Passwords are Broken

Password-Based Authentication is Broken

Feb 7, 2024

Abstract — This article covers password-based authentication, a cornerstone in the sphere of authentication and authorization. Despite the advent of numerous alternative methods, passwords remain a prevalent and sufficiently private solution to meet a wide array of security needs. This study provides a comprehensive analysis of various authentication schemes, discussing their respective advantages and drawbacks, as well as the often-observed misalignment between user interactions and password systems. We delve into the historical development of passwords and their seamless integration into everyday life, shedding light on the divergent views held by users and the technological industry at large. The discussion is structured by bifurcating password-based authentication into two distinct approaches: User-Centric Design, which prioritizes user experience and interaction, and Machine-Centric Protocol, which focuses on the technical and security aspects of authentication systems. The paper concludes by outlining strategies used to enhance the security and efficacy of password systems, thereby addressing the contemporary challenges faced in the realm of digital security.

Photo by Florian Berger on Unsplash

Key findings include the identification of three primary authentication categories: Knowledge-Based, Object-Based, and Characteristics-Based Authentication. Password-Based Authentication (PAS), a subset of Knowledge-Based Authentication, has significantly influenced internet security, despite its challenges. The paper discusses the human factor as a major security weakness and the need for more user-centered design approaches in system development.

Addressing password-related issues, the study suggests solutions like dynamic password policies, password meters, password managers, and two-factor authentication to improve security and usability. It also presents an in-depth analysis of password-based authentication schemes, dividing them into User-Centric and Machine-Centric approaches. The User-Centric Design Scheme proposes innovative solutions for enhancing password security and usability, while the Machine-Centric Protocol Scheme explores advanced authentication methods, including one-time passwords and challenge-response mechanisms.

We advocate for a shift in focus towards efficient user-centric mechanisms, protocols, and frameworks to balance security and usability in password-based authentication systems. It calls for future research to emphasize system design goals that cater to both efficiency and effectiveness, moving beyond conventional problem-solving approaches.

Index Terms — Password, Authentication, User Level Authentication, Machine Level Authentication, Cryptographic schemes.

Photo by rc.xyz NFT gallery on Unsplash

I. INTRODUCTION

The rising prevalence of identity theft has underscored the importance of robust and efficient authentication methods. Authentication plays a pivotal role in confirming an individual’s identity for access to system resources. Machine-to-machine authentication, which utilizes protocols like Secure Socket Layer (SSL), safeguards machines but falls short in preventing unauthorized human access. Thus, user authentication becomes essential, reinforced by stringent policies to deter identity theft. Systems implement various authentication techniques, each designed to secure authorized user access and block unauthorized entry.

Authentication techniques fall into three primary categories:

1. Knowledge-Based Authentication (KBA): This category encompasses methods like user IDs and passwords, passphrases, challenge questions, zero-knowledge protocols, and challenge-response protocols.

2. Object-Based Authentication (OBA): This type involves the physical possession or usage of devices such as smart cards and identity cards, which are prevalent in sectors like banking, transport, parking, and hospitality. The integration of additional security measures helps to reduce the risks associated with device loss or unauthorized use.

3. Characteristics-Based Authentication (CBA) or Biometrics: This method relies on unique personal attributes, including fingerprints, voice recognition, signature recognition, and facial recognition, for authentication.

Password-Based Authentication (PAS), a subset of Knowledge-Based Authentication, involves the use of secret passwords for system access. This form of authentication has been a major influence in the realm of internet security for the past five decades, despite its inherent security challenges. Efforts to enhance password security have primarily focused on improving its effectiveness. Researchers have proposed various schemes to increase efficiency, including modifications in computational times and enhanced security measures. For example, prolonging computation time has been recommended to counter brute force attacks. Innovations in password schemes include the application of continuous hash function iterations on the original master password.

One experts insightful remark, “If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand technology,” underscores a crucial cybersecurity challenge: the human factor is often the weakest link in security chains. Studies have revealed that users, whether consciously or unconsciously, often compromise security mechanisms such as password-based authentication. This issue is frequently attributed to both the implementation of these mechanisms and the users’ comprehension of them. A significant gap in the development of password-based authentication is its excessive focus on technicalities, neglecting the ease of use for the general populace, including laypersons. Researchers such as Hitchings, and Davis and Price, have identified that this lack of focus on user-friendliness leads to weaker security systems.

