I’ve been thinking once again about how we go about identifying ourselves throughout the day. Or, to be more precise about it, how we go about authenticating our assertion of identity. For all the research and development that has gone into multi-factor authentication, we seem to still be horribly reliant on username and password combinations in even critical systems. Much as I would like to pontificate on why we should change now, I know that the forces of inertia will keep things much as they are for the time being.
Which brings me to the point of this missive: password lockouts and other password management business. I was reading a very cogent article written by a friend of mine, Alec Muffett, on why “Three-Strikes” password security is not a very good idea, when it occurred to me how many best practices guides list this very control as “essential” in the world of corporate and government information security management policy.
I’d like to focus for a moment on just a couple of these points in the light of availability, because they’re on my mind:
- Minimum password complexity
- Account locking after a certain number of failed authentication attempts
Now, it’s worth recalling that one of the key precepts of computer systems is that the system should afford users a level of availability that is sufficient for the operating environment. However, I believe that these two bread-and-butter controls can so adversely affect availability as to be unusable in production environments.
Minimum password complexity stresses countering brute force attacks from password guessing and yet does not consider, in most cases, the limits of human memory. Who would want to try to even remember a random password? Instead, users write them down, which is a horrible breach of security in most settings.
While password techniques such as pronounceable passwords and passwords made up of natural language words strung together have been around for a while, the not-so-new innovation of using passphrases seems to be a superior alternative. In addition, recent experiences relating to modern web services show that graphical aids like “strength meters” and “password quality scores” can help users do the right thing without hitting them over the head with a stick.
Account locking is an invitation to denial of service attacks. Now, I feel pretty strongly about this, realizing of course that there are some operational environments where account locking is a must (such as in legacy systems where no brute force attack monitoring is possible). However, in the general case account locking is a high-cost operation that generates needless calls to software support centers. And from a technical perspective it is terrible, because modern authentication systems frequently use multiple authoritative databases against which to confirm credentials. If the access credential data are, by dint of network architecture, stored in multiple locations, how is the system to keep accurate track of how many times, and when, incorrect credentials were supplied? Doing so would, in fact, fly in the face of the entire distributed nature of the system.
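To make the availability argument concrete, here is an added example (not code from the original post) that models the two failure modes described above, per-replica counters that undercount and a lockout anyone can trigger, alongside a source-based throttle with exponential backoff and an alert feed for monitoring. The class names, the threshold of three, and the client addresses are constructed for illustration.

```python
from collections import defaultdict

LOCK_THRESHOLD = 3  # the "three strikes" policy discussed in the post

class ReplicatedLockout:
    """Lockout where each authoritative credential store counts failures
    on its own, as the post describes for distributed systems."""
    def __init__(self, replicas: int) -> None:
        self.failures = [defaultdict(int) for _ in range(replicas)]

    def fail(self, replica: int, user: str) -> None:
        self.failures[replica][user] += 1

    def is_locked(self, replica: int, user: str) -> bool:
        return self.failures[replica][user] >= LOCK_THRESHOLD

class SourceThrottle:
    """Alternative: back off the *source* of bad guesses and alert monitoring,
    but never lock the account itself (hypothetical design, not the post's)."""
    def __init__(self) -> None:
        self.failures = defaultdict(int)  # keyed by client source, not user
        self.alerts = []                  # what a monitoring system would see

    def fail(self, source: str, user: str) -> None:
        self.failures[source] += 1
        if self.failures[source] >= LOCK_THRESHOLD:
            self.alerts.append((source, user, self.failures[source]))

    def delay_seconds(self, source: str) -> float:
        n = self.failures[source]          # 0, 1, 2, 4, 8 ... capped at 60
        return 0.0 if n == 0 else float(min(2 ** (n - 1), 60))

def demo() -> dict:
    dist = ReplicatedLockout(replicas=2)      # failures split across replicas
    for r in (0, 1, 0, 1):
        dist.fail(r, "alice")
    single = ReplicatedLockout(replicas=1)    # anyone can lock the account
    for _ in range(3):
        single.fail(0, "alice")
    thr = SourceThrottle()
    for _ in range(5):
        thr.fail("198.51.100.7", "alice")     # constructed noisy source
    return {
        "undercounted": not any(dist.is_locked(r, "alice") for r in (0, 1)),
        "victim_locked": single.is_locked(0, "alice"),
        "noisy_source_delay": thr.delay_seconds("198.51.100.7"),
        "alice_own_delay": thr.delay_seconds("203.0.113.9"),
        "alerts_raised": len(thr.alerts),
    }
```

Four wrong guesses split across two replicas lock nothing, three against one replica lock the real user out, while the throttle slows only the noisy source and leaves a login from elsewhere untouched.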
Which simply raises the question: why don’t we just move on to 2-factor authentication (2FA) everywhere? It’s not a panacea, to be sure, but it’s a damn sight better than the state we’re in today.
I recommend you read Alec’s in-depth article on why many contemporary password management policies are flawed to the core.
Credits: Image of keys by Everaldo Coelho and used under the terms of the LGPL.
[...] This post was mentioned on Twitter by @carlrigney. @kurtsauer said: Modern password practices are simply awful. http://kurt.sauer.us/2010/06/future-passwords/ [...]