Stop Trying To Kill The Password

I’ve seen a lot of reports in the last year that have been prompted by the massive password dumps on major websites. The focus of these reports has been about ‘killing passwords’ and replacing them with new technology. The thing is, passwords are actually great, and they don’t need to go anywhere.

First of all, passwords simply aren’t going anywhere. You’re not going to reinvent every websites authentication – we can barely convince sites to stop storing in plaintext, or use something other than MD5, so you’re absolutely not going to convince anyone to change their entire authentication method from the ground up.

On top of that… there’s just nothing wrong with passwords. Passwords on their own are kind of awesome, and, if used properly, way beyond most attacks. If you were to come up with a completely random 16 character password you could rest assured for the next wonderful couple hundred million years of your life you wouldn’t have to worry about anyone bruteforcing it.

The problem is that remembering something like L10F!E4d1I4U8Nhr is difficult, and remembering a unique password for every site is even harder, given that most people have at least a dozen websites that they log into.

So should we dump the password? Definitely not. We should instead move to password management systems, like LastPass, and implement two-factor auth on critical websites. This should have a very small effect on usability while having a very significant effect on security.

With a password manager like LastPass you don’t have to remember any of your passwords, so there’s no reason for you to use the same password twice, or use something easy to remember – you can very easily use 16 character random passwords for every site you visit. The only password you have to remember is your master password, and that’s the ‘point of failure’ that needs to be addressed.

Addressing that master password security is actually not so difficult. LastPass deals with it in two ways.

1) PBKDF2 rounds make bruteforcing far less useful, with a default of 5,000, and an incredibly high maximum value of 256,000. That means every single password attempt will take ~5,000x as long as a single password attempt. You can raise this number significantly to make even weaker passwords way too difficult to bruteforce.

2) Two-Factor Authentication means that even if an attacker has compromised your password they still need access to a physical device that’s used for authentication, such as an Android device, or a piece of paper.

So bruteforcing the master password just isn’t practical anymore, if you use even a slightly strong password with PBKDF2 and 2FA.

It’s dead easy to use and you can access it anywhere with internet connection (or use the Android App, which is great) and it would solve users reusing passwords, users using weak passwords, and other issues.

Of course, websites themselves should always assume the worst. They should always use PBKDF2 or bcrypt, and websites that store critical information should use 2 Factor Auth as well. But, for the users end of things, a password manager solves most issues.

So rather than scrap the most basic authentication mechanism used everywhere, just harden it. It’s not difficult.

5 thoughts on “Stop Trying To Kill The Password

  1. Nice to hear your opinion on LastPass. I want to get a Yubikey also. The only problem I have with LastPass and the passwords, is I have over 400 sites where I should change the password, but that’s a lot of work! I do use two factor authentication now though.

    • Yeah, I have a lot of weak passwords left, but only on sites I rarely/ never use. I used to have more but over time I’ve gone through the list and changed the passwords.

  2. The problem with PBKDF2 is that it can be parallelized in hardware, which makes it less secure against organizations capable of building specialized set-ups (read: NSA and Botnets). I wish most security products would use scrypt or bcrypt. These are more secure key derivation functions which are harder or impossible to parallelize in hardware. It would render Radeon GPU farms nearly worthless. KeePass, LastPass, Truecrypt, etc. use PBKDF2 or a derivation thereof. Thankfully SpiderOak uses bcrypt. Props to them!

    • This is true. But at 256,000 rounds (the max for LastPass) there’s a significant hit, because it’s so computationally hard. The nice thing about bcrypt and scrypt is that they make GPUs less useful due to their small L caches and memory. But PBKDF2 is still computationally hard, it just “fits” onto GPUs.

Leave a Reply

Your email address will not be published. Required fields are marked *