.
- Something the user owns: a physical object that holds information which can be retrieved on demand, e.g. a smartcard or a hardware token.
- Something the user is: information about the user’s physical self, which can be digitized via a suitable interface when required – e.g. the particular arrangement of the blood vessels in the retina.
All three have one thing in common: they use information that is bound to a digital identity in a defined way and can be verified by access control. Today, several of these options are usually combined to make misuse harder; this is called two-factor or multi-factor authentication, or strong authentication. Note that the factors must come from different groups: a password plus a PIN is still only “something the user knows” and is not two-factor authentication.
Manage passwords – keep security under control
A password has a single, seemingly simple task: proving ownership, and thus legitimate control, of a digital identity. When we talk about the “security” of a password, we actually mean how well it fulfills this task. A password that allows a third party to take control of a digital identity is therefore an insecure password.
There are only two ways in which an unauthorized person can obtain a password and thus take control of a digital identity:
- The password is guessed by an attacker.
- The password is stolen by an attacker.
The probability of one of these cases occurring depends on various factors, such as the length or complexity of the password.
Statements on the length, complexity or even renewal of passwords are usually part of password policies. We will therefore look at the definition of an appropriate password policy and consider the two cases above:
Guessing passwords
The combination (!) of length and complexity of a password largely determines how difficult and time-consuming it is for an attacker to guess it: the effort required grows exponentially with the length of the password.
The complexity of the password determines the base of that exponential growth. Complexity here means the “randomness” of the password: for a completely random password, an attacker will on average have to try half of all combinations of a given length. Since we do not know at which “end” of the combinations the attacker will start, or in what order he will try them, a completely random password is the optimal choice. A password built from dictionary words, names or keyboard patterns is guessed far sooner, because attackers try those first.
The effort required to guess a password is bounded by the number of combinatorial possibilities, m^L, where “m” is the number of different characters available for selection and “L” is the length of the password. If, for example, all upper and lower case letters and the digits 0-9 are permitted, m = 2*26+10 = 62, and for a password of length L=3 there are already m^L = 62^3 = 62*62*62 = 238328 possibilities. A standard laptop can try all of them in well under a second against a fast, unsalted hash; only a slow password-hashing function (or rate limiting on an online login) raises the cost per guess, and neither changes the size of the keyspace.
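The following Python script is an added example (not code from the original article) that works through the arithmetic above: it computes the keyspace m^L, the equivalent entropy in bits, and the average time an attacker needs at a given guessing rate, and then actually brute-forces a three-character password from the 62-character alphabet to show how quickly that small keyspace falls. The SHA-256 target hash, the guessing rate and the sample secret are constructed for the demonstration and are assumptions; real verifiers should use a slow, salted password hash, which raises the cost per guess but not the number of guesses.

```python
import hashlib
import itertools
import math
import string
from typing import Optional

# Character set from the article's example: upper, lower and digits -> m = 62
ALPHABET = string.ascii_letters + string.digits


def keyspace(m: int, length: int) -> int:
    """Number of candidate passwords for alphabet size m and length L: m^L."""
    return m ** length


def entropy_bits(m: int, length: int) -> float:
    """Entropy of a uniformly random password: L * log2(m) bits."""
    return length * math.log2(m)


def expected_seconds(m: int, length: int, guesses_per_second: float) -> float:
    """Average time to hit a uniformly random password.

    On average the attacker has tried half of the keyspace when he finds it.
    """
    return keyspace(m, length) / 2 / guesses_per_second


def brute_force(target_hash: bytes, alphabet: str, length: int) -> Optional[str]:
    """Try every combination of `length` characters until the hash matches.

    Assumption for the demo: the verifier stored a single unsalted SHA-256.
    """
    for combo in itertools.product(alphabet, repeat=length):
        candidate = "".join(combo)
        if hashlib.sha256(candidate.encode()).digest() == target_hash:
            return candidate
    return None


def crack_demo(secret: str) -> Optional[str]:
    """Hash a (constructed) secret the weak way and recover it by exhaustive search."""
    target = hashlib.sha256(secret.encode()).digest()
    return brute_force(target, ALPHABET, len(secret))


if __name__ == "__main__":
    # Assumed guessing rate for a laptop against an unsalted fast hash (order of magnitude).
    RATE = 1e9
    print(f"{'m':>3} {'L':>3} {'keyspace':>22} {'bits':>6} {'avg seconds':>14}")
    for m, length in [(62, 3), (62, 8), (62, 12), (95, 16)]:
        print(f"{m:>3} {length:>3} {keyspace(m, length):>22} "
              f"{entropy_bits(m, length):>6.1f} {expected_seconds(m, length, RATE):>14.3g}")
    # Constructed three-character secret; this finishes almost instantly.
    print("recovered:", crack_demo("x9Q"))
```

Running the table shows the point of the article in numbers: going from L=3 to L=12 over the same 62-character alphabet moves the average cracking time from a fraction of a second to thousands of years at the assumed rate, and the recovered three-character password demonstrates that “within seconds” is, if anything, generous.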
Let’s draw a first conclusion from the perspective of “guessing passwords”: Basically, length and complexity increase the effort required to guess a password and, conversely, this increases password security.
Theft of passwords
An older version of the “Digital Identity Guidelines” (SP 800-63) of the American standards body NIST recommended that passwords be changed regularly. This recommendation rests on the assumption that passwords are compromised from time to time, i.e. become accessible to an attacker (or are even guessed). Unfortunately, that assumption is still absolutely true: think of the 2013 breach at Yahoo, which affected all three billion user accounts. Such stolen data sets regularly turn up for sale on underground markets and are then used for abusive access. The current version of SP 800-63B, incidentally, no longer asks for changes on a fixed schedule; it requires a change when there is evidence that the password has been compromised.
The question can now be asked whether regularly changing passwords is the right strategy. The answer lies in the purpose of a password, which we discussed at the beginning of this article: a password should prove ownership of ONE digital identity, not of MULTIPLE digital identities.
Changing a password regularly (e.g. every three months) restores the protection of a digital identity whose password has been stolen without the owner noticing; if a theft becomes known, the password should be changed immediately rather than at the next scheduled date.
The problem is massively exacerbated if a password is reused, i.e. for different identities. In that case, compromising just one identity is enough to gain access to every identity that uses the same password (attackers automate this as “credential stuffing”). It is therefore in the owner’s interest to choose a different password for each digital identity.
We draw a second conclusion from the perspective of “password theft”: data theft can lead to an identity being compromised. If passwords are reused, the risk increases considerably and can affect several identities, even ones that have nothing to do with the original data theft.
Define password policy: Password manager or passphrase?
In order to define a suitable password policy, the interactions and, above all, the side effects of the various factors must be weighed against each other.
Measures such as greater length, higher complexity or regular changes can lead to careless behavior in everyday use: users are inclined to write passwords down or to use the same character combinations for different identities.
Assuming that sufficiently complex passwords are used, reuse poses the greatest threat to the password as such, because password databases are stolen so frequently nowadays.
The second danger is storing passwords in plain electronic form on the same device. All it takes is suitable malware and the password is read out.
Third and fourth on the list of dangers are writing a password down on paper (it can be stolen) and incrementing passwords (an attacker who knows the previous password was “password1” simply tests whether “password2” works).
Two seemingly simple but very effective approaches can be used to create passwords:
- Use of a passphrase: the user memorizes a sentence and uses the first letters of its words as the password. The sentence should be the user’s own, not a well-known quote or song line, because attackers’ wordlists already contain the initials of popular sentences.
- Use of a password manager. A password manager generates random passwords (i.e. ones with high complexity) and stores them for the user, which also makes a different password per identity practical.
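The following Python snippet is an added example (not code from the original article) showing the two approaches side by side: generating a password the way a password manager does, with the cryptographically secure `secrets` module rather than `random`, and deriving a password from a passphrase by the first-letter method. The sample phrase, the chosen alphabet and the `estimate_bits` helper are assumptions for the demonstration; note that the entropy estimate is an upper bound that only holds for uniformly random characters, which first-letter passwords are not.

```python
import math
import secrets
import string

# Printable ASCII without space: what a typical password manager offers (m = 94).
MANAGER_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def random_password(length: int = 16, alphabet: str = MANAGER_ALPHABET) -> str:
    """Draw each character independently with a CSPRNG, as a password manager does.

    `random.choice` would be the wrong tool here: it is seeded from a small state
    and is predictable, so it must never be used for secrets.
    """
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase_initials(phrase: str) -> str:
    """First-letter method from the article: keep the first character of each word."""
    return "".join(word[0] for word in phrase.split() if word and word[0].isalnum())


def estimate_bits(password: str, alphabet: str) -> float:
    """Upper bound on entropy, L * log2(m), valid only if every character is
    uniformly random over `alphabet`. For passwords derived from language the
    real value is lower, because letter frequencies are far from uniform."""
    return len(password) * math.log2(len(alphabet))


if __name__ == "__main__":
    generated = random_password(16)
    # Constructed sample sentence; a real user would pick their own.
    derived = passphrase_initials("My cat Lisa was born on 12 May in Zurich!")
    print("manager-generated:", generated, f"({estimate_bits(generated, MANAGER_ALPHABET):.0f} bits)")
    print("from passphrase:  ", derived,
          f"(at most {estimate_bits(derived, string.ascii_letters + string.digits):.0f} bits)")
```

The manager-generated 16-character password sits at roughly 105 bits under the uniform assumption; the nine-character first-letter password cannot exceed about 54 bits even under that (optimistic) assumption, which is why the passphrase method needs long sentences and should be reserved for the few passwords a user must actually remember, such as the one unlocking the password manager itself.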
Creation of password concepts & consulting from United Security Providers
Unfortunately, in-house password-policy expertise is often in short supply. As a result, risk factors go unrecognized, or are recognized too late, and the dangers of identity theft become real.
The United Security Providers consulting team will be happy to support you with the necessary expertise – from needs analysis, through the development of strategies and concepts, to the implementation of the identified measures.
