Requiem for the Password

BSides Huntsville · 2021 · 45:36 · 18 views · Published 2021-02 · Watch on YouTube ↗

About this talk
Requiem for the Password. Topics include: the history of password usage; the modern consensus about passwords; the sad reality, or "there ought to be a name for doing the same thing over and over again and expecting different results"; emerging password theory, including "forget complexity"; and alternatives to passwords.

Transcript [en]

All right, next up we have Mr. Stephen Kirby. He's going to present to us "Requiem for the Password." His bio is: he is a security engineer for BrightSpring Health Services in Louisville, Kentucky, and he has been involved in technology since the late 1980s, but whenever he's not working he would rather fish for some bass. So, Mr. Kirby, go ahead and take the floor.

Thank you, Trenton. Yeah, I'm Steve Kirby from Louisville, Kentucky, and I'm glad to talk to you all this afternoon about passwords and their role in security and how that's going to be changing in the relatively near future.

As Trenton said, I've been around for a while. Once upon a time I was a graduate student in history, way back when, became a reference librarian, and stumbled into technology in the late 1980s working in libraries. We first set up a local area network to share CD-ROM databases, back when that was still a novel thing to do. We were using a product that ran under DOS, so that tells you that has been a while, and stumbled into Novell NetWare a little bit later than that and used it for the same purpose, and then discovered Unix, and it was all downhill from there. I tell people Mama warned me when I was younger that messing with DOS could lead to stronger stuff, and it did. I spent about 26 years working full time as a Unix systems administrator on all sorts of Unices that are no longer around; some of them are listed there on the slide. I did start with Linux in early 1994, using the pre-1.0 version of the kernel, so that has been a while. For the last few years I've been working as a security engineer for BrightSpring Health Services, located in Louisville, as we said. And just so that you know what I'm talking about, it's always important to note that I do hold multiple security certifications, so you can believe what I say, just like you could if I'd said it on the internet.

One disclaimer: the views and the opinions expressed in this session are entirely my own. They don't reflect any values or beliefs that are held by my employer. They haven't screened what I'm going to say, so hopefully I won't embarrass them too badly and I won't have to answer to HR when I get back to work on Monday.

Origins of the term "password." Well, passwords as such have been around for a very long time. The use of the word "password" apparently dates from the late eighteenth century, the 1700s, about the time of the American Revolution. It would have been a spoken word or phrase used to pass by a guard or sentry, and that's where the term comes from. The first recorded password breach as such is recorded by Thucydides in his History of the Peloponnesian War, from 431 BC. The Peloponnesian War was fought between the Athenians and their allies and Sparta. The Athenians were in battle with the citizens of Syracuse, who were an ally of Sparta, and in those days the watchword, as it was called, would be something that you would use to identify friend or foe. The Syracusans noticed that the Athenians were using a particular word and started using it themselves if they were in danger of being captured by the Athenians. The net result was, if the Athenians attacked, someone from Syracuse gave the watchword, was cleared, was authenticated, and allowed to pass in safety, whereas if an Athenian failed to give that word they would be killed. So it actually, apparently, turned the tide of the battle.

The use of passwords in IT for authentication purposes apparently dates to the Compatible Time-Sharing System project at MIT, from the very early 1960s; I think it was started in about 1961. It was a historic project. It established the use of passwords to gain access to an automated system. It was the first time-sharing system, as the name suggests, and it was one of the first systems to use virtual machines. There's a picture there; that's not of the machine that it runs on. The machine in the picture is actually basically the terminal or console. The machine itself was originally an IBM 709 mainframe, running with vacuum tubes, and later was converted to a 7090, with the difference between the two being transistors. It had a whopping 32 kilobytes of memory, 12 tape drives, and a 36 megabyte disk file, which for those days must have been huge, and allowed for concurrent users. And that's why they needed passwords, because each individual user needed access to his or her own share of the system.

