You don’t need to tell me how annoying keeping track of your passwords is, and you really shouldn’t be expected to remember a unique password for every login you have; that can be a lot of passwords. So why is it, then, that passwords are still the primary authentication mechanism for most of our logins?
The first use of password authentication is thought to date back to the 1960s at the Massachusetts Institute of Technology (MIT), during the development of a time-sharing computer, the Compatible Time-Sharing System (CTSS). Even then, passwords were not very effective, and they have only gotten worse since.
Risks of Reusing Passwords
I know many people who have a handful of passwords that they reuse over and over again across the different accounts they need passwords for. This includes both work accounts and personal accounts. This wouldn’t normally be a problem if it weren’t for the almost 7 billion people in the world, very powerful computers, and data breaches. Let me explain.
How Data Breaches Increase Password Reuse Risk
Every time a data breach occurs there is the risk that an attacker will obtain usernames and passwords. Increasingly, these password repositories (both encrypted and unencrypted) are being sold or traded between cyber criminals. This allows a cyber criminal to obtain large sets of possibly legitimate credentials without doing much work.
Using these credential repositories, cyber criminals can automate checks and logins to determine whether any of the credentials are still valid. Once they’ve determined which credentials still work, they can either use them to continue the cyber attack or sell the credentials to other criminals, including nation states such as Russia and China.
Moore’s Law and Increasing Microprocessor Capabilities
Moore’s Law is the observation that the density of transistors in microprocessors doubles approximately every two years. This increase in density has led directly to an increase in microprocessor capabilities.
Passwords can only be as complex as our language, plus any other limits we place on them (i.e. special characters), so our passwords have limits. As computers become more and more powerful, they become capable of performing more and more calculations in a short period of time. Cracking or guessing a password means using that hardware to try candidate passwords until the right one is recovered.
There are a number of different methods and applications for password cracking, but they all work similarly. They take a candidate input, cryptographically hash it, and compare the result to the stored password hash we have obtained. If the two match, then we’ve guessed the password.
Due to this increase in power, passwords have actually become weaker over time in terms of how quickly a certain length can be cracked. Here are some estimates from betterbuys.com.
As you can see, a 9 character alphanumeric password in the year 2000 would take almost 4 years to crack. As of 2016, this same 9 character password takes just under 3 months.
As I mentioned earlier, it’s not feasible to remember a large subset of unique passwords for every account that we may have. So stop trying to remember them!
Password Managers such as LastPass and BitWarden not only allow you to store passwords, they also allow you to generate random passwords that meet each site's requirements. The manager itself is protected by a single master password, and once unlocked it gives you complete plain-text access to all of your stored passwords.
By using your password manager, generating a random password for every login, and storing it securely, you will never have to remember any of your passwords other than the one you use to log in to your password manager.
Even if one of your passwords is stolen, its uniqueness prevents it from being used on any of your other accounts.
I’ve mentioned Multi-factor Authentication (MFA) many times before. In short, MFA adds a second and even third authentication method that must be successfully entered, along with the password.
Authentication methods fall under three categories: something you know, something you have, and something you are. A true MFA solution must involve at least two of these categories. Here are some examples of authentication types that fall under these categories.
| Something You Know | Something You Have | Something You Are |
|---|---|---|
| | Software RSA Token (Mobile Phone) | Voice |
| | Hardware RSA Token | Retina/Iris |
Length Is More Important Than Complexity
It’s recommended that we include not just letters but also numbers and special characters in our passwords. At the end of the day, though, the length of your password is going to matter more than its complexity. An 8-character complex password will still be cracked before a 20-character simple one.
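As an added example (not code from the original post), the following Python works through the length-versus-complexity claim above and the password-manager generation step: it computes the exhaustive-search keyspace for an 8-character complex password and a 20-character lowercase one, estimates worst-case crack time at an assumed guess rate, and builds a random password from a CSPRNG the way a manager does. The two sample passwords and the 10 billion guesses-per-second rate are constructed assumptions, not measurements.

```python
import math
import secrets
import string

# Character classes; a brute-force attacker must include every class the password uses.
CHAR_CLASSES = {
    "lower": string.ascii_lowercase,    # 26
    "upper": string.ascii_uppercase,    # 26
    "digit": string.digits,             # 10
    "special": string.punctuation,      # 32
}


def alphabet_size(password: str) -> int:
    """Size of the smallest class-based alphabet that covers every character used."""
    size = sum(len(chars) for chars in CHAR_CLASSES.values()
               if any(c in chars for c in password))
    if size == 0:
        raise ValueError("password uses no recognised character class")
    return size


def keyspace(password: str) -> int:
    """Candidates an exhaustive search over that alphabet and length must try."""
    return alphabet_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """Keyspace expressed in bits: length * log2(alphabet size)."""
    return math.log2(keyspace(password))


def worst_case_crack_years(password: str, guesses_per_second: float) -> float:
    """Years to exhaust the keyspace at a fixed guess rate (rate is an assumption)."""
    return keyspace(password) / guesses_per_second / (365 * 24 * 3600)


def generate_password(length: int, alphabet: str = string.ascii_letters + string.digits) -> str:
    """Random password drawn with the secrets CSPRNG, as a password manager would do."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    RATE = 1e10  # assumed: 10 billion guesses/second against a fast, unsalted hash
    for pw in ("P@ssw0rd", "bluecloudriverstones"):  # constructed sample passwords
        print(f"{pw!r}: {len(pw)} chars, alphabet {alphabet_size(pw)}, "
              f"{entropy_bits(pw):.1f} bits, worst case "
              f"{worst_case_crack_years(pw, RATE):.3g} years")
    print("manager-style password:", generate_password(20))
```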