My stance on passwords is well known – “Passwords are secure, people managing them aren’t.” Whenever I make this claim, some computer security pundits vehemently disagree with me. They bring up technologies like PKI, digital certificates, and all the advanced hardware technology, encryption algorithms and infrastructure. Their arguments are true, but why is all this advanced security technology needed? Answer: to protect the cryptographic keys.
PKI is a relatively recent comprehensive and complex infrastructure of hardware, software, policies and relationships that uses symmetric, asymmetric and hashing algorithm to manage digital certificates and establish trust within a computer network. Passwords on the other hand have been around for centuries. They date back to ancient Greece and Alexander the Great. The principles around passwords are relatively simple. One: at least two parties share the same secret, and two: there is a perception that passwords are human generated codes, while encryption/decryption keys require complex mathematical algorithms. Let’s face it, passwords are not sexy to most geeks. However, is a password really so different from either a symmetric or asymmetric key?
To a computer, a key is a series of zeroes and ones used to authenticate knowledge of a secret to complete a requested task. To a computer, a password is a series of zeroes and ones used to authenticate knowledge of a secret to complete a requested task. Wait a minute; both a password and a key are the same thing? Yes, they are … to a computer. I will go even one-step further in saying that if a password is securely generated and at least 32-characters long (256-bits), it is a symmetric key. To add a little controversy, all keys are glorified passwords.
Who Manages the Password?
Both symmetric and asymmetric encryption developers have gone to great lengths to generate non-reversible keys. Whether they use XOR bits, calculate the logarithm of a prime number, reflect off an elliptic curve, or run a True Random Number Generator (TRNG), it all comes down to the same result: a computer generated string of zeroes and ones. What makes this string of bits manageable is that humans don’t have remember or type anything. They are stored in a Secure Access Module (SAM), smartcard or Hardware Security Module (HSM).
In the past, passwords were regarded as something a human had to generate and remember. People are terrible with security. As Leroy Jethro Gibbs rule #4 states, “The best way to keep a secret? Keep it to yourself. Second best? Tell one other person – if you must. There is no third best.” Removing the human element greatly improves security.
In my many years of computer, password and application security, I have never met a single person who just loved their password and wouldn’t change it for a $1 million dollars. At best, they like a password that they can remember. Therefore, the first brick to knock down is having computers generate really long, complex passwords which the user does not have to remember or type. Like keys, passwords can also be securely stored in a SAM, smartcard or HSM.
How are Passwords Protected
In my next blog of this series, I’ll discuss if keys really are that secure. But for now, let’s assume they are very secure. The security industry invested a lot of time and money to development solutions to keep keys secure. While at the same time, many ignored password security because it might not have been considered new and sexy. Here are just some of the security technologies used to protect keys:
- Hardware security modules
- Encryption algorithms
- Hashing functions
- Secure Access Modules
- Secure Socket Layers (SSL)
- User authentication by means of a trusted third party (certificate authorities)
- Removal of the human element
In the past and too often today, password data files go unprotected or have just the bare minimum. They might get some encryption or a simple hash, but all the password thefts you read about in the press highlight the problem: IT is doing a very poor job at protecting password files. Stolen password files have nothing to do with using passwords as a secure protocol. They have everything to do with poor network security. If keys were given the same level of network security as passwords, we would find the same articles about private keys being stolen. So, I’ll ask the question, What would happen to the security of passwords if the same components used to protect keys were used to protect passwords? Passwords would be secure!
A secure password management system would include many of the same technologies as mentioned above. What should also be added are:
- Multi-factor authentication
- Secure Socket Layer
- Challenge – Response
- Salting hash functions
- Symmetric encryption of all files
- No cache of passwords
The news has been abuzz this year about the different companies having their password database breached and stolen leaving billions of people’s online accounts at risk. Reading these articles, you might conclude that passwords are not a viable security protocol. But in reality, all these breaches are the fault of very weak network security and monitoring. Passwords, along with other data files, are the victims of inadequate security. Bruce Schneier once said, “Security is easy to design poorly, but difficult to design correctly.” Weak passwords are a user management issue. Stolen passwords are an IT management issue.
From the computer’s perspective, a password is no different from symmetric and asymmetric keys. What makes keys seem more secure is their management, infrastructure and the technology used to safeguard them from theft. When these same principles are implemented around password security, then your security is vastly improved and at a fraction of the cost of these other solutions.
This is the first in a series of blog posts where I justify why passwords are secure, but their management isn’t. The next blog discusses, Why a Private Key is Like a Password.