The Coalfire Blog
Welcome to the Coalfire Blog, a resource covering the most important issues in IT security and compliance. You'll also find information on Coalfire's insights into the unique cybersecurity issues that impact the industries we serve, including Cloud Service Providers, Retail, Financial Services, Healthcare, Higher Education, Payments, Government.
The Coalfire blog is written by the company's leadership team and our highly-credentialed security assessment experts.
The Coalfire Blog
Creative Ideas for Replacing Passwords
March 08, 2013, Mike Weber, Vice President, Coalfire Labs
Passwords have been the de facto manner of providing security for IT systems. They’ve got a bad reputation, but it’s not the passwords themselves that deserve the reputation – it’s the individuals using them and the weak standards to which these passwords are managed. In fact, a password system implemented in a secure manner – long and complex passwords that change periodically – can be (virtually) uncrackable. However, a typical user isn’t apt to embrace a system that requires 15 characters or more (including numbers, upper and lower case, and special characters) and needs to change every two to four weeks. The primary weakness in password systems is that they can be cracked. Cracking passwords requires time and computing power – the best way to combat this is to use a password that takes a very long time to crack. Typically, that’s by using a password system that enforces controls such as a minimum of 15 characters with special characters and numbers and changes every 15-30 days. Unfortunately, human beings don’t handle these types of solutions very well at all.
In regards to replacing passwords, there are many alternate methods of authenticating that are currently available such as, certificate-based authentication, biometrics such as fingerprint scanners, and graphical passwords. You may have even seen the new Windows Surface television ads with the “Picture password”, which is an example of a new technology being used to combat the inherent vulnerabilities us humans have in a passwords system. All of these solutions have one thing in common: this is only one discrete input being used to validate the user. For example, a certificate – or public and private keys - is nothing more than very, very long strings of characters. This is a gross simplification, but it stands for all of these solutions. The biometric solutions do the same – they use a binary image and evaluate specific characteristics, sending it through an algorithm that represents your fingerprint. And finally there’s the picture password; this is quite similar in nature to handwriting recognition, but in this case the user has to ‘draw’ a character of their own – which is processed and stored (cryptographically, I’m sure) and used as the comparison to the image a user draws the next time they log in. These solutions use a LOT of data to create this “password” and have made it easy for a human to do by providing a file for certificates, a imaging device for biometrics, and the touchscreen (or mouse movement) for the picture passwords.
My personal favorite for replacing passwords is the “passphrase”. The passphrase is a “sentence” or other very long string of data used as a password. Like “The quick brown fox jumped over the lazy dog” – this becomes a 44 character password. Passwords of this length are of such a length that they can’t be cracked using today’s technology within a timeframe during which they’ll still be useful. These passphrases are also easy for a user to remember – a song lyric, quotes from your favorite author, or other things that are significant to the user.
Going beyond that, two factor authentication is even better. By combining a typical password system with a “one-time password” that is time-synchronized with the resource you’re trying to access. Typically these passwords are displayed on a small device that will change every minute or so. Even if a password is cracked, without that one-time password, the cracked password is useless.
<< Go Back
Blog post currently doesn't have any comments.