Not unpredictably, CTSS was the first to expose issues with computer passwords, some of which we're struggling with today. In 1966 there was a bug introduced into the operating system that basically caused the contents of the message-of-the-day file to display the password file, which is not a good thing. Whenever somebody logged in, they were greeted with a master list of passwords, which in those days were unencrypted, so basically you had a text file containing everyone else's password. Oops. And one creative user, a guy named Allan Scherr, discovered that he could print out the contents of the password file and use that printout to bypass the limits on his quota on computer time, because in those days you were only allowed so much computer time. I think in his case it was four hours per week, but everybody else got four hours, and so long as he didn't use up all of their quota nobody would ever know. And he did that for several years, apparently. He finally owned up to it after he got his doctorate, and I think was eventually forgiven by the leader of the project.

Within five years of the introduction of the password we found some basic weaknesses that are still being exploited to this day. One, they could be compromised, as we mentioned. They could be inadvertently disclosed, as happened in the case of the password file being blasted out to the message of the day. And they could be used for resource theft, which is exactly what Mr. Scherr was able to do.

What emerged over the course of the next five to ten years was what I would call a password arms race that in some respects continues to this day. Very early on we discovered that the passwords needed to be obfuscated somehow, and so a gentleman by the name of Robert Morris developed an algorithm for hashing passwords. If the name Robert Morris sounds familiar, his son is probably more famous these days than Morris himself. His son was Robert T. Morris; he wrote the famous 1988 Morris worm. It was really the first large-scale computer security incident to take place on the internet. I remember it well because I was working in a computer lab at the time, and we discovered a virus the same week and made the local news because of it. The virus had nothing to do with the worm, but all of a sudden, for the first time, people were talking about computer security in popular culture.

In addition to the development of hashed passwords, we started to focus on increasingly stringent password requirements. We insist that people mix upper and lower case, that they use numbers and special characters, that they change them regularly whether there's a reason to or not, and then we want to prevent reuse, and that's probably not a bad thing. So the good news is that if we do all of that we solve password problems, and with passwords that are complex and change regularly and can't be reused, I mean, password security isn't a problem anymore, right? We solved that a long time ago. Well, no, not really. Despite our best efforts, that's still an ongoing problem. That headline is from last year: passwords are still the dominant authentication method and they are the top cause of data breaches. That will probably continue for the indefinite future, so long as people are people. Again, late last year: how your password has ended up for sale on the dark web. So not only are they being stolen, they're being exploited for commercial purposes.

Part of the problem, I think, is IT people have an engineer's bent, and that's something that Joanna Berkey kind of touched on this morning. We tend to look for technical solutions to problems, and we don't focus on the human factor or the social sciences factors. The way I like to look at it: if we engineer a technical solution, that ought to be good enough, but it isn't, and what you see here in front of you is a very common result. There's a lot that these people are doing right. Assuming that P is capitalized, that's a reasonably complex password. Apparently they're changing it on a regular basis. They may or may not be reused; it's tough to say. I've got a few reservations about their password storage, but under the keyboard is one of the two canonical places that passwords are generally stored. This is the other, and that's one of the things that our current approach to passwords has generated: we find passwords under keyboards or taped to monitors, they're changed in predictable patterns, and we're not really fooling anybody.

One side note about this particular password: it's fairly famous, because the agency that uses it was involved in an incident about three years ago. I think this is the Hawaii emergency management system. They're the ones that issued a security alert for incoming nuclear missiles, and at the time that they were being interviewed it was discovered they had the password to their system taped on a Post-it note to the front of a monitor. It's probably not their fault. I mean, through our best intentions, we've forced people to resort to this sort of thing in order to keep track of their ability to log in.

Insanity, somebody once said (and we'll talk about who in just a second), is doing the same thing over and over again and expecting different results, and that's largely what we've been doing with passwords for the past 25 to 30 years. We keep trying to enforce technical requirements rather than look at human behavior, and as a consequence people resort to a sort of shadow IT: unauthorized storage, predictable patterns. When we tell them they have to change the password, they don't do it the way we want them to, because there's really no way to force that and really not a good way to check for it. So password01 becomes password02, and the month after that it'll be password03. We keep trying to force them to do it our way, and they simply will not, because it's too painful for them.

