Wednesday, August 14, 2013

Solutions for when passwords are not strong or secure enough alone

For computer security, usernames and passwords are two fundamental pillars that we rely on. However, this simple scheme is also inherently flawed, because people naturally want to choose short and easy passwords that are simple to remember. Experience has shown that forcing users to choose super long passwords is not very successful, as the users tend to either forget the password or write it down somewhere in plain text. In this article, solutions for when passwords alone are simply not secure enough will be discussed.

Many of us store and upload more and more personal data on various cloud servers. For example, most of us use some kind of web mail service and many of us also use some kind of cloud storage such as Dropbox or Google Drive. Clearly, as we are connected to the internet more and more often, the data that we choose to store in the cloud will also increase rapidly.

In most cases, the only thing that protects our personal data from being accessed by the rest of the world revolves around something as simple as a string of letters, numbers and symbols, known as a password. The users who value security may choose their passwords to be 16 characters long while for the majority of us, the passwords are significantly shorter, perhaps only 6 characters long. In some cases, the worst short passwords are also derived from the personal life of the user, making the passwords even less secure.

Super long passwords are not always equal to high security

One may ask why the services handling sensitive information do not simply force everyone to use super long passwords, for example, 16 characters. While it is indeed practically impossible to crack such a long password by brute force, humans have difficulties memorizing and handling such long passwords. In addition, as we are supposed to use different passwords for different services, it quickly becomes impossible to remember a large number of very long passwords.

Therefore, by forcing very long passwords onto users, the results could very well be counterproductive as the users will have to write down the passwords or in some other form store the passwords in clear text or other easily accessible forms. If the users do this and a hacker gets a hold of the password stash, it would be the same as someone getting the master key to all of your properties and the damage will immediately become severe.

Therefore, current solutions to enhance security do not rely on making very long passwords, but use other approaches instead.

Security enhancing login credential solutions

Many different companies and services are offered to enhance the security of user accounts. However, history and experience have shown some to be more feasible, and in particular more acceptable to users, than others. In the following, 3 such solutions are described.

2-step verification

2-step verification setup for Google products to enhance security.

The 2-step verification method is probably the most straightforward solution to implement for most companies, and for this reason it is also available on virtually all popular cloud services such as Google Products (e.g., Gmail & Calendar, Drive), Microsoft Outlook, Facebook and Dropbox. The basic idea is very easy. In order to log in, the user supplies their username and password just as usual. However, after supplying the correct login credentials, a second step is required. Typically, this step involves another code that the user has to input in order to log in. The code is delivered to the user, for example, through a text message to their cell phone or through the use of a smartphone app.

By using 2-step verification, the user essentially requires an intruder not only to figure out his or her username and password but also to have access to their phone, something which of course makes the whole process much more secure. In addition, the method is not limited to phones, and can also be implemented on special hardware security dongles with the purpose of simply receiving codes from login servers, making the solution even more difficult to crack.

Password managers

Password managers are like safes and can be good if the master password is secure.

Password managers have the purpose of centralizing and consolidating the handling of passwords for the users. A password manager is simply a piece of software that the user installs on their computer. In the software, the user stores all passwords for the various services they use and secures the passwords using one master key password. The idea is to allow users to use very long and strong passwords for their online services while removing the need to memorize each of the cryptic passwords.

Clearly, the use of password managers can be dangerous for two reasons. The first obvious reason is that if the master key password is not secure enough, a hacker could very well be able to crack that password and gain immediate access to all the services that the user uses.

The second reason is that the user should really only install fully trusted password managers. It is not at all impossible to find fake password managers which appear to work, but in fact transmit the stored passwords to a hacker or malicious individual. In addition, the password managers themselves need to be secure and robust enough that they cannot be exploited and "tricked" into revealing their database of stored passwords.

A short (and very incomplete) list of trusted and established password managers is given below.

Best recommended password managers

  1. Keepass: Available for Windows, Mac OS X, Linux, iOS, Android, Symbian, Windows Phone, and Blackberry. Open source and completely free. [Highly recommended password manager]
  2. 1Password: Available for Windows, Mac OS X, iOS, and Android. 30-day trial, single license fee is $49.99.
  3. Roboform: Available for Windows, Mac OS X, iOS, and Android. Free to use for up to 10 logins and $29.95 for full version.
  4. Lastpass: Available for Windows, Mac OS X, iOS, Android, Symbian, Windows Phone, and Blackberry. Free to use with optional upgrade to Premium.

Hardware solutions

Hardware solutions can be thought of as a physical key that is required to log in to a service.

Hardware solutions refer to hardware specifically designed for the sole purpose of identification during the login process. There is a wide variety of dedicated hardware solutions, and they are considered to be among the most secure ways to handle logins. In addition, the hardware solutions may also be used together with a 2-step verification process, thus enhancing their security even more. Common hardware solutions include USB dongle keys, USB card readers and password dongles that are synchronized to the server of use.

The main drawback of hardware solutions, however, is that they are usually not easily accessible to regular consumers due to technical complexity and cost.

Conclusions and summary of password security

While there are many different solutions around to increase the security of passwords, in the end the most important thing is to enlighten users about security. To be quite frank, while many solutions do offer strong and secure logins, to most people, simply using slightly longer passwords mixed with capital letters, numbers and symbols is more than sufficient. At the end of the day, there is no completely foolproof solution, and if the user is careless to begin with when it comes to login credentials, then investing in and implementing additional security measures is truly a waste of time and money.