Interestingly, hackers tend to examine the human aspects of security more closely than system designers, resulting in more frequent security breaches. Detailed analyses indicate that security implementers should more actively involve users in creating a user-centered design. There is a general agreement that organizations should embrace intelligence-driven security models to reduce data disturbances. Research in this area has often concentrated on the formal properties of passwords, like stringent policies and composition, rather than on practical design considerations. This leads to a disconnect between the most pressing issues and the focus of research. Despite these challenges, passwords continue to be a prevalent method of user authentication, highlighting the necessity to reinforce both the strength of passwords and their authentication processes. Developing effective and efficient authentication methods, especially focusing on passwords due to their critical role in current authentication systems, is both an urgent and essential task.

Photo by Chris Henry on Unsplash

II. PASSWORD PROBLEMS & SOLUTIONS

The main challenge with passwords is the gap between their practical usability and the effectiveness of existing support tools. This often results in a misalignment between user behavior and security protocols, leading users to bypass these measures. More realistic guidance, in line with user behavior, is needed. The fundamental issues with passwords are:

1. Weak Passwords: The use of easily guessable passwords is a major contributor to system breaches, as highlighted in various reports, which attributed a significant percentage of security incidents to weak passwords.

2. Memorability: Passwords depend on precise memory recall, and slight mistakes can lead to access failure.

3. Password Reusability: With the average user managing approximately 25 accounts, password reuse is common, stemming from the desire to reduce cognitive burden.

4. Stringent Password Policies: Excessively strict password policies often backfire, resulting in weaker security and user frustration, which can be costly for both individuals and organizations.

5. Database Breaches: Several high-profile incidents, such as the 2012 Yahoo breach, have exposed user passwords on a massive scale, offering hackers insights into common password trends.

6. Phishing and Key logging: These risks involve users unknowingly submitting their credentials to fraudulent entities (phishing) or having their keystrokes recorded by malware (key logging).

Photo by Magnet.me on Unsplash

Addressing these issues involves a range of strategies that focus on recognizing weak passwords, enhancing their creation, and improving security awareness. Key solutions include:

1. Dynamic Password Policies: Customizing password policies to suit individual or group requirements can strike a balance between risk management and user convenience.

2. Password Strength Indicators: Tools like password meters, used by platforms such as Twitter and Google, promote stronger passwords by visually indicating their strength, especially for critical accounts.

3. Password Managers: Applications manage robust, unique passwords for different web accounts, employing cryptographic techniques and occasionally incorporating features like salting for added security.

4. Password Generators: These assist in generating strong passwords but sometimes face vulnerabilities to third-party attacks, particularly when transmitting data through JavaScript.

5. Out-of-Band Password Authentication: This approach validates credentials through a mobile device, safeguarding against malware that could compromise a computer.

6. Two-Factor Authentication: Incorporating an additional authentication layer significantly boosts security, particularly beneficial for those who have previously suffered password theft.

7. Single Sign-On Systems: Platforms such as Facebook, Twitter, and OpenID offer single sign-on capabilities, alleviating the burden of remembering multiple passwords.

8. Keystroke Dynamics: An affordable behavioral biometric technique, it analyzes unique typing patterns on digital devices, augmenting password security without needing extra hardware.

Collectively, these solutions tackle various facets of password-related challenges, from user habits to technical flaws, contributing to a more secure and user-friendly authentication environment.

Photo by Michael Dziedzic on Unsplash

III. PASSWORD-BASED AUTHENTICATION SCHEMES

Password-based authentication is broadly categorized into two distinct approaches: the User-Centric Approach and the Machine-Centric Approach. The Machine-Centric Approach encompasses machine-to-machine password exchanges and relies on protocol-based authentication schemes. Conversely, the User-Centric Approach is defined by secure password entry in user-to-machine interactions, emphasizing design-based authentication schemes. Enhancing both approaches can lead to more efficient and effective authentication systems.

A. User-Centric Design Scheme

Recent research has revealed that data breaches cost large enterprises significantly. Future advancements may include a portal for generating secure passwords from active directory data, potentially increasing security while saving time. User-friendly password management or design solutions can improve transparency and elevate password security. The User-Centric scheme, therefore, centers on user interactions with passwords.

1. Elements of Password Authentication

The authentication process typically involves these key elements:

• Alphabet Classes: These are the different character sets available for creating a password, such as a mix of alphabetic characters, special symbols, and numerals.

• Alphabet Size: This refers to the total number of characters available in a given alphabet class, such as ten characters (0–9) in a decimal class.

