Passwords are antiquated and insecure. It’s time to eliminate them altogether. Experts from FIDO explain how to enable authentication without passwords.
The original version of this post was published in Forbes .
Last week it wasn’t just, as has become depressingly common, “another day, another data breach.” It was breaches that generated debates over passwords. Which provided yet more evidence that it is past time to make them extinct―since they make all of us users an endangered species.The problems with passwords
The first came courtesy of Quora, probably the most popular Q&A site on the web. The company posted a notice of a “compromise” that affected more than 100 million registered users―an estimated third of its monthly user base.
As CEO Adam D’Angelo put it, “We recently discovered that some user data was compromised as a result of unauthorized access to one of our systems by a malicious third party.”
The other came from Citrix Systems, which forced a password reset for users of its ShareFile content collaboration service to head off what company CISO Stan Black said was not a breach of ShareFile itself, but evidence of “credential stuffing,” where hackers who have stolen emails or passwords through other breaches try to use those credentials on other sites.
Which should never happen, of course, since we are all told constantly never to use the same password for multiple sites. But, as we all know, it does happen since just about everybody does exactly that.
And it illustrates once again what numerous security experts have been saying for years: Passwords are a lousy―really lousy―way to secure anything online, especially when there are now alternatives that are much better and yes, even easier.Don’t use the same password on multiple sites
In the case of the Quora breach, much of the speculation was about the level of encryption for the passwords.
Multiple outlets reported that D’Angelo had first written in his blog post that the passwords were simply “hashed with a salt that varies for each user,” but after critics pointed out that a simple hash wouldn’t offer much protection, D’Angelo’s revised post said the passwords had been “hashed using bcrypt,” which would make cracking them much more difficult.
Still, D’Angelo noted that “it is generally a best practice not to reuse the same password across multiple services, and we recommend that people change their passwords if they are doing so.”
In the case of Citrix, Black’s declaration that “We moved quickly and decisively to end (a credential-stuffing attack) for the benefit of our users,” along with a notice that the company will be “incorporating a regularly scheduled forced password reset into our normal operating procedures,” got some major blowback from users who weren’t feeling the benefit.
They noted that it is no longer considered best practice to change passwords for no reason other than that a few months have gone by.Just say no to forced password resets
In the comments section of Black’s post, one user wrote, “My password is securely stored in LastPass. It’s a 16-character indecipherable mass of gibberish that is unique to this site. Don’t punish me for the bad security practices of other users by forcing me to reset it on a regular basis.”
“Not to mention, forced password resets were deprecated as a best practice by NIST over two years ago.”
Indeed, that advice has been coming from more than NIST (National Institute of Standards and Technology). In March 2016, Lorrie Cranor, then chief technologist of the Federal Trade Commission (FTC), declared in a blog post that it was “time to rethink mandatory password changes .”
And security guru, author, blogger, and CTO of IBM Resilient Systems Bruce Schneier took extreme issue with a recent column in USA Today that recommended changing passwords every six months.
“No, no no―a thousand times no,” he wrote on his blog .
The reason? As experts have been saying for years, when people are forced to change their passwords regularly, they tend to use weaker ones. They make small changes to the old ones, which ends up making security weaker, not stronger.
But such squabbles wouldn’t be necessary if we weren’t using an authentication method that is demonstrably broken. Which is why numerous experts have called for eliminating passwords―the FIDO (Fast IDentity Online) Alliance has been promoting that since 2012.Passwords are not meant for modern society
Phil Dunkelberger, CEO of Nok Nok Labs and a FIDO member, has said more than once that the username and password paradigm “was never designed for, and is inherently incapable of addressing, the use cases of modern society.”
Not just for technological reasons, of course. Users frequently make it ridiculously easy for attackers. As Nabil Hannan, managing principal at Synopsys, put it, passwords need to be obsolete because “they tend to be pretty weak or predictable, and people have a tendency to reuse the same password across different applications.”
And Brett McDowell, FIDO’s executive director, said even “strong passwords”―a phrase he labels an oxymoron―are no better, because “as long as the password is the key to get us into our accounts, users will be tricked into giving that password to the wrong party.”
Indeed, of the three most common authentication factors―something you know, something you have, and something you are―the weakest is something you know, since an effective phishing attack can trick a user into giving it away.Authentication without passwords
McDowell said even one-time passcodes (OTP) are failing “because they can simply be given to a remote attacker as easily as a password.”
He said there is now a move to a fourth factor―behavioral authentication or “something you do”―because many companies “know they have to protect themselves from users who already have the correct passwords to get into their accounts.”
The fundamental problem, he said, is an authentication system based on “shared secrets,” where things like passwords are known by both parties of a transaction.
The solution, he said, is a system in which a user’s device “creates and uses cryptographic private keys as your new account credentials and securely stores them to your personal devic