In 2017, Professor Hankin penned an excellent article on the Imperial Institute for Security Science & Technology (ISST) blog, where he discussed the subject of cyber-trust, cyber-metrics, and the gradual demise of passwords as a single authentication method.
An excellent article. I wholeheartedly concur with Professor Hankin that passwords, as a security authentication method, no longer address the security requirements for the modern era of distributed computing. Gone are the days of the standalone desktop PC in the corner of the office, where users just needed a few passwords.
The growth of social/professional media platforms, portals, and commercial sites has increased considerably in terms of numbers and complexity, alongside an exponential growth in the rate of IoT deployments. In 2017, predictions based upon some estimates indicated that Internet-connected devices were set to rise to more than 50bn by 2020.
The number of IoT devices is predicted to exponentially increase according to Statista: https://www.statista.com/statistics/471264/iot-number-of-connected-devices-worldwide/
PETRAS, the Internet of Things (IoT) Research Hub is a consortium of eleven leading UK universities which will work together over the next three years to explore critical issues in privacy, ethics, trust, reliability, acceptability, and security.
Under the ‘Publications’ tab, the PETRAS site has published a series of ‘Little Books’ which address various IoT ‘themes’, an excellent resource for all things IoT.
Authentication methods are rapidly evolving and passwords, or rather encoded password hashes, will progressively play only a secondary role in the new ‘cyber-metrics’ paradigm discussed in Professor Hankins’s article.
The principal problem with passwords is that they are very personal. IT consumers have a love/hate relationship with passwords. Passwords give a nice warm fuzzy feeling of security. The puppy’s name, my child’s name, my football team, a favorite band…, the list is endless. My password is my home’. I choose my password, and I control where it should be applied, it is mine. All this with little realisation that those self-same passwords already exist within many brute force password lists and are not secure in the slightest.
Case in point, a 55-character password was cracked using HashCat with just such a brute force password list. The password in question was ‘Ph’nglui mglw’nafh Cthulhu R’lyeh wgah’nagl fhtagn1’, a quote from an HP Lovecraft story. Please see the below link if you are interested.
What this demonstrates is that password length is no longer as important as it used to be; instead, it is what the user does with the password characters available. Password length, while still significant, should not be just a combination of easily remembered words or phrases, but instead, it should be an inter-mix of character, numbers and punctuation symbols.
For example, instead of ‘Arsenal123’ or ‘ArsenalRules123’we could have ‘Ars3nal_Rul3s_F0r3v3r’, which is still insecure as it exists on several password lists. Much less crackable, we could have ‘_ArsenalMug+Tea&Biscuits123’.
Better yet, for the polyglots, a mix of languages aids the complexity enormously, e.g. ‘SweetTea, in itself a very poor password might become ‘D0lce&T3a’ or ‘m3lysiHerbatka’ or D0lce_caj. The possibilities are endless.
The bitter truth is that password randomness/unpredictability now trumps both password length and password complexity. The problem is that we, as IT consumers, have always been told to rely on password length. As time progressed, password complexity was deemed sufficient, and now both length and complexity are required at the corporate level. Introducing and getting used to the new concept of ‘randomness’ which, as a property, is difficult to work with, challenging to remember, and will take time. Technology can help in the form of password management software packages like DashLane, PasswordBoss, LogMeOnce, and stickyPassword.
Professor Hankin makes two other excellent and highly relevant points, namely the frequent lack of separation between ‘consumer’ devices and ‘corporate’ operational systems, a common trait in the latest ‘bring your own device’ BYOD trend and the convergence of IT with the control systems built into our critical infrastructure and industrial processes. Such traversal attack-vectors are realisable by hackers in part due to programmers and developers having a poor understanding of security, and partly because implementing said security costs both time and money.