0

During an intense shower thought train. I began to think about a hypothetical world where passwords were no longer a safe way of protecting systems. Edit: W̶h̶e̶t̶h̶e̶r̶ ̶c̶o̶m̶p̶u̶t̶e̶r̶s̶ ̶b̶e̶c̶a̶m̶e̶ ̶t̶o̶o̶ ̶p̶o̶w̶e̶r̶f̶u̶l̶ ̶a̶n̶d̶ ̶c̶o̶u̶l̶d̶ ̶b̶r̶u̶t̶e̶ ̶f̶o̶r̶c̶e̶ ̶a̶n̶y̶t̶h̶i̶n̶g̶,̶ ̶o̶r̶ ̶s̶o̶m̶e̶ ̶m̶a̶g̶i̶c̶ ̶p̶r̶o̶g̶r̶a̶m̶ ̶w̶a̶s̶ ̶r̶e̶l̶e̶a̶s̶e̶d̶ ̶d̶o̶e̶s̶n̶'̶t̶ ̶m̶a̶t̶t̶e̶r̶ ̶h̶e̶r̶e̶.̶ (Let's not assume anything other than the 'fact' that conventional passwords cannot be used to secure systems)

If passwords where out of the picture, how would the general public go about securing their computers and online accounts?

Alex Wilson
  • 31
  • 6
  • 3
    This is a very broad question with unclear requirements. Passwords are only one way of protecting accounts. But once you add in that "anything can be brute forced" then there is no way for anything to be secured. I think you might need to niche down your question a bit.\ – schroeder Jan 15 '19 at 09:33
  • 4
    *" Whether computers became too powerful and could brute force anything, or some magic program was released doesn't matter here."*. - Only it actually matters a lot. It is very unlikely that any change which makes passwords not secure anymore does not impact other technologies. Given that you don't really provide any indications what makes passwords obsolete you don't allow us to conclude what other technologies might be affected. This leaves no place for serious answers but only for wild speculations. I therefore propose to close this question. – Steffen Ullrich Jan 15 '19 at 11:15
  • Would it be a better question phrased as follows: “Taking into account all the defaults around password use to make authentication, what are better technics which can be adopted by the general public to be safely authenticated? Safely for their providers __and__ for them.” – dan Jan 15 '19 at 11:55
  • The mechanism that will remain secure no matter how much brute forcing technology advances is information theoretically secure encryption like one time pad. It's easy to see why one time pad remain secure from brute forcing, because with one time pad all possible plain text of the same length are possible, you can always find a key that will decrypt a file to any file. – Lie Ryan Jan 15 '19 at 12:08
  • On the bright side, a password doesn't make a system secure. In short, if we think and talk system security, there you go again, we need to create a mechanism where even if the security interface is visible to the outside world, it is still not useful, unless when used by the designated user. Hey! the truth is, no matter how secure a system may be, one day, it will be bypassed. – John Zenith Jan 15 '19 at 13:28
  • @schroeder Does this edit niche the question down enough? – Alex Wilson Jan 16 '19 at 13:31
  • @AlexWilson Unfortunately not really. A lot of *why* passwords are not deemed secure enough anymore, also influences the security of other authentication schemes. Storage or transmission are problems that are (for now) universal to the way we authenticate against a system. – Tom K. Jan 16 '19 at 13:57
  • @TomK. I think I understand why this question is fundamentally to broad for just one Q&A, thanks. Something like this sort of question would be better suited for a classroom or a course, or even for researchers. – Alex Wilson Jan 16 '19 at 14:45
  • I personally think you are touching interesting topics here. Maybe the question is better phrased like this: What are the pros and cons for other authentication schemes than password usage? (Something like that. Not sure if there is a duplicate though.) Final note: I would advise to ask a new question if you want to ask this. ;) – Tom K. Jan 16 '19 at 15:10

2 Answers2

4

We have no idea - yet.

Because passwords are insecure because of a combination of factors.

  1. People choose bad (with only X bits of entropy) passwords.
  2. Companies have bad password policy.
  3. Passwords are stored in plaintext.
  4. Password hashes are created with "bad" cryptographic hash functions.

All of these factors are theoretically "solvable".

  1. We could tell people to use stronger passwords.
  2. We could tell companies to have better password policies in place.
  3. We could theoretically fine companies that store passwords in plaintext or when they create "easy" to brute force password hashes.

We (and a lot of other people) have been doing this for a long time and nothing or maybe little has changed. So your question is absolutely valid and has been asked before many times. The problem is, nobody has a good solution yet.

Why is that?
There are several fundamental problems: creation, storage, recreation.

Every factor that is used for authentication a) has to be created by something or someone, b) has to be stored on the client side (to transmit it to the server) and server side (to prove that it is correct) and c) it has to be possible to recreate a new one if it is lost.