• Password Length: The required number of characters in a valid password, which directly affects the range of possible password combinations.

• Authentication Period: This is the time frame for which the authentication process is valid, like intra-session or multiple sessions.

• Input Visualization: This involves the system feedback provided to users about their chosen password’s characteristics, such as plaintext or encrypted text.

• Lifetime: The duration for which a password remains valid. After its expiration, a new password needs to be issued or the existing one changed.

• Password Guidance: The extent of assistance provided to users in selecting a password, which can vary from minimal tips to comprehensive support.

• Generator of Password: The entity responsible for enforcing password regulations, which could be the user, the System Security Officer, or the password mechanism itself.

• Storage: The method employed by the password mechanism to store username/password information, whether in a file, a non-file system, or an alternative system.

Photo by UX Indonesia on Unsplash

2. Password Design

Despite facing various security challenges over the past fifty years, passwords have profoundly influenced authentication systems. In conventional settings, such as operating systems, users typically create a unique user ID and password, which act as their authenticators. A common issue is that users often select easily predictable passwords and repeatedly use them across different accounts. Even though there are numerous advisories against writing down passwords to avoid misuse, unwritten passwords frequently turn out to be weak, leading to compromised security. Therefore, it’s crucial for organizations to find a middle ground in enforcing password policies that consider both memorability and security concerns. The propensity of users to create weak passwords, especially when independently setting them, poses a significant threat to security. Several alternative methods for generating passwords have been developed:

• System-Generated Passwords: These are randomly created strings of characters by the authentication system, which are hard to predict but also hard to remember.

• Associative Passwords: Unique to each individual, these cue-response type passwords require non-trivial word associations to increase security.

• Cognitive Passwords: Known as challenge-response schemes, they necessitate users to answer several personal questions for access. The questions should be personal and specific to the user.

• Pass-phrases: Consisting of a sequence of words, passphrases are longer than conventional passwords but are generally easier to remember. Many institutions support their use, as evidenced by empirical studies.

Photo by FlyD on Unsplash

3. Password Composition Policies

Effective password composition policies result in stronger passwords but also increase the burden on memory. Such policies make passwords harder to guess. The approaches to password composition and creation vary in their effectiveness and impact on user experience. Here’s a breakdown of different methods:

1. Rule-based Approach: This traditional method involves setting predefined rules for password creation, such as specifying minimum and maximum character limits, requiring the inclusion of special characters, numbers, and uppercase and lowercase letters. While this approach aims to increase the complexity and security of passwords, research, including a study by Weir et al. in 2010, has shown that it can be ineffective. Users often create passwords that meet these criteria but are still predictable or use similar patterns, making them susceptible to being guessed or cracked by sophisticated algorithms.

2. Random Approach: In this method, passwords are generated randomly by the system, creating strings of characters that are highly secure due to their randomness and lack of predictability. The downside of this approach is the challenge it poses to users in terms of memorability. Randomly generated passwords, while secure, are often difficult to remember, leading to issues with user convenience and potentially increasing the reliance on password recovery mechanisms or the need to write down passwords, which can introduce new security risks.

3. Analyze-Modify Approach: This newer approach seeks to balance security with usability. It uses a probabilistic method to initially estimate a password’s strength or entropy. Based on this assessment, context-free grammar rules are applied to modify the password, enhancing its strength while maintaining or even improving usability. This method aims to create passwords that are both strong and user-friendly, addressing the common issue where users create weak passwords for the sake of convenience. By analyzing and then modifying the password, this approach can guide users toward creating passwords that are not only secure but also memorable and practical for everyday use.

Photo by Scott Graham on Unsplash

4. Password Strength

The strength of a password is typically gauged by how long it takes an algorithm to generate guesses. The longer the time, the stronger the password is considered. Initially, password length was seen as a key factor in determining strength. Now, password quality and entropy are commonly used as metrics of strength. Entropy is calculated by considering factors like the length of the password, character sequencing, the number of character types, and character content. It’s also beneficial in identifying weak passwords and enhancing dictionary check methods. Password quality indicators, developed based on the trial-and-error time needed to find the correct password, include factors such as password length, character set range, and deviation from common dictionary words. Password meters also play a role in encouraging users to create stronger passwords by providing visual feedback and suggestions.

