Know the Risk: Digital Transformation's Impact on Your Business-Critical Applications REGISTER >
While passwords have got a lot of bad press recently thanks to some massive security breaches, the truth is that as an authentication system they can provide a very high level of security. Perhaps more important, a password is cheap to issue compared to two factor authentication systems that rely on hardware tokens or biometric systems that use fingerprint or voice recognition.
"The entropy of a complex password is uncrackable," points out Karsten Nohl, a cryptographer and security researcher at SRLabs,a German hacking think tank. Nohl specializes in testing security assumptions in proprietary systems and, typically, breaking them.
The problem with a complex password - one that is made up of perhaps 15 or more upper and lower case characters, digits and special characters - is that it is almost impossible for users to remember. Thus many people use simple passwords like "monkey" that offer almost no security at all.
As a result, some companies attempt to provide greater security using two factor authentication that employs a hardware token. These are inconvenient, however, as they require the hardware token to be available every time the user wants to log on and they can easily be lost or stolen.
Biometric Security Options
A more promising solution - on the face of it, at least - is to use a biometric authentication system. These offer the advantage of convenience; you always have your voice or fingerprints or other biometric with you. Fingerprint readers in particular are becoming cheap, and are increasingly found on laptops and smartphones such as Apple's iPhone.
But how secure are they? Most password-related security breaches happen when hackers manage to steal an organization's password file, which contains hashes of each user's password. The only way to get the passwords from the hashes is by using a brute force attack, which will yield the simple passwords, but not the complex ones.
The problem with a biometric like a fingerprint is that a fingerprint reader - especially more affordable ones like the one on iPhones- digitizes a limited amount of information about the location of fingerprint features like bifurcations and where they are on a grid. This information can be hashed and stored in a password file, just like the hash of a password. But it can also be brute forced by an attacker, because most fingerprint information is the equivalent of a not very complex password, according to Nohl.
"The entropy of a complex password is uncrackable, and a fingerprint can't be better than that. It may be better than a simple password, but not better than a strong one," he says.
Another often-cited problem with fingerprints is that you only have one set of fingers. You can change your password if it gets compromised, but you can't change your fingerprints.
In theory that is not a problem because a company can "salt" the digitized fingerprint information by combining it with a random string before hashing it. That way, if the password file is compromised then new hashes can be generated with a different salt - effectively changing the passwords for all users.
Yet many companies don't do this, says. Even worse, they actually store the fingerprint information in a form that is close to the original fingerprints, with no hashing involved - perhaps so that users can log on using different fingerprint readers.
"Some systems store the exact image that the reader captures when it reads a finger," he says. "So all the information you need is right there."
Fooling Fingerprint Readers
With this information (which can be acquired in other ways too, such as taking a photograph of a fingerprint left on almost any surface) hackers can impersonate the legitimate user by making a copy of their fingerprint out of a suitable material and using the copy to fool the fingerprint reader.
This sounds like James Bond stuff, but Nohl has demonstrated that it is actually not that difficult to do. Many fingerprint reader vendors boast that their equipment includes "live detection" technology to ensure the finger being scrutinized is a real, living one and not an imitation one, but Nohl says these rely on measuring the electrical resistance or impedance of the finger being read.
"This technology is easily circumvented by spraying the surface of a false fingerprint with graphite," he says. "This gives it a similar property to real skin."
Some readers also test for moisture. But again, Nohl says it is trivial to defeat these tests. "All you have to do is take a false finger and breath over it and that works to overcome moisture testing," Nohl says. "You can fool some readers with a printed photo of a finger like this."
While all of this makes it sound as if fingerprint recognition is worthless, Nohl says that this is not the case. It is simply that it is very far from perfect.
"Fingerprint readers aren't as secure as a complex password, but it may be more secure for you if you don't want to use a complex password for each website you visit. That is impractical, while a fingerprint reader is practical," he says. "That means that, for most people, fingerprint authentication is the most secure system that they are capable of using."
Voice Recognition 'Trivial to Hack'
Instead of fingerprint biometrics, another possible password alternative is voice recognition. A number of financial institutions have implemented this at their call centers to authenticate customers over the phone. It's convenient as it doesn't require any additional equipment apart from the microphone in the phone, but how secure is it?
Once again, the answer is "not very secure," according to Nohl. "Voice recognition systems are trivial to hack as there isn't enough entropy in a voice," he says.
"You can make any voice sound like any other - there isn't anything that is even remotely hacker-resistant," he adds.
Promise of Continuous Authentication
A more promising password alternative is a biometric authentication solution based on "continuous authentication." These systems use a combination of biometrics such as facial and voice recognition, typing patterns, mouse manipulation speed or touch screen habits to check that a user's characteristics match the profile of the user that he purports to be.
Rather than authentication being a one-off process, the system continues to monitor the user to get a more accurate picture of the user, and whether the person using the system at a given time is the same as the person who originally logged on.
"This is a form of behavioral biometric and it is very far from being a gimmick," says Ant Allan, an analyst at Gartner. "These sorts of system are gaining traction in the market. Continuous authentication gives you evidence that it is still the original user at any given time, and allows you to authenticate a user with increased confidence."
While financial institutions may well end up deploying these sorts of systems more widely, the truth is that for many online retailers and other organization the cost of deploying anything more than a password system is too expensive to justify, and a password system is "good enough."
"When you look at the cost-to-security ratio, you will find that it is hard to find anything at the moment that will offer a higher level of security than a password for the same cost," says Andras Cser, a security analyst at Forrester Research.
That means, for the foreseeable future anyway, passwords are unlikely to go away.
Paul Rubens has been covering enterprise technology for over 20 years. In that time he has written for leading UK and international publications including The Economist, The Times, Financial Times, the BBC, Computing and ServerWatch.ee