Security Break Live

Passwords are evil!

April 7, 2009

It should be obvious just from the term “strong authentication” what the data security industry thinks of simple passwords. In fact, it’s hard to have much weaker security than just a password.

One of the biggest problems with passwords is that they can be shared. In fact, some of you may remember share-level security back in the days of Windows 3.x. This system required that everyone with access to the share know the password, which essentially meant that any user could make decisions about whom to give the password to – totally insecure.

When user-level security arrived on the scene (well, the Microsoft scene; most other OSes had had user-based security for ages), it was quickly adopted as a best practice, because it didn’t require the sharing of passwords.

And, for a decade and a half now, that’s where we’ve stayed. Passwords are no longer required to be shared, but they’re still fundamentally shareable, and that is the attribute of passwords that all of the attacks in my previous posts exploit. Passwords are just something you know, which makes them easy to remember, write down, copy, share, lose, and so on.

If passwords were merely secrets, the situation would be better, but they’re not absolute secrets: you tell them to someone (or something) every time you log in. And there’s the problem. You can’t be sure you can trust the system you’re telling. You can’t be sure the system you’re telling is really the system you think it is. You can’t be sure you’re not being overheard, by a wide variety of means.

Once you’ve been overheard, it’s game over. Bad Guy can run around impersonating you to the systems until he gets caught, which could take a while. Meanwhile, you generally can’t tell this is going on, so you have no way to stop it; administrators will only notice if the access pattern looks suspicious for some reason.

This is why the industry has evolved again, this time from simple user-level authentication with passwords to strong (and, increasingly, mutual) authentication of security principals. The technologies in play are varied, and different approaches are appropriate for different contexts, but the bottom line is the same: if you make it impossible to share (intentionally or not) authentication credentials, you have a dramatically more secure system.
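To make the “you tell it to someone every time you log in” point concrete, here is an added example (not code from the original post) that puts a plain password login beside an HMAC challenge-response login and a mutual variant. The shared secret, the nonce length and the choice of SHA-256 are assumptions for the demo; the point it shows is that a captured password can be replayed, a captured challenge response cannot, and with mutual authentication the client can also detect a server that does not hold the secret.

```python
"""Password vs. challenge-response login, side by side.

Constructed demonstration (not code from the original post): a toy wire
transcript shows what an eavesdropper captures under each scheme and
whether replaying it logs the attacker in. The shared secret, nonce size
and hash are assumptions chosen for the demo.
"""
import hashlib
import hmac
import secrets

# Constructed demo secret, shared between client and server (assumption).
SECRET = b"correct horse battery staple"


# --- Scheme 1: plain password login. The secret itself crosses the wire. ---
def password_login(secret_on_wire: bytes, server_secret: bytes) -> bool:
    """Server-side check for a plain password login."""
    return hmac.compare_digest(secret_on_wire, server_secret)


def demo_password_replay() -> bool:
    """Return whether an eavesdropper's captured message logs them in."""
    captured = [SECRET]                          # the genuine client sends its password
    assert password_login(captured[0], SECRET)   # genuine login succeeds
    # The attacker re-sends exactly what was captured: nothing distinguishes it.
    return password_login(captured[0], SECRET)


# --- Scheme 2: HMAC challenge-response. The secret never crosses the wire. ---
def make_challenge() -> bytes:
    """Fresh unpredictable nonce for each login attempt (assumption: 16 bytes)."""
    return secrets.token_bytes(16)


def respond(secret: bytes, nonce: bytes) -> bytes:
    """Client proves knowledge of the secret by keying an HMAC over the nonce."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def verify_response(server_secret: bytes, nonce: bytes, response: bytes) -> bool:
    """Server recomputes the expected response with its own copy of the secret."""
    return hmac.compare_digest(respond(server_secret, nonce), response)


def demo_challenge_response_replay() -> bool:
    """Return whether replaying a captured response logs the attacker in."""
    nonce1 = make_challenge()
    captured_response = respond(SECRET, nonce1)                 # what the eavesdropper sees
    assert verify_response(SECRET, nonce1, captured_response)   # genuine login succeeds
    nonce2 = make_challenge()                                   # next attempt: new nonce
    return verify_response(SECRET, nonce2, captured_response)   # stale response is rejected


# --- Mutual authentication: both sides prove they hold the secret. ---
def mutual_auth(client_secret: bytes, server_secret: bytes) -> tuple:
    """Run one exchange; return (server_accepted_client, client_accepted_server).

    Each side issues its own nonce and checks the other side's HMAC over it,
    so a server that does not hold the secret is detected by the client
    instead of quietly collecting a credential.
    """
    client_nonce = make_challenge()
    server_nonce = make_challenge()
    server_accepts = verify_response(server_secret, server_nonce,
                                     respond(client_secret, server_nonce))
    client_accepts = verify_response(client_secret, client_nonce,
                                     respond(server_secret, client_nonce))
    return server_accepts, client_accepts


if __name__ == "__main__":
    print("password replay succeeds:          ", demo_password_replay())
    print("challenge-response replay succeeds:", demo_challenge_response_replay())
    print("genuine server, mutual auth:       ", mutual_auth(SECRET, SECRET))
    print("impostor server, mutual auth:      ", mutual_auth(SECRET, b"guess"))
```

The caveat a practitioner should keep in mind: this is still a shared-secret scheme, so the server holds a copy of the secret and an attacker who relays a live exchange between you and the real server is not stopped by it. That is the gap that hardware-bound credentials, which never release the key at all, are meant to close.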

