Last year Microsoft Research posted a great paper on passwords in an attempt to answer the question, “After 40 years of security research, why is the password still dominant?” Surprisingly, most security people haven’t read it. Not hard to guess why—it’s a dense 15-page academic paper titled “The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes.” We’ve decided to post a summary of the paper, with some of our own thoughts, for the betterment of security for all.
The goal of the researchers was to provide a framework for evaluating alternative authentication methods like multi-factor, biometrics, and federated SSO. Some of the options they reviewed are wildly impractical for most customer-facing web applications (e.g., paper-based one-time passwords), but overall the framework is very useful. After 40 years of security research, passwords still doggedly persist as the de facto standard for application authentication. Why? Because while there are more secure alternatives, like multi-factor authentication, nothing comes close to passwords when you account for usability and ease of deployment.
First, the pros and cons of passwords. Users hate them. They’re hard to remember, especially as common complexity-enforcement rules come into play (thank you, XKCD). Now that users often have 25 accounts or more on average, multiple passwords are really hard to keep track of. But aside from recall and user loathing, passwords rate high in usability – users understand what they are and how to use them, and can quickly type them in during login. They don’t have to carry around a phone or other device to use their password. Passwords are compatible with every browser, programming language, web framework and device. And passwords are easy to recover if they’re forgotten or stolen.
On the downside, malware like keyloggers can easily record them, and passwords (because of the user) are particularly vulnerable to phishing attacks. However, if implemented correctly, password stores are actually quite hard to steal from. There’s no physical object to be stolen, and if the developer and the IT organization have properly deployed a secure password infrastructure, it’s a lot of work for an attacker to break in and steal them wholesale. Passwords are subject to dictionary attacks, but the computing resources required to break into a best-practice user management system are significant.
Where passwords really shine is the ease with which a developer can deploy them. Correctly building password infrastructure can initially be time-consuming, expensive and difficult, but the marginal cost of adding a new user is effectively $0. With open source libraries like OmniAuth and AllAuth, you can get the bare bones of authentication management, and with services like Stormpath, you can have best-practice authentication and password security in minutes.
The real challenge with passwords is that they are often poorly implemented. The Microsoft paper purposely disregards poor implementations, but that’s the key issue. The reason that many are calling for a new authentication standard isn’t because passwords are inherently unsafe, it’s because they are typically implemented poorly. Microsoft’s comparison of schemes assumes a correct deployment, but that’s just not the reality that users and developers operate in.
Today, over 50% of web applications store passwords in plaintext and/or authenticate over unencrypted HTTP. Even when passwords are secured, very few follow OWASP standards for complexity, and even fewer use secure hashing algorithms (looking at you, LinkedIn and Evernote). The environments in which the passwords are stored are frequently insecure as well, with many operating systems and databases out of date on security patches or running with default passwords. Beyond securing the passwords themselves, common processes like database backups and password reset workflows have opened the door to major breaches.
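To make the contrast concrete, here is an added Python example (not code from this post, from Stormpath, or from the Microsoft paper) that puts the weak storage patterns the post describes beside a hardened one using only the standard library. The usernames and passwords are constructed sample data, and the record format and function names are this example's own choices. It shows the point about dictionary attacks from the defender's side: with plaintext or an unsalted fast hash, an attacker holding the table can see at a glance that two users share a password and can crack every user with one precomputed table, whereas a per-user salt plus a slow key-derivation function removes that shortcut and makes each guess cost real CPU time.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

# Constructed sample data: two users who happen to pick the same password.
USERS = {
    "alice": "correct horse battery staple",
    "bob": "correct horse battery staple",
}


# --- The weak patterns the post describes ---------------------------------

def store_plaintext(password: str) -> str:
    """Plaintext storage: a database dump (or backup) is a credential dump."""
    return password


def store_unsalted_sha1(password: str) -> str:
    """Fast, unsalted digest: identical passwords hash identically, so one
    precomputed table of common passwords cracks every matching user at once."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# --- The hardened pattern --------------------------------------------------

def hash_password(password: str, iterations: int = 600_000,
                  salt: Optional[bytes] = None) -> str:
    """Salted, deliberately slow PBKDF2-HMAC-SHA256 record.

    A fresh 16-byte random salt per user defeats precomputed tables, and the
    iteration count (a work factor in the range OWASP currently recommends for
    PBKDF2-HMAC-SHA256) makes each dictionary guess expensive. The record embeds
    its own parameters so they can be raised later without a schema change.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(record: str, attempt: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False  # a malformed record never verifies
    actual = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, min_iterations: int = 600_000) -> bool:
    """True when a stored record uses a weaker work factor than currently
    required; call this after a successful login to upgrade old records."""
    try:
        _, iterations, _, _ = record.split("$")
        return int(iterations) < min_iterations
    except ValueError:
        return True


def same_password_detectable(store: Callable[[str], str]) -> bool:
    """Can someone holding the stored table tell that alice and bob share a password?"""
    records = {user: store(pw) for user, pw in USERS.items()}
    return records["alice"] == records["bob"]


if __name__ == "__main__":
    print("plaintext reveals shared password:", same_password_detectable(store_plaintext))
    print("sha1      reveals shared password:", same_password_detectable(store_unsalted_sha1))
    print("pbkdf2    reveals shared password:", same_password_detectable(hash_password))
    record = hash_password(USERS["alice"])
    print(record)
    print("correct password accepted:", verify_password(record, USERS["alice"]))
    print("wrong password rejected:  ", not verify_password(record, "Tr0ub4dor&3"))
```

The parameters live inside each record so that `needs_rehash` can drive a transparent upgrade the next time a user logs in, which is how an existing deployment raises its work factor without forcing password resets.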
Many security researchers look at the lack of innovation in password security, the high-profile hacks, and the complaints from users and conclude, “we must quest for a new authentication method.” While we agree additional layers of security – like multi-factor authentication – will make systems more secure, positing the death of a pervasive, low-cost, usable technology is foolhardy. Instead, we should be focusing on making basic user security an expected standard for the companies that hold our data, and making sure that developers have the tools to implement security the right way, easily.