The Coalfire Blog

Creative Ideas for Replacing Passwords

March 08, 2013, Mike Weber, Vice President, Coalfire Labs

Passwords have been the de facto means of securing IT systems. They have a bad reputation, but it is not the passwords themselves that deserve it; it is the people using them and the weak standards by which those passwords are managed. In fact, a password system implemented securely, with long, complex passwords that change periodically, can be (virtually) uncrackable. However, a typical user is not apt to embrace a system that requires 15 characters or more (including numbers, upper and lower case, and special characters) and a change every two to four weeks. The primary weakness of password systems is that passwords can be cracked. Cracking a password takes time and computing power, so the best defense is a password that takes a very long time to crack. Typically that means a password system that enforces controls such as a minimum of 15 characters with special characters and numbers, changed every 15-30 days. Unfortunately, human beings do not handle these kinds of solutions well at all.

As for replacing passwords, many alternative authentication methods are available today, such as certificate-based authentication, biometrics such as fingerprint scanners, and graphical passwords. You may even have seen the new Windows Surface television ads with the "picture password", an example of a new technology being used to combat the inherent vulnerabilities we humans bring to a password system. All of these solutions have one thing in common: only one discrete input is used to validate the user. For example, a certificate, or a public and private key pair, is nothing more than a very, very long string of characters. That is a gross simplification, but it holds for all of these solutions. Biometric solutions do the same: they take a binary image, evaluate specific characteristics, and pass them through an algorithm that produces a representation of your fingerprint. Finally there is the picture password; it is quite similar in nature to handwriting recognition, but here the user has to 'draw' a character of their own, which is processed and stored (cryptographically, I'm sure) and used as the comparison for the image the user draws the next time they log in. These solutions use a LOT of data to create this "password" and make it easy for a human by providing a file for certificates, an imaging device for biometrics, and the touchscreen (or mouse movement) for picture passwords.

My personal favorite for replacing passwords is the "passphrase". A passphrase is a "sentence" or other very long string of data used as a password. Take "The quick brown fox jumped over the lazy dog": this becomes a 44-character password. Passwords of this length cannot be cracked with today's technology within a timeframe during which they would still be useful. Passphrases are also easy for a user to remember: a song lyric, a quote from your favorite author, or something else significant to the user.
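The length argument above can be put into numbers. The following is an added example (not from the original post) that estimates the work an attacker faces under two models: character-by-character brute force, and guessing whole dictionary words, which is the model a practitioner would also check a passphrase of common words against. The guess rate and dictionary size are constructed figures for illustration.

```python
import math
import re
import string

# Constructed attacker figures for illustration (not from the post).
GUESSES_PER_SECOND = 1e12
SECONDS_PER_YEAR = 365 * 24 * 3600

# Character classes an attacker must cover once they appear in the secret.
CHARSET_SIZES = [
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation + " ", 33),  # special characters, counting space
]


def brute_force_bits(secret: str) -> float:
    """Bits of work for an attacker who tries every string over the
    character classes actually present, at the secret's length."""
    alphabet = sum(size for chars, size in CHARSET_SIZES
                   if any(c in chars for c in secret))
    return len(secret) * math.log2(alphabet)


def wordlist_bits(secret: str, dictionary_size: int = 20000) -> float:
    """Bits of work if the attacker guesses whole words from a dictionary
    (constructed size) instead of characters: a passphrase made of common
    words is only as strong as its word count under this model."""
    words = re.findall(r"[A-Za-z']+", secret)
    return len(words) * math.log2(dictionary_size)


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Years to try the whole search space at the assumed guess rate."""
    return 2 ** bits / rate / SECONDS_PER_YEAR


if __name__ == "__main__":
    for secret in ("Tr0ub4dor&3!xyz", "The quick brown fox jumped over the lazy dog"):
        bf, wl = brute_force_bits(secret), wordlist_bits(secret)
        print(f"{secret!r}: brute force {bf:.0f} bits "
              f"({years_to_exhaust(bf):.1e} years), word model {wl:.0f} bits")
```

The 44-character passphrase dwarfs a 15-character complex password under brute force, but under the word model it is worth only about nine dictionary picks, which is why uncommon words or a personal phrase matter as much as length.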

Going beyond that, two-factor authentication is even better. It combines a typical password system with a "one-time password" that is time-synchronized with the resource you are trying to access. Typically these one-time passwords are displayed on a small device and change every minute or so. Even if the password is cracked, without that one-time password the cracked password is useless.
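The time-synchronized one-time password described above is, in practice, TOTP (RFC 6238, built on HOTP from RFC 4226). The code below is an added example, not from the post or any vendor's product: the token side derives the code from a shared secret and the current time step, and the server side verifies it with a small drift window and a constant-time compare. The 60-second step mirrors the post's "every minute or so" (the RFC default is 30), and the demo secret is a constructed value.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo secret; a real token and server share a random key.
SHARED_SECRET = b"constructed-demo-seed-not-a-real-key"
TIME_STEP = 60  # seconds per code; RFC 6238's default is 30
DIGITS = 6


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP,
         digits: int = DIGITS) -> str:
    """Time-based one-time password: HOTP (RFC 4226) over the time counter
    unix_time // step, using HMAC-SHA1 and dynamic truncation."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                         # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(secret: bytes, submitted: str, unix_time: int,
           window: int = 1) -> bool:
    """Server side: accept the code for the current step or `window` steps
    either side to tolerate clock drift; compare in constant time."""
    for delta in range(-window, window + 1):
        t = unix_time + delta * TIME_STEP
        if t < 0:
            continue                                # no counter before epoch
        if hmac.compare_digest(totp(secret, t), submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(SHARED_SECRET, now)                 # what the token displays
    print(code, verify(SHARED_SECRET, code, now))   # → the code, True
```

A cracked static password alone fails `verify`, and a captured code stops working one step (plus the drift window) after it was shown.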
