Passwords: security, vulnerability, constraints
What is a password?
A password is a secret linked to an identity. Authentication combines two kinds of element: something we own (a bank card, badge, telephone, fingerprint) and something we know (a password or code).
Passwords are widely used for computers, telephones and banking. The simplest form is the numerical code (personal identification number, or PIN), with four to six digits. Our smartphones use two PIN codes, one to unlock the device and another associated with the SIM card, to access the network. Passwords are most commonly associated with Internet services (e-mail, social networks, e-commerce, etc.).
Today, in practical terms, identity is linked to an e-mail address. A website uses it to identify a person. The password is a secret, known by both the server and the user, making it possible to “prove” to the server that the identity provided is authentic. Since an e-mail address is often public, knowing this address is not enough to recognize a user. The password is used as a lock on this identity. That is why passwords are stored by the websites we log into.
What is the risk associated with passwords?
The main risk is password theft, in which the associated identity is stolen. A password must be kept hidden so that it remains secret, preventing identity theft when incidents arise, such as the theft of Yahoo usernames.
Therefore, a website doesn’t (or shouldn’t) save a password directly. It uses a hash function to calculate its electronic fingerprint (digest), such as the bcrypt function that Facebook uses. Given the password, it is easy to calculate the digest and verify that it is correct. At the same time, it is extremely difficult mathematically to recover the password when only the digest is known.
Searching for a password by following its fingerprint
Unfortunately, technological progress has made brute-force password-search tools, like “John the Ripper”, extremely effective. As a result, attackers can find passwords fairly easily by working back from their electronic fingerprints.
Attackers can also capture passwords, for example by tricking users. “Phishing” lures users into connecting to a website that imitates the one they were looking for, thus allowing attackers to steal login information (e-mail and password).
Many social networks, shops, banks and other online services require user identification and authentication. It is important to be sure we are connecting to the genuine website, and that the connection is encrypted (padlock icon and green color in the browser address bar), to prevent passwords from being compromised.
Can we protect ourselves, and how?
For a long time, the main risk involved sharing computers. Writing your password on a Post-it note on the desk was therefore prohibited. In a lot of environments today, this is in fact a pragmatic and effective way of keeping the secret.
The main risk today stems from the fact that an e-mail address is associated with the passwords. This universal username is therefore extremely sensitive, and naturally it is a target for hackers. It is therefore important to identify all the possible means an e-mail service provider offers to protect this address and connection. These mechanisms can include a code being sent by SMS to a mobile phone, a recovery e-mail address, pre-printed one-time use codes, etc. These methods control access to your e-mail address by alerting you to attempts to compromise your account, and help you regain access if you lose your password.
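The pre-printed one-time codes mentioned above, as an added example of how a service can issue and consume them (not code from the original article or from any provider). It assumes codes drawn from a 31-character alphabet with `secrets`, SHA-256 digests stored server-side, and a set that forgets each digest once it has been used.

```python
import hashlib
import hmac
import secrets
from typing import List, Set, Tuple

# Assumption: alphabet without look-alike characters (0/o, 1/l/i) so the
# printed codes survive being typed back in. 31 symbols, 10 long: ~49 bits.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def _digest(code: str) -> str:
    # Codes are high-entropy random strings, so a plain SHA-256 is enough
    # here; a user-chosen password would need a slow salted hash instead.
    return hashlib.sha256(code.strip().lower().encode("utf-8")).hexdigest()


def generate_recovery_codes(count: int = 8,
                            length: int = 10) -> Tuple[List[str], Set[str]]:
    """Return (codes to print for the user, digests the server keeps)."""
    codes = ["".join(secrets.choice(ALPHABET) for _ in range(length))
             for _ in range(count)]
    stored = {_digest(c) for c in codes}
    return codes, stored


def redeem_recovery_code(code: str, stored: Set[str]) -> bool:
    """Accept a code at most once: remove its digest on the first success."""
    presented = _digest(code)
    for digest in list(stored):
        # Constant-time comparison, then one-time consumption.
        if hmac.compare_digest(digest, presented):
            stored.discard(digest)
            return True
    return False


if __name__ == "__main__":
    printable, server_side = generate_recovery_codes()
    print("\n".join(printable))                       # hand these to the user
    print(redeem_recovery_code(printable[0], server_side))  # True
    print(redeem_recovery_code(printable[0], server_side))  # False: already used
```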
For personal use
Another danger involves passwords being reused for several websites. Attacks on websites are very common, and levels of protection vary greatly. Reusing one password on several websites therefore very significantly increases the risk of it being compromised. Currently, the best practice is therefore to use a password manager, or digital safe (like KeePass or Password Safe, both free and open-source software), to save a different password for each website.
The automatic password-generation function offered by these managers provides passwords that are more difficult to guess. This greatly simplifies what users need to remember and significantly improves security.
It is also good to keep the database on a flash drive, and to back it up frequently. There are also cloud password-management solutions. Personally, I do not use them, because I want to be able to maintain control of the technology. That could prevent me, for example, from using a smartphone in certain environments.
For professionals
Changing passwords frequently is often mandatory in the professional world. It is often seen as a constraint, which is amplified by the required length, variety of characters, the impossibility of using old passwords, etc. Experience has shown that too many constraints lead users to choose passwords that are less secure.
It is recommended to use an authentication token (chip card, USB token, OTP, etc.). At a limited cost, this offers a significant level of security and additional services such as remote access, e-mail and document signing, and protection for the intranet service.
Important reminders to avoid password theft or limit its impact
Passwords, associated with e-mail addresses, are a critical element in the use of Internet services. Currently, the two key precautions recommended for safe use are to have one password per service (if possible generated randomly and kept in a digital safe) and to be careful to secure sensitive services, such as e-mail addresses and login information (by using the protective measures provided by these services, including two-factor authentication via SMS or recovery codes, and remaining vigilant if any abnormality is detected).
For more recommendations, check with the official computer-security agency in your country. Options include France’s Agence nationale de la sécurité des systèmes d’information, the National Cyber Security Centre in the United Kingdom, the United States Computer Emergency Readiness Team and the Australian Cyber Security Center.
Hervé Debar has received funding from the European Commission (H2020 programme), the DGE (FUI, PIA) and the ANR. He is a member of Systématic (academic VP of the digital trust and security copil) and ECSO (member elected to the partnership board).