Your passwordless future: Make it sooner rather than later

By Richi Jennings, your humble blogwatcher (dba RJA)

Recent research reminds us that managing unique passwords is hard. For sure, you’re more than capable of doing it, but for the vast majority of “normal” users, it’s basically impossible.

So use a password manager? Nope; too nerdy.

Or 2FA? Anything other than SMS is too complicated, and SMS identity is horribly insecure.

What about biometrics? I’ll come over there and chop off your fingers for asking all these dumb questions.

Perhaps the future is passwordless. In this week’s Security Blogwatch, we hope against hope.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: ^Z.

It’s a kind of magic

What’s the craic? Catalin Cimpanu reports—After a breach, users rarely change their passwords, study finds:

Only around a third of users usually change their passwords following a data breach announcement, according to a recent study published by academics from the Carnegie Mellon University's Security and Privacy Institute. The study … was not based on survey data, but on actual browser traffic.

The study shows that users still lack the education needed in choosing better or unique passwords. Researchers argue that a lot of the blame also resides with the hacked services, which "almost never tell people to reset their similar - or identical - passwords on other accounts."

The study, while small in scale [is] more accurate in representing real-world user practices when it comes to user behavior … as it's based on actual browsing data and traffic rather than survey responses that may sometimes be inaccurate or subjective.

And Daniel Tkacik adds … and when they do, they’re often weaker:

Have any of your username / password combinations been stolen during any of the many data breaches in recent years? Chances are, they probably have, and it's also likely you didn't take the proper precaution of changing your password to a more secure one.

Those are the findings in a recent study out of Carnegie Mellon. … To reach their findings, the authors of the study observed the security practices of 249 willing participants.

One of the breaches they focused on was the Yahoo breach that occurred in 2017, in which every single Yahoo account–all 3 billion of them–was hacked. [Only] one in three users affected by the breach changed their passwords. … To make things worse, users' new passwords were overall more similar to passwords they use [elsewhere].

The researchers recommend that companies take a more direct approach towards their customers who are affected by breaches.

Such as? Sruti Bhagavatula, Lujo Bauer, and Apu Kapadia paper over the cracks—Do People Change Their Passwords After a Breach?

Potential mitigating efforts could be to integrate password-reuse trackers within tools that people may already use and trust to store their passwords. … Password managers, including those built into web browsers, could go further and more actively discourage password reuse.

Overall, our findings suggest that password breach notifications are failing dramatically, both at causing users to take action [let alone] constructive action. … Regulators should take note of the ineffectiveness or absence of breach notifications and impose requirements on companies to implement better practices. … Regulators should also require that companies force password resets.

From a preventative standpoint, regulators could incentivize companies to use an authentication method other than passwords.

Other than passwords? Nick agrees:

This exemplifies the need to change to a system other than user-generated passwords. It seems to be in that category of article that essentially says, "There's a problem with humans. We need to change human nature!"

Any behavior that widespread isn't going to be fixed by education; it requires an engineering control.

Okay, but specifically? Sean Li wants to End the Era of Passwords:

Developers can serve a magic link sign up or login experience, where users can authenticate by simply clicking on an email link. Companies like Slack, Medium, and Substack have been known for their easy user onboarding using magic links.

Properly managing user credentials, such as passwords, requires a tremendous amount of resources. Weak passwords actually account for 81% of all security breaches, since over 59% of people reuse their passwords everywhere. … About half a million passwords are leaked per year.

Once hashed passwords are stolen, hackers can direct immense distributed computing resources at them to attempt hundreds of billions of password combinations per second. … In a matter of minutes, each recovered password can expose other passwords used by the same user in other applications, such as bank accounts.

Passwords are a significant source of onboarding and conversion funnel friction. … Removing passwords reduces the number of steps for users to sign up for an application. This has the potential to increase conversion rates by 54%.

The future is magic … passwordless is inevitable. … By delegating authentication to a user’s email, mobile, or hardware device, users no longer have to wrestle with remembering passwords for the ever-increasing number of services that they interact with.

Or there’s this idea, from MRX:

I strongly believe that WebAuthn is the way to go for website authentication. This standard uses public-key crypto to authenticate, so the website/service provider has little responsibility over the Public Keys they get. An attacker does not benefit from them.

The Private Key is saved on people's local devices or on dedicated, more trustworthy hardware solutions. Of course people are still responsible for their stuff, but the standard avoids service-specific secrets to minimise responsibility and obtrusiveness. And service providers cannot screw up with user secrets anymore.
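What MRX describes, as an added illustration that is not part of the comment: a simplified challenge-response model of WebAuthn in Go, where the website stores only an ECDSA public key and the device signs a fresh server challenge bound to the relying-party ID. `Register`, `NewChallenge`, `Sign`, `Verify` and the `rpID|challenge` binding are this example's own constructs, not the WebAuthn wire format or any library's API.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models the user's device or security key; the private key never leaves it (simplified WebAuthn model written for this example).
type Authenticator struct{ priv *ecdsa.PrivateKey }

// Register generates the key pair on the device and hands the server only the public key, which is all the site stores; a breach of that table gives an attacker nothing to log in with.
func Register() (*Authenticator, *ecdsa.PublicKey) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	return &Authenticator{priv}, &priv.PublicKey
}

// NewChallenge is the server's fresh random nonce, used once, so a captured signature cannot be replayed.
func NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil { panic(err) }
	return c
}

// digest binds the challenge to the relying-party ID (WebAuthn binds the origin the same way), so an assertion produced for one site is useless at another.
func digest(rpID string, challenge []byte) []byte {
	d := sha256.Sum256(append([]byte(rpID+"|"), challenge...))
	return d[:]
}

// Sign is the device proving possession of the private key over the server's challenge.
func (a *Authenticator) Sign(rpID string, challenge []byte) []byte {
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, digest(rpID, challenge))
	if err != nil { panic(err) }
	return sig
}

// Verify is the server-side check, which needs only the stored public key.
func Verify(pub *ecdsa.PublicKey, rpID string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, digest(rpID, challenge), sig)
}

func main() {
	dev, pub := Register()
	ch := NewChallenge()
	fmt.Println(Verify(pub, "example.com", ch, dev.Sign("example.com", ch))) // true
}
```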

Or get a password manager? eepok says NO:

Are we surprised? They're humans. Very busy humans. With 40 different password-protected systems to access on a regular basis.

So you'll say, "Get a password manager," which sounds fine to us nerds, but actually is just another layer of complexity across all the systems for the common person.

But NaderZaveri wonders if we’re missing the point:

This is not on the users. It’s on the organization to force a password reset.

Whenever I am performing an Incident Response … one of the first orders of business is to reset all compromised accounts, and depending on the level of access the attacker had, we then request the organization to force a password reset on all users.

Hmmm. Interesting point. Rick Schumann asks—Does it really matter that much?:

You can change your passwords all you want but if the security of the systems your passwords exist on is ****** to start with, they'll just waltz right back in at some later time and get your password again anyway. … From the literally daily reports of data breaches it seems that anything and everything on the Internet is open season to any and all hackers because apparently all security everywhere is ******.

And Mrhiddenlotus is even more cynical:

LOL, this goes deeper than 99% of users even go. Most of them never know that there was a breach—or what that even means.

Meanwhile, count on PPH to make you think:

My bank has been breached a dozen times. I'm up to 'password13' now.

The moral of the story?

  • Test passwords against existing breaches.
  • Make a plan of what to do if you get breached.
  • Consider switching to magic/passwordless authentication.
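The first bullet, as an added example that is not from the post: a k-anonymity range check in Go, modelled on the Pwned Passwords API's prefix lookup, where the password is SHA-1 hashed locally, only the first five hex characters are sent, and the suffix matching happens on the client. The range data and counts are constructed so it runs offline; `RangeSource`, `localSource` and `BreachCount` are this example's own names.

```go
package main

import (
	"bufio"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// RangeSource returns the "SUFFIX:COUNT" lines for a 5-hex-char SHA-1 prefix.
// Only that prefix leaves the client, so the service never sees the password
// or its full hash (k-anonymity, modelled on the Pwned Passwords range API).
type RangeSource func(prefix string) (string, error)

// constructedRanges stands in for the remote service in this offline example:
// the first suffix is the real SHA-1 tail of "password"; counts and decoy are made up.
var constructedRanges = map[string]string{
	"5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n" +
		"0000A3D1F2C5B6E7D8F9A0B1C2D3E4F5A6B:2\r\n",
}

// localSource answers from the table; an unknown prefix simply has no matches.
func localSource(prefix string) (string, error) { return constructedRanges[prefix], nil }

// BreachCount hashes the password, queries only the 5-char prefix, and scans
// the returned suffixes locally. 0 means the exact password was not found.
func BreachCount(src RangeSource, password string) (int, error) {
	sum := sha1.Sum([]byte(password))
	h := strings.ToUpper(hex.EncodeToString(sum[:]))
	prefix, suffix := h[:5], h[5:]
	body, err := src(prefix)
	if err != nil {
		return 0, err
	}
	sc := bufio.NewScanner(strings.NewReader(body))
	for sc.Scan() {
		parts := strings.SplitN(strings.TrimSpace(sc.Text()), ":", 2)
		if len(parts) == 2 && parts[0] == suffix {
			return strconv.Atoi(parts[1]) // match: password is in the breach corpus
		}
	}
	return 0, nil
}

func main() {
	n, _ := BreachCount(localSource, "password")
	fmt.Printf("%q seen %d times in breaches; only prefix 5BAA6 was sent\n", "password", n)
}
```

Against the live service the `RangeSource` would issue the HTTPS range request, but the hashing and the suffix comparison stay on the client exactly as here.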

And finally

Oh noes!


You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Source: Thomas Breher (Pixabay)
