“Passwords Evolved: Authentication Guidance for the Modern Era”
TroyHunt.com, July 26, 2017
By Troy Hunt
“Authentication Should be More Than a Binary State.”
In the beginning, things were simple: you had two strings (a username and a password) and if someone knew both of them, they could log in. Easy.
But the ecosystem in which they were used was simple too, for example in MIT’s Time-Sharing Computer, considered to be the first computer system to use passwords.
We’re talking back in the ’60s here, so a fair bit has happened since then. Up until the last couple of decades, we had a small number of accounts and very limited connectivity, which made for a pretty simple threat landscape. Your “adversaries” were those in the immediate vicinity, that is, people who could gain direct physical access to the system. Over time that extended to remote users who could dial in – I mean literally dial in via phone – and that threat landscape grew. You pretty much know the story from here: more connectivity, more accounts, more threat actors and, particularly in recent years, more data breaches. Suddenly, the simple premise of matching strings no longer seems like such a good idea.
A couple of months ago I wrote about Password reuse, credential stuffing and another billion records in Have I been pwned (HIBP). Here we have a situation where there’s a 10-figure number of credentials sitting there waiting for evildoers to start testing them against any site of their choosing, and that presents a very interesting challenge: how do we defend against this? I mean, you’re trying to run your online system and someone has valid credentials for some of your users; how are you going to stop them from getting in? The simple string matching of the ’60s just isn’t going to cut it.
There’s a lot more to how authentication has evolved than just the rise and rise of credential stuffing, though; many other aspects of how we log on to systems have also changed. In some cases, this has led to once-held “truths” about how we create and manage accounts being totally flipped on their head, yet we still see modern organisations applying the patterns of yesterday to the threats of today. This post sets out to address this gap and talk about how we should be designing this critical part of our systems today. My hope is that in times where a company says “we’re doing this screwy thing because security”, this post becomes the resource that well-wishers direct them to.
Here’s the bigger picture of what all this guidance from governments and tech companies alike is recognising: security is increasingly about a composition of controls which, when combined, improve the overall security posture of a service. What you’ll see across this post is a collection of recommendations which all help contribute to a more robust solution by virtue of complementing one another. That may mean that individual recommendations such as dropping complexity requirements look odd, but when you consider the way humans tended to deal with that (they’d just choose bad passwords with a combination of character types) alongside guidance such as blocking previously breached passwords, things start to make a lot more sense.
About the Author:
I’m Troy Hunt, an Australian Microsoft Regional Director and Microsoft Most Valuable Professional for Developer Security. I don’t work for Microsoft, but they’re kind enough to recognise my community contributions by way of their award programs which I’ve been a part of since 2011. You’ll regularly find me in the press talking about security and even testifying before US Congress on the impact of data breaches. I’m a Pluralsight author of many top-rating courses on web security and other technologies with more than 30 courses published to date. One of the key projects I’m involved in today is Have I Been Pwned (HIBP), a free service that aggregates data breaches and helps people establish if they’ve been impacted by malicious activity on the web. I regularly speak around the world and run developer-focused security workshops. You’ll regularly find me at major technology events.
- National Institute of Standards and Technology (NIST) – Digital Identity Guidelines
The Special Publication (SP) 800-63 suite provides technical requirements for federal agencies implementing digital identity services. The publication includes: an overview of identity frameworks; using authenticators, credentials, and assertions in a digital system; and a risk-based process to select assurance levels. Organizations have the flexibility to choose the appropriate assurance level for their needs. SP 800-63 comprises a suite of documents that can be used independently or in concert to meet identity needs.
- Microsoft Password Guidance (PDF) – Microsoft Identity Protection Team
- National Cyber Security Centre (United Kingdom) – Password administration for system owners. Password strategies that can help your organisation remain secure.
- OWASP (Open Web Application Security Project) – Password Storage Cheat Sheet
- Dropbox.tech – How Dropbox securely stores your passwords
- TroyHunt.com – Have I Been Pwned (HIBP)
- TroyHunt.com – Pwned Passwords
Pwned Passwords are 613,584,246 real world passwords previously exposed in data breaches. This exposure makes them unsuitable for ongoing use as they’re at much greater risk of being used to take over other accounts.
- TroyHunt.com – Introducing 306 Million Freely Downloadable Pwned Passwords
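The “composition of controls” argument above (drop character-class complexity rules, but block previously breached passwords) and the Pwned Passwords list it relies on, shown as an added example that is not code from the original post or from HIBP. The breached-password sample is constructed; the prefix-partitioned index is an assumed local stand-in for the real corpus of SHA-1 hashes.

```python
import hashlib

# Constructed sample standing in for the Pwned Passwords corpus; the real
# list holds hundreds of millions of SHA-1 hashes of breached passwords.
_BREACHED_SAMPLE = ["password", "123456", "qwerty", "P@ssw0rd!", "letmein"]


def sha1_upper(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form breached lists are keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords):
    """Group breached hashes by their first 5 hex characters so a lookup only
    needs the prefix to fetch a bucket, then matches the remaining suffix locally.
    (Assumed layout for this example, not the HIBP data format itself.)"""
    index = {}
    for pw in passwords:
        h = sha1_upper(pw)
        index.setdefault(h[:5], set()).add(h[5:])
    return index


BREACHED_INDEX = build_range_index(_BREACHED_SAMPLE)


def is_breached(password: str, index=BREACHED_INDEX) -> bool:
    """True if the password's SHA-1 appears in the breached-hash index."""
    h = sha1_upper(password)
    return h[5:] in index.get(h[:5], set())


def check_password(password: str, min_length: int = 8):
    """Return (accepted, reason). Enforces a minimum length and rejects known
    breached passwords; deliberately imposes no upper/lower/digit/symbol rule,
    since a 'complex' password that is already in a breach list is still weak."""
    if len(password) < min_length:
        return False, "too short"
    if is_breached(password):
        return False, "previously breached"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["P@ssw0rd!", "short", "correct horse battery staple"]:
        print(candidate, "->", check_password(candidate))
```

Note that "P@ssw0rd!" passes every classic complexity rule yet is rejected, while a long passphrase with no symbols is accepted.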