Photo by Eric Krull on Unsplash

B. Machine-Centric Protocol Scheme

The evolution of authentication methods has transitioned from basic transmission techniques to more advanced challenge-response mechanisms. Initially, passwords were transmitted as plain text or images, a method that posed significant security risks. To counter these vulnerabilities, challenge-response mechanisms were developed, which use a secret function calculated during server authentication to bolster security. Despite their advancement, these methods are still susceptible to online password guessing attacks.

Challenge-response identification protocols are divided into categories based on the cryptographic techniques they employ: symmetric-key, public-key, and zero-knowledge proof techniques. The adoption of one-time passwords represents a significant step in strengthening authentication methods. These passwords are unique to each session, addressing the issue of reusability inherent in fixed password schemes and enhancing security in scenarios where clients may lack access to sophisticated devices.

However, a notable limitation of traditional password protocols is their reliance on storing passwords or hashed passwords in a centralized password table, which can become a target for intruders. To mitigate this risk, researchers have explored methods involving trusted third parties in the authentication process. Yet, these approaches can still be prone to attacks, especially when secret keys are stored in password tables.

To overcome these challenges, ID-based schemes integrated with smart cards have been developed. These schemes offer multiple advantages, such as eliminating the need for key exchange and password tables and reducing dependence on trusted third parties. Nonetheless, their effectiveness in network environments is limited by issues like the absence of timestamp integration, making them vulnerable to replay attacks.

In response to these vulnerabilities, researchers have proposed incorporating timestamps into ID-based schemes to reduce the risk of replay and impersonation attacks. However, these improved systems may still face challenges, especially when identities are not included in the ID-based schemes, and there’s no option for changing passwords post-registration.

Furthermore, time-based schemes have been suggested for environments with synchronized clocks, requiring only a single message for authentication. In contrast, networks lacking synchronization, such as wide-area networks or satellite communications, might need a more complex three-message authentication scheme.

Authentication protocols are generally categorized based on their message-passing techniques, with the two main categories being those based on public key cryptography and those using hash functions. Each of these approaches has its own set of strengths and weaknesses, and the choice between them often depends on the specific requirements and constraints of the environment in which they are deployed.

Photo by marcos mayer on Unsplash

These cryptographic protocols, while solving certain problems, also introduce additional features beyond basic authentication. For higher-level applications, password authentication protocols must incorporate these additional functionalities, including:

• Mutual Authentication: This involves two-way authentication, where both server and user verify each other’s identity, mitigating risks like man-in-the-middle and impersonation attacks in remote situations.

• Authenticated Key Exchange: This feature involves sharing a session key between the server and user at the end of each protocol, used for encrypting session messages, thereby preventing data forgery and hijacking.

• User Identity Protection: Ensuring user identity remains secure is crucial, especially in remote authentication scenarios. Protocols employing hash functions often have an advantage in speed due to lower computation times compared to key operations. However, public key crypto-systems provide superior security, facilitating mutual authentication and resistance to various attacks.

• Device-based Protocols: Designed to safeguard against attacks on password tables, these protocols allow users to alter or eliminate the password table, which might lead to system failure. As the number of users increases, managing the expanding size of password tables becomes more challenging, particularly in extensive networked environments.

Password-based authentication protocols can also be distinguished by the devices used, such as password-only protocols, dedicated device-aided PA protocols (e.g., smart cards), and memory device-aided PA protocols (e.g., USB-based).

Photo by Tim Mossholder on Unsplash

1. Password-Only Protocols

Protocols that rely solely on passwords typically require just a login ID and password for system access. Password-Authenticated Key Exchange (PAKE) protocols offer security even when users opt for shorter passwords. PAKE protocols enable parties to share a common session key over insecure networks, utilizing low-entropy secrets like passwords.

Tag-based Password Authentication focuses on mutual authentication and sidesteps the key exchange phase in PAKE. Group Password Authenticated Key Exchange, Multi-Factor Authenticated Key Exchange, and Password Protected Secret Sharing are other approaches that have been explored.

• Tag-based Password Authentication: Researchers have introduced tag-based Password Authentication (tPAuth), which focuses on mutual authentication and sidesteps the key exchange phase in PAKE (Password Authenticated Key Exchange). tPAuth is used in Password Authenticated and Confidential Channel Establishment (PACCE) protocols, where it ties a confidential channel directly to a password-based authentication protocol.

• Three-Party Password Authenticated Key Exchange: This approach involves a trusted server that shares a password with two parties wishing to communicate. It is designed to enhance the security of password-based systems by involving a third, trusted entity in the authentication process.

