Evolving beyond password complexity as an identity strategy

The security community is continuously changing, growing, and learning from each other to better position the world against cyber threats. In the latest Voice of the Community blog series post, Microsoft Product Marketing Manager Natalia Godyla talks with Troy Hunt, founder of Have I Been Pwned, information security author, and instructor at Pluralsight. In this blog, Troy talks about the future of identity and shares strategies for protecting identities.

Natalia: What threats will be the most important to focus on in the next year?

Troy: We’re seeing more one-time password phishing. This is the value proposition of something like U2F, but how do we make phish-resilient authentication mechanisms? The other thing that’s particularly concerning is the rate of SIM card hijacking. It concerns me greatly that it seems to be so prevalent and that it’s so easy, almost by design, to port a SIM from one location to another. As an industry, we need to say, “Where is the level of identity assurance for a phone number?” Is it very weak or is it very strong, in which case telecommunications companies need legislation to change the ease with which stuff gets ported? Unless we can get people on the same page, we’re going to keep having these problems.

Natalia: What should IT professionals prioritize?

Troy: I would really like IT professionals to better understand the way humans interact with systems. Everyone says, “Just force people to use two-factor authentication.” Do you still want customers? I think every IT professional should have to go through two-factor authentication enrollment with my parents. Everyone should have to learn what it’s like to take non-technical people and try and get some of these things working for them. We can’t just look at these things in a vacuum.

I think U2F is a brilliant technical solution, but it is such an inherently human-flawed mechanism for many reasons. I have enough trouble trying to get my parents to use SMS-based two-factor authentication. Imagine if I had to tell my parents, “You’ve now got this little USB-looking thing, and you need to always have it with you in case you need to log into your device.” We have so many good technical solutions that come at the cost of being usable for most humans, myself included on many occasions.

I’d like us to have a much better understanding of that, which also speaks to solutions like passwordless authentication. We need to give more credit to what passwords in the traditional sense do extremely well. The thing that passwords do better than just about everything else is that everyone knows how to use them. It’s like using your date of birth for knowledge-based authentication. It sucks, but every single person knows how to use it, and that makes a really big difference.

Natalia: What’s the use case for password managers?

Troy: Password managers are a way of storing one-time passcodes (OTPs), but it’s important to recognize that password managers are not just for passwords. I have my credit card details in there, and every time I go to pay at a store, I do the control backslash and automatically fill in the credit card details. I have other secrets in there, like my driver’s license and other data. In many ways, passwords are just one part of the password manager solution, but certainly, for the foreseeable future, we’re going to have passwords so there’s a strong use case for password managers.

Another use case is a family account. If my partner wants to log into our Netflix account, she has her own identity, but there’s one set of credentials. She asks, “Hey Troy, what’s the password for the Netflix account?” It’s a string of gobbledygook. How am I going to get her the password? Do I message it to her, because then it’s in the thread in my unencrypted SMS? But if you have a password manager where you have shared vaults, you can just drop it in the shared vault. That’s another good example of where a password manager is more than just me trying to remember my secrets.

Natalia: Since we’re likely to continue to use passwords, what controls should we put in place to protect them?

Troy: Ultimately, this password is the key to your identity. We’ve had passwords on computer systems for about 60 years and the era in which they were born was so simple. It was before the internet and before social media and before all these other ways we can lose or disclose them. Over time, we started saying, “Let’s have password complexity rules. More entropy. More entropy equals stronger.”

When I used to be able to travel and speak to an audience, I’d talk about passwords and password complexity. I’d say, “Imagine you want to have a password that is the word ‘password’, and a website says you have to have at least one uppercase character. What do you do? You capitalize the first letter.” Everyone in the audience is laughing nervously and looking at me like, “Oh, you figured it out?” I’d tell them, “You have to have a number. What do you do? You put a one at the end.” And there’s the same nervous laughter. There is this human side that works in complete parallel to the whole mathematics of entropy and having more character types and longer passwords.

As we’ve progressed, we’ve started to recognize that arbitrary password composition criteria are not a very good thing to do, and we’re looking at whether we can have lists of banned passwords, like passwords from previous data breach corpuses. Are you using a password that is already out there floating around in data breaches? Maybe we will get to a time where this won’t be necessary because we will be truly passwordless. In the interim, I think that having a better understanding of what makes a bad password is important and educating users on this first and foremost.
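The banned-password check Troy describes is usually built as a lookup against a breach corpus, and the privacy-preserving way to do that lookup is the k-anonymity range pattern: the client hashes the candidate password, sends only the first five hex characters of the hash, receives every hash suffix in that bucket, and does the final comparison locally, so the service never sees the full hash. The Python below is an added example written for this post, not code from the interview or from Have I Been Pwned; the corpus, the prevalence counts and the helper names (`build_range_index`, `range_lookup`, `breached_count`, `is_banned`) are all constructed for illustration.

```python
import hashlib

# Constructed sample corpus: a few leaked-style passwords with made-up
# prevalence counts standing in for a real breach corpus. Not real breach data.
SAMPLE_BREACHED = {
    "password": 3_861_493,
    "Password1": 119_000,   # the "capitalize it and add a 1" mutation
    "123456": 23_597_311,
    "qwerty": 3_946_737,
    "letmein": 236_000,
}


def _sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form breach corpora are distributed in."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: dict) -> dict:
    """Server-side index: 5-hex-char prefix -> {35-char suffix: prevalence count}."""
    index: dict = {}
    for pw, count in corpus.items():
        digest = _sha1_hex(pw)
        index.setdefault(digest[:5], {})[digest[5:]] = count
    return index


def range_lookup(index: dict, prefix: str) -> dict:
    """Simulated server endpoint: given only a 5-char prefix, return the whole bucket.

    The server learns the prefix and nothing else; it cannot tell which of the
    returned suffixes (if any) the client was interested in.
    """
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return dict(index.get(prefix.upper(), {}))


def breached_count(password: str, index: dict) -> int:
    """Client side: hash locally, query by prefix, compare the suffix locally."""
    digest = _sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    bucket = range_lookup(index, prefix)
    return bucket.get(suffix, 0)


def is_banned(password: str, index: dict, threshold: int = 1) -> bool:
    """Reject any password seen at least `threshold` times in the corpus."""
    return breached_count(password, index) >= threshold


if __name__ == "__main__":
    idx = build_range_index(SAMPLE_BREACHED)
    for candidate in ("Password1", "correct horse battery staple"):
        print(candidate, "->", "banned" if is_banned(candidate, idx) else "ok")
```

The threshold is a policy choice: rejecting anything seen even once is the strictest setting, while a higher cutoff trades a little coverage for fewer false positives on long but coincidentally leaked strings. Whatever the cutoff, the rejection message should tell the user the password appeared in a breach, not that it "failed complexity rules", since the whole point of this control is to replace composition rules with something users can act on.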

Learn more

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.