Passwords: security, vulnerability and constraints

What is a password?

A password is a secret linked to an identity. Authentication combines two kinds of element: what we own (a bank card, badge, telephone, fingerprint) and what we know (a password or code).

Passwords are very widely used: for computers, telephones and banking. The simplest form is the numerical code (PIN), with 4 to 6 digits. Smartphones, for instance, use two PIN codes: one to unlock the device, and another associated with the SIM card, to access the network. Passwords are most commonly associated with internet services (email, social networks, e-commerce, etc.).

Today, in practical terms, identity is linked to an email address, which a website uses to identify a person. The password is a secret known to both the server and the user, making it possible to “prove” to the server that the identity provided is authentic. Since an email address is often public, knowing the address is not enough to authenticate a user; the password acts as a lock on this identity. Consequently, passwords are stored on the websites we log in to.

What is the risk associated with this password?

The main risk is password theft, through which the associated identity is stolen. A password must be kept hidden so that it remains secret, preventing identity theft when incidents occur, such as the theft of Yahoo usernames.

A website therefore does not (or should not) store passwords directly. It uses a hash function to compute a digest (the “footprint” of the password), such as the bcrypt function that Facebook uses. Given the password, computing the digest and checking that it matches is very easy. Conversely, recovering the password from the digest alone is mathematically very hard.

Recovering a password from its digest

Unfortunately, technological progress has made brute-force password search tools such as “John the Ripper” extremely effective. As a result, an attacker who obtains the digests can recover many passwords fairly easily.
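As an added illustration (not code from the article), here is how a site stores a password as a salted, deliberately slow digest and later verifies it, which is the mechanism the previous section describes. PBKDF2-HMAC-SHA256 from Python's standard library stands in for bcrypt, which the article mentions; the iteration count, salt length and sample passwords are constructed values. The last function shows why the slow function matters for the brute-force search just discussed: every candidate an attacker tests against a stolen digest costs one full evaluation, many thousands of times more than a plain SHA-256.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Assumption: PBKDF2-HMAC-SHA256 stands in for bcrypt; both are slow, salted
# password-hashing functions. The iteration count is a constructed value.
ITERATIONS = 200_000
SALT_LEN = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a storable record "iterations$salt$digest" (hex-encoded)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    iterations_s, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations_s)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def same_password_different_records(password: str) -> bool:
    """Two users with the same password get different stored records (salt)."""
    return hash_password(password) != hash_password(password)


def cost_ratio(password: str = "constructed-example") -> float:
    """Rough ratio: time of one PBKDF2 evaluation vs one plain SHA-256.
    This is the whole point of a slow hash: each guess costs the attacker
    (and the server) this many times more than a fast hash would."""
    pw = password.encode("utf-8")
    salt = b"constructed-salt"
    reps = 2000
    t0 = time.perf_counter()
    for _ in range(reps):
        hashlib.sha256(salt + pw).digest()
    fast = time.perf_counter() - t0
    t0 = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", pw, salt, ITERATIONS)
    slow = time.perf_counter() - t0
    return slow / (fast / reps)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong guess", record))                   # False
    print(f"one slow digest costs about {cost_ratio():.0f} x one SHA-256")
```

The stored record carries its own salt and iteration count, so the site can raise the cost later for new passwords without breaking old ones; the constant-time comparison avoids leaking how many bytes of a guess matched.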

An attacker can also capture passwords directly, for example by tricking the user. Social engineering (phishing) leads users to connect to a website that imitates the one they intended to reach, allowing the attacker to steal their login information (email and password).

Many services (social networks, shops, banks) require users to identify and authenticate themselves. It is important to be sure that we are connecting to the right website and that the connection is encrypted (the padlock or green colour in the browser address bar) to prevent these passwords from being compromised.
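The two checks just described (right website, encrypted connection) can be made mechanical. The following is an added example, not code from the article: it classifies a link before credentials are typed into it, using only the URL parser in Python's standard library. The expected host and the sample links are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed for this example: the site the user means to log in to.
EXPECTED_HOST = "bank.example"


def check_login_url(url: str, expected_host: str = EXPECTED_HOST) -> str:
    """Classify a link before entering credentials on it.
    Returns "ok", "not encrypted" or "wrong host"."""
    parts = urlsplit(url)
    # urlsplit's hostname drops any "user@" prefix, so the classic trick of
    # writing "https://bank.example@attacker.test/" resolves to attacker.test.
    host = (parts.hostname or "").lower().rstrip(".")
    expected = expected_host.lower()
    if parts.scheme != "https":
        return "not encrypted"
    # Exact match or a genuine subdomain. The comparison must respect the
    # label boundary, otherwise "bank.example.attacker.test" would pass.
    if host == expected or host.endswith("." + expected):
        return "ok"
    return "wrong host"


# Constructed sample links, in the style of those received by email.
SAMPLES = {
    "https://bank.example/login": "ok",
    "https://www.bank.example/login": "ok",
    "http://bank.example/login": "not encrypted",
    "https://bank.example.login-verify.test/": "wrong host",
    "https://bank.example@attacker.test/": "wrong host",
    "https://bank-example.test/login": "wrong host",
    "https://attacker.test/bank.example/login": "wrong host",
}


def run_samples() -> dict:
    """Classify every sample link; each value should equal the expected label."""
    return {url: check_login_url(url) for url in SAMPLES}


if __name__ == "__main__":
    for url, verdict in run_samples().items():
        print(f"{verdict:14s} {url}")
```

A string comparison like this does not catch look-alike characters in internationalised domain names; the browser's certificate validation remains the authority on whether the site really is the one named in the address bar, which is what the padlock indicates.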

Can we protect ourselves, and how?

For a long time, the main risk came from sharing computers, so writing your password on a post-it note stuck to the desk was prohibited. Today, in many environments, this is actually a pragmatic and effective way of keeping the secret.

The main risk today stems from the fact that an email address is associated with all of these passwords. This universal username is therefore extremely sensitive, and a natural target for hackers. It is important to identify all the means an email service provider offers to protect this address and the connection to it. These mechanisms can include a code sent by SMS to a mobile phone, a recovery email address, pre-printed one-time-use codes, etc. They control access to your email account, alert you to attempts to compromise it, and help you regain access if you lose your password.

For personal use

Another danger is the reuse of one password on several websites. Attacks on websites are very common, and their levels of protection vary greatly. Reusing one password on several websites therefore significantly increases the risk of it being compromised. Current best practice is therefore to use a password manager, or digital safe (such as KeePass or Password Safe, both free and open-source software), to store a different password for each website.

The automatic password generation feature offered by these managers provides passwords that are much harder to guess. This greatly simplifies what users need to remember and significantly improves security.
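What a manager's generator actually does is draw each character uniformly from a cryptographically secure random source, which is what makes the result hard to guess. The following is an added example, not code from the article or from any particular password manager: it generates such a password with Python's `secrets` module and reports its entropy (length times log2 of the alphabet size). The alphabet and the policy thresholds are constructed assumptions.

```python
import math
import secrets
import string

# Constructed alphabet: the 94 printable ASCII characters excluding space.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size).
    A 16-character password over 94 symbols is about 105 bits."""
    return length * math.log2(alphabet_size)


def meets_policy(password: str, min_length: int = 12) -> bool:
    """Constructed policy: minimum length and one character of each class."""
    return len(password) >= min_length and all(
        any(c in cls for c in password) for cls in CLASSES
    )


def generate_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Uniformly random password from the CSPRNG behind `secrets`.
    Candidates lacking a character class are rejected and redrawn, so the
    result satisfies the usual 'mix of characters' rule without the bias
    that 'pick one of each, then fill' constructions introduce."""
    if length < len(CLASSES):
        raise ValueError("length too short to contain every character class")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate, min_length=length):
            return candidate


if __name__ == "__main__":
    pw = generate_password(16)
    print(pw, f"({entropy_bits(len(pw)):.1f} bits)")
```

The entropy figure is what matters for resistance to the search tools described earlier: each extra character over a 94-symbol alphabet multiplies the attacker's work by 94, independently of whether the characters "look" random.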

It is also good to keep the database on a flash drive and to back it up frequently. There are also cloud password management solutions. Personally, I do not use them, because I want to be able to maintain control of the technology. That could prevent me, for example, from using a smartphone in certain environments.

For professionals

Changing passwords frequently is often mandatory in the professional world. It is often seen as a constraint, amplified by requirements on length and variety of characters, the prohibition on reusing old passwords, etc. Experience has shown that too many constraints lead users to choose less secure passwords.

Using an authentication token (smart card, USB token, OTP, etc.) is recommended. At limited cost, this offers a significant level of security and additional services such as remote access, email and document signing, and protection of intranet services.

Important reminders to avoid password theft or limit its impact

Passwords, associated with email addresses, are a critical element of internet services. Currently, the two key precautions recommended for safe use are to have one password per service (if possible generated randomly and kept in a digital safe) and to secure sensitive services such as email accounts and login information (by using the protective measures these services provide, including two-factor authentication via SMS or recovery codes, and remaining vigilant if any abnormality is detected). You can find more recommendations on the ANSSI website.

Hervé Debar, Head of the Telecommunications Networks and Services department at Télécom SudParis, Télécom SudParis – Institut Mines-Télécom, Université Paris-Saclay

The original version of this article was published in French on The Conversation France.