"Open Sesame!" Encryptions, passwords, secret phrases and codes have a long and fascinating history. We know them not only from stories and fairy tales like Harry Potter, "Ali Baba and the 40 Robbers" or the stories from 1001 Nights.
Wherever there is a desire for access control, the password comes into play: the military, secret societies, terrorist cells and others have resorted to it and continue to do so. Today, we use it to protect online accounts, email inboxes, social media profiles, cloud storage containing personal pictures, memories and sensitive information, as well as stored online store data. Passwords to these treasures are highly sought after. Therefore, we should pay our attention to them and heed some advice that is sometimes easier said than done. Marco Squarcina, expert in internet security, gives his opinion on the subject of passwords in this interview:
Q: Does the password still represent the best protection for our data?
Marco Squarcina: Let's take two steps back. By protecting data, we usually refer to the process of encryption. Encryption algorithms are mathematical transformations of an input (plaintext) into an output (ciphertext) using a secret encryption key. Users can only recover the plaintext from the ciphertext if they have the corresponding key. Cryptographic keys are long sequences of bits that computers can easily handle, unlike humans. Just imagine being forced to write thousands of 1s and 0s every time you access the encrypted pictures stored in the cloud!
That's where passwords come into play: from a sequence of letters, numbers, and symbols, it is possible to derive a cryptographic key to encrypt our sensitive information. Hence, passwords are not the best way to protect our data. They are instead an expedient that enables humans to generate encryption keys. Additionally, passwords allow authentication systems to confirm a user's identity via authentication protocols, sequences of messages that involve transforming the provided password using cryptographic functions.
Passwords are so deeply rooted in our online lives that all websites support them as an authentication factor. Even encrypted cloud storage services depend on passwords and do not typically allow users to specify their own cryptographic keys. No matter if they're the best or not, passwords are here to stay for several more years.
Q: What are your main tips for choosing the right password. Moreover, managing our countless passwords is increasingly difficult. What can we do to keep track of them and still protect ourselves?
Marco Squarcina: Contrary to popular belief, the most secure passwords are not the result of enforcing a complex policy during the password validation process. When presented with rules like "the password must contain at least 2 digits, 1 uppercase letter, and a symbol", users typically follow predictable patterns that reduce the security of the chosen password (see also: https://www.troyhunt.com/science-of-password-selection/, opens an external URL in a new window).
The US National Institute of Standards and Technology, opens an external URL in a new window recommends passwords to be at least eight characters long and not be part of a previous data breach (https://pages.nist.gov/800-63-3/sp800-63b.html, opens an external URL in a new window). In reality, secure passwords should be way longer and generated randomly. To make a simple comparison: if we take lowercase and uppercase letters from the English alphabet, plus numbers, and we set the size of the password to 50, guessing the correct password would be more challenging than picking a specific atom among all the particles in the Universe!
Passwords must also be unique: each account should have an associated password that is not reused anywhere else. This practice prevents the risk of a credential stuffing attack, opens an external URL in a new window, which uses leaked passwords from one website to hack accounts on another. The best way to have long, randomly generated, and unique passwords, is to use one of the popular password managers available. Password managers use encryption to securely store credentials, unlocking and making their content accessible to the user by providing a single password. Popular browsers now ship with integrated password managers that allow synchronizing passwords across multiple devices, like your laptop and smartphone.
Q: What will be the future of the password? Will it be replaced by fingerprints, iris scans or facial recognition – and if so, when will that future happen?