• Group Password Authenticated Key Exchange: An extension of PAKE for group scenarios, this technique involves sharing a session key among multiple users. It adapts general group key exchange methods to fit password-based settings, ensuring secure group communication under the umbrella of password-based authentication.

• Multi-Factor Authenticated Key Exchange: This approach combines multiple authentication techniques into one system, thus enhancing security. Models ranging from two to multiple levels of security have been proposed, integrating various factors like passwords, biometrics, and security tokens to create a more robust authentication system.

• Password Protected Secret Sharing: This protocol, initially introduced and later refined by various researchers for reduced complexity, splits a secret key among several servers, with each portion protected by a password. Key applications include remote storage, where the security of the stored data is enhanced by distributing the access control across multiple password-protected segments.

Photo by Yura Fresh on Unsplash

2. Dedicated Device Protocols

These protocols necessitate the use of a dedicated device, such as a smart card, for authentication. Smart cards, when used in conjunction with various cryptographic protocols, can significantly enhance the security of user authentication. RSA-Based Schemes and ELGAMAL-Based Scheme are examples of such cryptographic protocols.

3. Memory Aided Protocols

Memory device-aided password authentication protocols utilize devices such as USB sticks, PDAs, and mobile phones to store crucial authentication information. These protocols aim to preserve the authenticity of data even if the memory device is compromised or stolen.

IV. CONCLUSIONS

We have highlighted the significant gap between system developers and users in the field of authentication, identifying users as both the weakest link and a substantial challenge to the effectiveness of authentication models. The primary contribution of this study is its exploration of this divide, seeking to bridge it by incorporating user perspectives in the design phase and developer insights in the protocol phase. The predominant issue with passwords is the disconnect between their practical usability and the adequacy of current support tools. Often viewed merely as tools for information sharing, passwords are strengthened mainly for important accounts, as encouraged by password meters, but not consistently across all accounts. This observation indicates that the robustness of security mechanisms depends not only on the tools employed but also on the value or relevance of the information users wish to safeguard. Therefore, users need realistic, behavior-aligned guidance.

Future research should focus more on system design goals, emphasizing both efficiency and effectiveness, and move beyond strictly defined problem formats. Advanced protective measures like comprehensive password policies and out-of-band authentication could enable the use of strong passwords without overloading users’ memory capacity.Strengthening Password-Based Authentication

Research in password-based authentication has predominantly concentrated on enhancing its effectiveness. Some studies have also investigated ways to improve efficiency, such as by altering time computations and bolstering security measures. Strengthening password security involves refining password protocols to counteract online attacks and making password entry more rigorous to prevent offline attacks. Employing hash functions to generate strong yet memorable passwords is a promising strategy that requires no changes on the server side and offers resistance to brute-force attacks.

Photo by Dan Nelson on Unsplash

Who Makes, Who Enforces, Who Follows

A marked disconnect persists between the areas causing the most harm and those being researched. This misalignment necessitates more user-centric guidance, with designers focusing on HCI design over rigid password composition policies, and organizations evaluating the costs and benefits of their security measures. This realization underscores the need for research on efficient user-centric mechanisms, protocols, and frameworks, aiming to strike a balance between security and usability. The time is ripe to shift focus from elaborate password rules to more effective strategies, investing in the enhancement of password-based authentication systems’ efficiency without sacrificing their effectiveness and security.

In conclusion, this comprehensive exploration of password-based authentication underscores the criticality of harmonizing system design with user behavior. Despite technological advancements and the introduction of alternative authentication methods, passwords remain a cornerstone of internet security. Throughout we have highlighted the complex interplay between user-centric and machine-centric approaches in enhancing the efficacy and security of password systems. It reveals that the key to fortifying password-based authentication lies not only in the technical aspects of cryptographic schemes and protocols but also significantly in understanding and integrating the human factor in system design. The study advocates for an equilibrium between robust security measures and user convenience, underscoring the importance of designing systems that are both secure and user-friendly.

Future research directions should focus on developing innovative solutions that address the inherent challenges in password-based authentication, particularly those related to usability, memorability, and resistance to various forms of cyber-attacks. Emphasizing efficient user-centric mechanisms and frameworks can lead to more intuitive and secure authentication systems, thereby reducing the gap between user behavior and security protocols. This will not only enhance the security landscape but also ensure that authentication systems evolve in tandem with user needs and technological advancements, thus safeguarding digital identities in an increasingly interconnected world.