All "new" proposals have at least a weakness in one of these categories. Take biometrics for instance:

  1. creation: relatively easy, almost everybody has a fingerprint/veins/a face
  2. storage (client): easy, on your body
  3. storage (server): easy, either plaintext (several pictures are stored) or a hash is derived (both these solutions are suboptimal)
  4. recreation if lost on the server side: not possible

There are other fundamental problems like usability, factor reuse, privacy etc. You can take every new proposal that is in the following list and is the topic of authentication research today and it will fail to solve at least one of the named problems.

What other solutions are discussed?
These: More biometrics (heart rate, voice, walking pattern), n-factor authentication, OTP everywhere, web of trust-like schemes, trust score system (scary!) and others.

In conclusion: We do not know what will come next, but there is a lot of research going on, because not only scientists but also companies are getting tired with all the problems that good old passwords have.

Tom K.
  • 7,913
  • 3
  • 30
  • 53
  • Biometrics, for the reasons you cite, should be considered as identifiers (like usernames), not authentifiers (like passwords). – A. Hersean Jan 15 '19 at 09:54
  • 1
    Well, the problem is, they are not considered as identifiers in the industry. <: – Tom K. Jan 15 '19 at 10:04
  • I would bet on OTP on an extermal USB key opened by a private key on an RFID under the skin (to avoid 2 of the major faults of biometrics). – dan Jan 15 '19 at 11:17
  • There is one more reason passwords are insecure: [return] 5. passwords are typed on keyboards which are managed by too weak OSes (caches not cleaned, key loggers, web browsers with caches not cleaned, hidden debugging functions…). – dan Jan 15 '19 at 11:44
2

There are a few options, depending on what level of "magic" we are talking about. Bear in mind that some things, like simple brute-force attacks, are still possible to protect against with password-based systems regardless of how fast the attacking system is, unless its attempts are indistinguishable from those of a real user's login attempts (and thus cannot be filtered out using CAPTCHAs, timing, IP blocks, etc.), and even then all they can do is force services to disable password login out of fear of denial-of-service attacks. My password for this site is sufficiently high-entropy that if it takes StackExchange's servers only one microsecond to verify it - which would imply terrible things about the quality of their password hashing - you still couldn't brute-force it this millennium.

Anyhow, a handful of approaches already sometimes used today, presented in no particular order:

  • TLS Client certificates: Established technology where, for each user, a server has a public key (generally generated by the client - that is, the user) stored in a certificate that identifies the user, the user has the corresponding private key, and in order to complete the TLS handshake the TLS client must prove to the server that it has the key to that cert (just as the server proves to the client that it has the key to its cert). Requires that the user distribute their keys to all of their devices, but in theory this is doable (all major mobile and desktop browsers already support this).
  • Other forms of public-key authentication: There exist systems, such as SSH, which use public-key cryptography in a manner similar to TLS with client certificates, but do not actually use TLS. The private keys (as with TLS private keys, actually) are usually encrypted with a key-derived password, but that is just to slow down an attacker if one manages to obtain the key; the key's primary protection is that you never, ever let anybody else see it or use it, and the encryption (and thus the password) are entirely optional.
  • FIDO U2F or similar: Using hardware "security keys" that communicate with your device over USB or NFC, combined with asymmetric encryption, you can provide evidence of your identity. While U2F is (as its name indicates) meant to be a second factor of authentication, there is also the WebAuthn standard, which grew from the same group and is implemented in some of the same hardware tokens available today, which is explicitly suitable for use as a single factor.
  • Smart Cards: These chip-on-a-card devices are already widely used for proving identity - cell phone SIM cards are compact Smart Cards, for example, as are the "chips" in chip-enhanced credit or debit cards - and have also been supported for logging into Windows (and probably other OSes) for over a decade.
  • Biometrics: While not ideal for protecting a secret (such as a disk encryption key) or for transmitting over a network, biometrics (most commonly fingerprints, but also things like iris scans) have been used for local authentication for decades, and most high-end laptops, tablets, and smartphones already support this.
  • Key file on portable media: For systems like disk encryption and whatnot where a securely-stored secret is needed, the main alternative to passwords is key files. A key file is just what it sounds like - a cryptographic key stored in a file on a flashdrive or similar devise - and to unlock a machine you plug in the drive. The drive is only plugged in while authenticating, and lives on your physical keychain along with your house key, etc. With mobile devices increasingly supporting USB mass storage through their charging ports (especially those that use USB-C), this is viable even for mobile devices.
CBHacking
  • 40,303
  • 3
  • 74
  • 98
  • 1
    Most of the methods above I don't consider to be better than passwords. Biometrics are a joke when it comes to bypassing them. – Overmind Jan 15 '19 at 09:56
  • Nobody asked about "better than" passwords, only about alternatives to them that allow authentication without relying on passwords at any step. Biometrics can also be made pretty secure, if the attacker is unable to access the system that verifies them (think a locked building with a fingerprint reader by the door but the "guts" all inside, rather than a PC where you could poke the HD or RAM directly) and there are sufficient "liveliness" tests that you can't practically clone them off a water glass or something, although it's true that most consumer systems aren't very secure today. – CBHacking Jan 15 '19 at 10:02