TO: IS390
FROM: Samuel Stageberg
RE: Password Authentication
DATE: 5/14/2017
Password authentication systems have some serious issues that need to be addressed, especially in business and professional circumstances. Weak passwords, weak hash algorithms, and advances in password cracking technology have been making password authentication weaker over time, a trend that will likely continue. This needs to be addressed at two levels: the authentication system needs to be robust in its handling of passwords, and the users themselves need to consider how their password choices lead to vulnerabilities in the system.
Before going into specifics, it will be helpful to give an overview of how password authentication is commonly implemented. The user creates a password that satisfies any existing password creation policies. This password is then salted and hashed before being stored in a database. Any time the user needs to authenticate, they send their password to the server, where it is salted with the stored salt and hashed, and the result is compared to the stored hash.
At the back end, commonly the server, implementing a strong version of password authentication that will be resistant to attacks will require a few simple but critically important tasks. First, implement some sort of limit that will lock out or delay anyone who tries and fails to authenticate after a number of attempts. This will ensure that active brute force attacks that directly target the system's authentication will fail. Second, the hashing algorithm needs to be configured to be as costly as is reasonable. The more expensive the hash is to compute, the less effective attacks that target the stored database information will be.
From the user's perspective, increasing the security of password authentication will require them to actively make better decisions about what passwords they choose to use. As real-world password lists become more available, attacks that utilize this data will get smarter and quicker. Generating dictionaries that are specific to certain individuals and organizations will also become more mainstream, as password attackers move to craft even more specialized attacks. This can be combated by clever password generation rules, such as using long passphrases, or by using password managers that require the user to remember only a single strong password.
Password authentication is here to stay, and we need to ensure that any system we develop treats passwords securely. No system can be 100% secure or resistant, but being ahead of the curve will immensely reduce the likelihood of becoming the victim of an attack.
Feel free to comment here with anything you wish to discuss.
For further reading:
- Measuring effect of password complexity policies
- Password Memorability and Security: Empirical Results
- Testing Metrics for Password Creation Policies by Attacking Large Sets of Revealed Passwords
- Passwords and the Evolution of Imperfect Authentication
- Password Managers: Attacks and Defenses
- Energy-Efficient Bcrypt Cracking with Low-Cost Parallel Hardware