Authenticating humans to computers remains a notable weak point in computer security despite decades of effort. Although businesses and scientists have explored dozens of proposals for replacing or strengthening passwords, they appear likely to remain entrenched as the standard mechanism of human-computer authentication for years to come.
Today's businesses frequently enforce security of an authentication process using a password policy. Most password policies are based on the simple mathematics of brute force password attacks. A brute force attack is a simple means of breaking a password by trying every possible combination of input. When defending against this approach the security of the password is given by two factors: the length of the password and the size of the alphabet used for password symbols. The difficulty of such an attack experiences combinatorial growth – a rate of increase far larger than the popular exponential growth - as the length of the password increases.
The figure below illustrates the relationship between the time taken to brute force a password and the length of a password when brute force techniques are applied to the 2012 LinkedIn breach. Applying more computing power only allows for a modest improvement; moving from a low cost laptop to a modern super computer, equivalent to three generations of technological advancement, only increases from five to eight the length of passwords that can effectively be attacked.
So seemingly, a password need only exceed eight characters to be safe for a generation. However, hackers today do not employ brute force attacks and instead cut down the space of possible passwords to be tested dramatically by relying on the limitations of our memories. Acclaimed research by Joseph Bonneau (1) introduced a comprehensive mathematical framework modelling human choice as a skewed probability distribution. Essentially, this research shows that if you construct a password that you can feasibly remember, a computer can guess it. He concludes that "It’s […] possible that humans are inherently unable to collectively produce a strong distribution of secrets even when strongly motivated."
Quite simply, for users to be able to remember passwords they do not take the form of high entropy random strings, but consist of words, dates, keyboard/touchpad layouts and similar patterns. While these might seem diverse, studies have shown that they frequently build on simple psychological cues. For example, in studies of the LinkedIn password breach, a website which uses extensive blue colouring, many passwords which are commonly associated with the colour blue, for example ocean, were more prevalent than average. Similarly, the passwords used on a hacked dating website, militarysingles.com, made extensive use of military slang. These phycology-based approaches are now automated in widely used hacking tools, once again highlighting the maxim that today's top-secret programs become tomorrow's PhD theses and the next day's hacker tools.
Overall, the difficulty in brute forcing passwords only tells us where the lower limit, at which passwords provide no security at all, lies today, which is in the five to eight character range, dictated only by whether a hacker is willing to spend 10 or a 100 dollars on the attack. In many ways, the rise of computing power and artificial intelligence has made passwords obsolete. It is essential though that when human-chosen secrets must be used security engineers understand the cost of guessing attacks and design layers of resilience to survive them and never assume user behaviour can be approximated as a random choice from a fixed set of possibilities.
Effective authentication mechanisms should rely on the presentation of multiple independent pieces of evidence; traditionally the independent domains from which this evidence should be drawn are something the user knows (e.g. a password), something the user possesses (e.g. a smartcard) or something the user is (e.g. a fingerprint). While each individual piece of evidence can be faked, the burden for an attacker rises substantially when a requirement is made for multiple pieces of evidence - or authentication factors as they are commonly known. For most companies the transition to multi-factor authentication rarely requires a significant investment as employees already have passwords, smartcards and fingers. By combining two or more of these, companies gain far more confidence that the users of systems are indeed who they claim to be.
More generally, the rapid obsolescence of passwords since their introduction around 50 years ago illustrates how the fundamental problems of security often involve technical components, but are at their heart about the nature of people themselves and our relationship with technology.
KPMG P/S, Dampfærgevej 28, 2100 København Ø, Tel: +45 7070 7760, CVR no. 25578198
KPMG Acor Tax P/S, Tuborg Havnevej 18, 2900 Hellerup, Tel: +45 3945 1700, CVR no. 34082200
© 2021 KPMG P/S and KPMG Acor Tax P/S, both entities being Danish limited liability partnerships and member firms of the KPMG global organisation of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved.
For more details about the structure of the KPMG global organisation please visit https://home.kpmg/governance.