Marco Squarcina: It's already happening. Take a modern iPhone, for instance: technologies like Apple Touch ID and Face ID enable users to authenticate using fingerprints and facial recognition with their devices. Although it's possible to use biometric authentication factors even on the web, relying solely on them is not a great idea. Fingerprints, for instance, are reasonably easy to clone (see also: https://arstechnica.com/information-technology/2020/04/attackers-can-bypass-fingerprint-authentication-with-an-80-success-rate/, opens an external URL in a new window). Biometric authentication systems can be bypassed if the victim is sleeping or unconscious (see also: https://www.forbes.com/sites/daveywinder/2019/08/10/apples-iphone-faceid-hacked-in-less-than-120-seconds/, opens an external URL in a new window). Face masks also prevent facial recognition systems from working correctly. Biometric features are also not guaranteed to persist over time due to several factors, including aging and injuries.
Despite the shortcomings, biometric features can be combined with passwords to significantly improve the robustness of traditional authentication systems. These are the so-called multi-factor authentication schemes (MFA), requiring more than one factor for successful authentication. The three authentication factors are:
- something that you know (password),
- something that you have (security token),
- something that you are (fingerprint).
Q: That said, what does it mean if our biometric data is hacked? Passwords can be changed, biometric data cannot.
Marco Squarcina: Excellent question. Indeed, theft of biometric data exposes victims to various issues, including identity fraud. For this reason, biometric data for authentication must be stored in a way that is only usable for verification. That means a mathematical representation that a malicious entity cannot overturn to recover the original biometric features. Moreover, the misuse of biometrics, fingerprints, iris and facial scans, etc. poses a serious privacy threat. While traditional web tracking mechanisms collect and share information about the activities of a user, biometrics provide the link to unequivocally reveal the identity of a person behind an account. For all these reasons, concern over biometric authentication is justified. Users should be careful when enabling it despite the apparent usability advantages.
Q: A final question: what is your personal approach to passwords?
Marco Squarcina: A good password policy is an art of balancing security, usability, and privacy, depending on one's priorities. As such, there isn't a single recipe that works for everybody.
I use the password manager integrated in my browser to synchronize passwords on my three devices (laptop, personal computer at home and smartphone). By doing so, I only need to remember the password to unlock the password manager to recover the credentials of the majority of my accounts. Needless to say, each account has its own randomly generated password, longer than 20 characters, that would be impossible for me to memorize. On websites that support MFA, I use a security token as an additional security measure. I maintain a secondary password manager for critical services where I even store information about credit cards, PIN codes, and other sensitive data.
Some people find it convenient to use single sign-on systems (SSO) to authenticate on a website like example.com via an identity provider such as Facebook or Google. This practice has the advantage of avoiding the creation of an additional pair of username and password at example.com, while relying on robust authentication at Google. Despite the benefits, SSO solutions have some drawbacks too. Suppose the identity provider is suffering an outage. In that case, users could be locked out of their accounts, as it recently happened only two months ago at Facebook (see: https://www.theverge.com/2021/10/4/22708989/instagram-facebook-outage-messenger-whatsapp-error, opens an external URL in a new window). Additionally, the identity provider can access the user's navigation history on connected websites, representing a privacy risk. For these reasons, I always try to decouple websites as much as possible by avoiding unnecessary SSO links.
Thank you for the interview!
Note: You can check whether your passwords are secure at https://haveibeenpwned.com/Passwords, opens an external URL in a new window but refrain from using these services if you don't know what you're doing. NEVER send your password, credit card, or any other personally identifiable information to random websites to verify whether they are part of a data breach.
Marco Squarcina is a university assistant (postdoc) at TU Wien, which he joined at the end of 2018 after receiving his PhD in Computer Science at Ca’ Foscari University of Venice, opens an external URL in a new window. His research interests focus on Web security, and his results are regularly published in top-tier security venues. As a long-standing participant in the renowned worldwide hacking competitions, he recently collaborated with the European Union Agency for Cybersecur, opens an external URL in a new windowity (ENISA) to provide advanced training for young talents. Marco is currently teaching several security-related courses at TU Wien, and he is among the coordinators of the local academic hacking team (https://w0y.at/, opens an external URL in a new window).
On his Twitter account, opens an external URL in a new window, Marco Squarcina shares news on cybersecurity, among other topics.