The first Thursday in May marks an observance introduced in 2013 to raise awareness of the conscious use of passwords. Eleven years after its introduction, we ask whether it is still relevant. 

Passwords are a constant presence in our lives. Study, work, leisure, shopping, household management and more all require a digital identity and a password to protect our personal data, and for exactly that reason they inherit all the problems and difficulties that passwords bring with them. 

According to current statistics, each person has to manage on average about a hundred passwords, which should all be different, long, complex and therefore impossible to remember. As a result, everyone ends up building his or her own password from words, phrases, dates or personal information and reuses it whenever a new service requires registration. 

In 2013, with the aim of raising people’s awareness of a conscious use of their passwords, leveraging elements such as complexity and frequency of updating, Intel established a new worldwide observance called “World Password Day.” 

After a decade of technological, historical and geopolitical change, it is fair to ask whether it is still useful to proceed on the path of awareness or whether it is time to adopt alternative solutions. 

 

INTRODUCTION 

Although they know the risks, few people use complex passwords and change them frequently. In 2005 Mark BURNETT, an IT security expert, suggested that every digital user should have their own “password days,” that is, days dedicated to updating their passwords. 

The idea, reported in his book “Perfect Passwords,” inspired companies such as Intel to create a worldwide observance, called “World Password Day,” which has been held on the first Thursday in May since 2013. The idea behind the observance is to persuade people to change frequently the passwords of e-mail and social media accounts and of all the other identities meant to protect our personal information. 

In this article, after a short review of the history of the password, we reflect on the relevance of the idea behind “World Password Day” and on alternative scenarios. 

 

HISTORY OF THE DIGITAL AUTHENTICATION 

  • 1961. At MIT, the Compatible Time-Sharing System (CTSS) is designed to be shared by different users, and for the first time the problem arises of identifying and certifying the identity of the person at the terminal. Hence the idea of issuing a distinct login credential (username and password) to each user, which gives birth to the concept of “authentication”. Despite all the recommendations given to users about handling their credentials carefully and keeping them secret, the first leak follows soon afterwards: in 1962 a researcher simply requested a printout of the whole password file in order to obtain more computing time, so the very first password system was also the first to be compromised.

 

  • 1979. Robert MORRIS and Ken THOMPSON publish “Password Security: A Case History,” showing that a large share of Unix passwords could be guessed from dictionaries and personal information far more cheaply than by attacking the cipher itself (the same paper introduced salting). Two aspects of that research are still valid today: a technical one, which identifies the password as one of the weakest points of the system, and a psychological one, the tendency of the human mind to pick names, dates or personal data because they are easier to remember.

 

  • 1980s and 1990s. Alternatives to the traditional password begin to be discussed, with the introduction of the OTP (One-Time Password).

 

  • 1986. Two-factor authentication with a hardware token (the SecurID token) is used for the first time. It will take two or three more decades for the model to be adopted in services for the general public.

 

  • 2013. Promoted by Intel, “World Password Day” is introduced: since then the first Thursday in May has been devoted to making people aware of how they use their login credentials.

 

  • 2014. The FIDO (Fast IDentity Online) Alliance publishes the first version of its specifications (UAF 1.0 and U2F 1.0), standardizing a hardware-based second factor.

 

  • 2015. The FIDO Alliance submits its specifications to the W3C; the joint work produces, in 2018, FIDO2 (WebAuthn and CTAP), the first standard that makes a procedure without passwords official.

 

HOW SAFE OUR INFORMATION IS UNDER CURRENT PASSWORD POLICIES 

When World Password Day was introduced in 2013, the goal was to persuade people to use complex passwords and update them frequently. At that time the recommendation was followed almost exclusively by companies that needed to secure their data; only over time, and with the spread of web services, did more advanced users adopt the same behavior. In the meantime, however, both the computing power available to the public and the attack techniques have grown exponentially, quickly making vulnerable solutions that were previously considered secure. 

In recent years we have also seen how other factors, such as geopolitical (interstate espionage) and war (not cold) scenarios, contribute to the proliferation of hacker groups that are directly supported by governments and have economic and computational resources at their disposal with no equal in the past. 

There are many methods used to steal passwords, but in most cases they rely on human error. Let’s summarize the most common: 

  • Social engineering: through e-mails or phishing messages users are persuaded to hand over their passwords. In practice it is the user who is deceived and gives the password to whoever asks for it, via messages, e-mails or fake websites that imitate a site we are familiar with. Besides phishing and smishing (via SMS), vishing has also become popular lately: phone calls, similar to those of call centers, that rush the victim into a decision with alarmist messages. The same goes for crypto scams (with the promise of easy money) and romance scams (love promises through dating sites); 

 

  • User information: very often we use personal information such as names, dates of birth or other references that can easily be guessed or deduced from social networks, all the more so if the victim is a well-known person. In 2020 Victor GEVERS, a Dutch ethical hacker, reportedly needed only a few attempts to guess the password of Donald TRUMP’s Twitter profile: “maga2020!”, from the “Make America Great Again 2020” campaign slogan. 

 

  • Password reuse: users’ bad habit of reusing the same password on different services is exploited. This mistake makes possible the technique known as “credential stuffing”: the automated submission of username/password pairs that were compromised elsewhere. It is an attack that takes advantage of the huge number of data breaches that have occurred over the years and have produced many databases of stolen credentials, easily found on the dark web. 

Where the techniques above are not applicable, a “brute force” attack is used. With the computing power available to the general public today, an 8-character password made of digits, upper- and lower-case letters and special characters can be recovered in a matter of hours, or even minutes, when the attacker holds a copy of the hash database and the service stored the passwords with a fast, unsalted hash. A slow, salted hashing function (bcrypt, scrypt, Argon2) and a rate limit on online attempts raise the cost by orders of magnitude, but they do nothing against a reused password that the attacker already knows. 
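As an added example (not code from the original article), here is how a defender can spot credential stuffing in authentication logs: one source address cycling through many distinct usernames with mostly failed attempts. The log format, the thresholds and the sample lines are constructed for the example.

```javascript
// Added example (not from the original article): a small credential-stuffing
// detector run over constructed authentication log lines. A stuffing run shows
// up as one source IP trying MANY DISTINCT usernames with a high failure rate,
// the opposite profile of a user who mistypes his own password.
// The log format, the thresholds and the sample data are assumptions.

// Parse one log line of the (assumed) form:
//   2024-05-02T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
function parseLine(line) {
  const m = /^(\S+) ip=(\S+) user=(\S+) result=(OK|FAIL)$/.exec(line.trim());
  if (!m) return null;                      // ignore lines that do not match
  return { ts: m[1], ip: m[2], user: m[3], ok: m[4] === 'OK' };
}

// Aggregate attempts, failures and distinct usernames per source IP.
function summarize(lines) {
  const perIp = new Map();
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev) continue;
    let s = perIp.get(ev.ip);
    if (!s) { s = { attempts: 0, failures: 0, users: new Set() }; perIp.set(ev.ip, s); }
    s.attempts += 1;
    if (!ev.ok) s.failures += 1;
    s.users.add(ev.user);
  }
  return perIp;
}

// Flag IPs that tried at least `minUsers` distinct accounts with a failure
// rate of at least `minFailRate`. Thresholds are assumptions; tune them.
function detectStuffing(lines, { minUsers = 5, minFailRate = 0.8 } = {}) {
  const flagged = [];
  for (const [ip, s] of summarize(lines)) {
    const failRate = s.failures / s.attempts;
    if (s.users.size >= minUsers && failRate >= minFailRate) {
      flagged.push({ ip, distinctUsers: s.users.size, attempts: s.attempts, failRate });
    }
  }
  return flagged.sort((a, b) => b.distinctUsers - a.distinctUsers);
}

// Constructed sample log: 203.0.113.7 sprays breached credentials against six
// accounts (one succeeds: a reused password); 198.51.100.4 is a normal user
// who mistypes his own password twice before logging in.
const SAMPLE_LOG = [
  '2024-05-02T10:00:01Z ip=203.0.113.7 user=alice result=FAIL',
  '2024-05-02T10:00:01Z ip=203.0.113.7 user=bob result=FAIL',
  '2024-05-02T10:00:02Z ip=203.0.113.7 user=carol result=FAIL',
  '2024-05-02T10:00:02Z ip=203.0.113.7 user=dave result=OK',
  '2024-05-02T10:00:03Z ip=203.0.113.7 user=erin result=FAIL',
  '2024-05-02T10:00:03Z ip=203.0.113.7 user=frank result=FAIL',
  '2024-05-02T10:05:00Z ip=198.51.100.4 user=grace result=FAIL',
  '2024-05-02T10:05:10Z ip=198.51.100.4 user=grace result=FAIL',
  '2024-05-02T10:05:20Z ip=198.51.100.4 user=grace result=OK',
  'garbage line that does not parse',
];

console.log(JSON.stringify(detectStuffing(SAMPLE_LOG), null, 2));
```

A user who mistypes his password produces many failures against one username; a stuffing run produces few attempts per username across many accounts, and the occasional success is exactly the reused password. In production the same aggregation would run over a sliding time window and would also key on user agent or ASN, since attackers spread attempts over proxies.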

So what should we do? 

IF WE HAVE TO CONTINUE TO USE PASSWORDS … 

 If we have no alternative to a password to access a service, the best thing to do is to rely on a password manager. There are different types: software installed on the local device, web-based services, and hardware tokens or similar devices. 

In making your choice, rely on common sense and do not simply take the first one suggested. This is often a long-term choice, so spend as much time on it as you think necessary. Finally, if you opt for a cloud service, check whether it has suffered any data breaches over time. 

A password manager stores data (passwords, but also phone numbers, addresses, payment card details, etc.) inside an encrypted vault. 

Access to the vault is protected by a master password (the only one the user needs to remember), a cryptographic key, or multi-factor authentication (MFA, which we explore later in the article). 

Key features that a good personal password manager must have include: 

  • Multi-factor authentication. If we assume that a password is vulnerable, we should avoid entrusting all our credentials to a system that is opened with a single password, especially if it lives in the cloud; 
  • A password generator. Since we have to use random sequences of characters to protect our data, let the password manager produce them. Every good password manager includes a configurable generator that creates a new random credential on demand; in this way even periodic updating becomes a formality; 
  • Availability across devices and platforms. Statistically, each person uses more than three devices on average. Having a tool that works on every device we own is essential, otherwise we end up sharing an unencrypted password with ourselves over insecure channels. 

 

 

IF INSTEAD WE CAN USE ALTERNATIVE SOLUTIONS … 

If the services we register for allow more secure alternatives to passwords, don’t be afraid to adopt them. All the main alternatives use a two-factor or multi-factor model. Let’s analyze the most important ones available on the market today. 

Multi-factor authentication. MFA stands for Multi-Factor Authentication. It differs from traditional username/password authentication because the process requires one or more additional verification elements. 

To qualify as MFA, a process must combine factors of different types. For instance, if a process requires an identifier and two different passwords, or a password plus another piece of information known to the subject (such as the answer to a security question), it does not qualify as multi-factor authentication. 

The types of factors, of which at least two must coexist within an MFA process, are: 

  • Knowledge factor (something you know): an item known to the user, generally the password; 
  • Possession factor (something you have): an object the user owns, such as a mobile phone or a hardware token, with which an information exchange is carried out; 
  • Inherence factor (something you are): a physical characteristic of the user, such as a fingerprint or facial recognition. 

Combining two or more factors reduces the weight of the password within the process because, although vulnerable, knowing it is no longer sufficient to complete the whole process. Let’s explore this with an example. 

First of all, the user must previously have associated a device with the account: the phone number of a mobile device, or the secret key of a TOTP token (Time-based One-Time Password, a code that changes with time and is derived from a secret shared with the service), such as those issued by some banks. 

Given this premise, the authentication phase shows a form where the user identifies himself by entering the ID and the associated password (knowledge factor). Once the credentials are confirmed, the process triggers the next verification step, which requires the entry of a code received via SMS or e-mail, or generated by the associated device (TOTP) (possession factor). A code delivered by SMS or e-mail is the weakest variant of this factor, since it can be intercepted or diverted (SIM swapping, mailbox compromise); an authenticator app or a hardware token is preferable where available. 

Adding this simple verification step raises the security level of the whole process considerably with minimal impact on the user. In addition, the model removes both the need for a complex password and the need to update it frequently, because the password alone no longer allows the process to be completed. 

Although the process may seem solid and invulnerable, the evolution of attack techniques has exposed some flaws that, if properly exploited, can let attackers in. These more advanced techniques are known as SMS-based man-in-the-middle attacks (interception or SIM swapping of the number that receives the code, or a real-time phishing proxy that relays the code to the legitimate site before it expires), supply chain attacks, pass-the-cookie attacks (theft of the session cookie issued after a successful MFA login, which lets the attacker skip MFA entirely) and server-side forgeries. Compared with the techniques used to recover passwords, the complexity and knowledge required to carry out the attack increase, so the model remains preferable to passwords alone. According to Microsoft estimates, in January 2020 alone about 1.2 million accounts were compromised and 99.9% of those breaches would have been prevented by two-factor or multi-factor authentication. 

FIDO2 or Passwordless. In July 2012 an association of the main players in the digital payments and cybersecurity industry, the FIDO Alliance (Fast IDentity Online), was founded with the aim of promoting open authentication specifications that can do without the password. 

The first version of the specifications was released in late 2014. Interest in the new standard was immediate: during 2015 a dedicated program was also created for government agencies, with the participation of the United States, the United Kingdom, Germany and Australia. 

Over the next three years the alliance and the W3C developed the new version of the standard, FIDO2, with the specifications and protocols (WebAuthn for the web API, CTAP for the dialogue between the client and the authenticator) needed to make a secure, password-free authentication process a reality. 

In discussing the MFA model we saw that, on the one hand, the password (the knowledge factor, together with the user ID) becomes a less relevant element of the whole process and, on the other, a new element is introduced that increases the effectiveness of the process: the device. 

Attacks against systems that use MFA show how the attacker intercepts or redirects the communication with the device in order to complete the process. To make the process more secure it is therefore necessary to be certain of the device we are talking to, which is achieved through an exchange of cryptographic keys during the registration/association phase of the device itself. 

In the association phase an asymmetric key pair (public and private) is generated on the device, and the private key never leaves it. The phase is completed by sharing the public key with the service. From then on the service can verify that a message was produced by that device, and by no other, by checking its signature with the public key; the private key, which alone can produce the signature, is never transmitted. 

Let’s explore how the process changes in a passwordless authentication. The user must previously have registered his or her device (a security key, or a phone or computer acting as authenticator). In this phase the key pair is generated and the public key is sent to the service, together with a credential identifier and the identity of the service (the relying party ID) for which that key is valid. 

During the authentication phase the form identifies the subject simply by the user’s identifier, and no longer by the password, which is considered irrelevant and redundant (with discoverable credentials even the identifier can be omitted). The service then sends a random challenge to the user’s device (possession factor), which signs it with the private key only after the user has unlocked the device with a PIN or a biometric factor (user verification). Because the signature also covers the identity of the site that requested it, a phishing site on a different domain cannot obtain a valid signature even by relaying the challenge in real time. 

At the moment this model is considered the most secure, and it is already used to access a number of internet banking sites and to confirm financial transactions. 

 

 

MFA, WHAT TO WATCH OUT FOR 

As mentioned, the MFA model is safe, especially if it is compatible with the FIDO2 specifications, but there are critical aspects to pay attention to. 

We have seen that the device is central to the process, so what happens if we lose it or it is stolen? With an MFA device that is not FIDO2-compatible, whoever holds both the device and the credentials can access our data; having the device but not the credentials does not give the attacker access. 

With a FIDO2 device the level of security is higher because using the credential also requires user verification: a PIN or a biometric factor. 

The problem is that without the device we cannot access our data either. Moreover, with a FIDO2 device even a simple change of device must be handled with care, because the private keys were generated on the old device and, at least for hardware security keys, cannot be exported. So if the device is lost or replaced, the process involves de-registering the old device and registering the new one on every service, which is not always easy or self-manageable. Synced passkeys, which back up the credentials through the platform vendor’s account, mitigate this at the cost of a further dependency on that account. 

Finally, if you use a FIDO2 security key (such as a USB key) as your main authenticator, register at least a second key as a backup and keep the recovery codes where the service provides them. 

 

WHAT THE FUTURE HAS IN STORE FOR US  

New solutions under consideration promise to simplify the user experience further, such as the loginless model that Okta Inc., one of the industry’s leading vendors, is working on. 

The premises are very interesting from a technical point of view. The model involves identifying the subject based on his behavior and a biometric factor (facial recognition, fingerprint, etc.). 

In my opinion the approach is in line with the times but disturbing for two reasons. First, it means that the vendor, which already delivers the authentication system, would add to the set of attributes that qualify the user a pattern of behavior, identified by an algorithm from a set of information designed to define the individual and the way he acts. 

Secondly, I am troubled by the reasoning that led someone to regard such a path as viable. If someone is able to identify us through our daily behavior, it means that our entire life has become a predictable and classifiable pattern. Be careful not to confuse everyday behavior with operations within a network or a system, which many behavioral analytics systems already monitor to protect data: this goes far beyond that. 

 

CONCLUSIONS 

Our life increasingly takes place online, perhaps even too much. The first thing we worry about when we visit a new place is the speed of the connection rather than the beauty of the place. Whether we like it or not, today we cannot do without being connected to the Internet and taking advantage of the services it offers. 

We are like children learning a game without reading the instructions, interested only in playing and never thinking that we might get hurt. We could say that we are back at the beginning of the last century, when illiteracy was widespread and knowing the bare minimum was what it took to survive. 

Today the password is seen as a necessary evil, without considering that it is often the only tool protecting our data and privacy. Our interest is in making everything easier, and no one seems to realize that the password has run its course: the level of security it provides is no longer adequate for the digital world we live in, and will be less and less so. 

The first step is digital culture. It is not necessary to be a “graduate” in authentication, but to know the topics, even in general terms, in order to be aware of the dangers to watch out for. 

Remember that the first weak point in the whole process is the user, whose behavior is often dictated by inexperience or lack of knowledge. 

Finally, if we care about the security of our data, it is time to adopt more effective authentication models. And if the services we are offered do not support the new standards, we should consider whether it is really worth sharing our data with those who do not give us adequate guarantees. 

Is it right, then, to observe “World Password Day”? My view is that the time has come to update the goals, and therefore the name, of the observance to “World Digital Culture Day,” to promote and spread digital competence and make people aware of the risks they expose themselves to through careless or unaware behavior. 

Mauro Bossi
Digital Identity Business Line, Innovery