Now, I mentioned the quote about insanity, doing the same thing over and over again. That is often attributed to Albert Einstein, but it's not; it can't be. The first recorded instance took place in Knoxville, Tennessee, in the early 1980s. I discovered it took place in Knoxville, and having followed SEC football most of my life, my first thought was it was just a frustrated Vols fan talking about the way their football program has gone for the last 20 years. But it turns out it predates even that. It came from Knoxville, Tennessee, to be sure, but apparently it was an Al-Anon meeting in the very early 1980s. We'll never know who, because those meetings of course are anonymous, but I think that quote does speak volumes to the way that we've approached password security, certainly for the last 10 to 15 years. We should know better than we do.

Which leads to probably the most famous cartoon in the history of password security (there can't be too many of them), and that is from xkcd, which talks about how we have tried to force people to do something that is very difficult for humans to remember but not really all that difficult for computers to guess. We've tried to focus on complexity, on making people use as many characters as possible in a finite space. That typically leads to very little entropy. The better approach probably is to expand the length of the password, 14, 15, 16 characters, but to do it in a way that people can remember what they have used, and in that way it's also easier for them to construct. If we can give them a simple rule, we can help them construct a more secure password.

Recent password theory from major government agencies, both in the United States and abroad, has concentrated on doing exactly this. For example, the National Computer Security Center in the United Kingdom is advocating that we create strong passwords using three random words. If you'll notice, over in the blue part of the page on the right, there are several passwords there that may or may not be good ones. One of them looks like a mix of upper and lower case and numbers; it ought to be reasonably good, but it appears on the list of the top 100,000 most compromised passwords, whereas the one below it, "red pants tree," does not, and that is the example that NCSC has recommended. Obviously you don't want to use that one now, but that is the approach that they are recommending that we take, as is NIST here in the United States.

A few words of caution about choosing words. First of all, nobody has recommended a particular word length. I think four characters would probably be a good start. I did think at one point about making my password based on George Carlin's seven words that you can't say on television, but I decided against that, just in case it was ever breached; I didn't want my employer to find out that I had done something along those lines. NCSC does recommend that you not use personal details, anything that's readily guessable or obtainable via open source intelligence, like your partner's name or a child's name, your pet's name, place of birth, that sort of thing. Sports teams are a favorite, apparently, of password construction both here and abroad; those often show up in lists of compromised passwords.

In the United States, similar guidance is provided by the National Institute of Standards and Technology, or NIST. In 2017 they released Special Publication 800-63B, which is optional for most of us but mandatory for agencies that are covered under the terms of the act that authorized NIST, which includes most of the federal government and a good number of government contractors. NIST does offer some password tips that look very similar to the ones we talked about from NCSC in the United Kingdom. One thing that they do recommend, and I definitely agree with this, is not to rely anymore on passwords alone. We'll talk more about multi-factor authentication in a moment, but if there's anything that I can add MFA to, I do it, and if my bank doesn't require it I would probably look at changing banks at this point, just because it's so important. NIST recommends using a phrase with multiple words. For example, if you look at the password field down below, item two, "sun walk rain drive": if the sun shines I'll walk, if it rains I'll drive. And obviously you want to give each account that you've got, particularly secure, important ones, a unique passphrase. I would recommend doing that for every site and every service that you log into. At this point in time there's no reason not to have a different password. Good password hygiene is probably your first line of defense.

NIST has also released some requirements; these are no longer optional for covered entities. The passwords have to be at least eight characters long. Historically eight characters was a long password; today it is not. Personally, I wouldn't consider using anything that's less than 12 characters, and 16 is not an unreasonable number. We no longer focus on changing passwords every 90 days. According to NIST, and I think according to common sense, you should only change your password if your account is compromised. As difficult as it is for users to come up with a secure password, the last thing we really want to do is have them change it for no particular reason once they've come up with a good one. One thing that we do need to do is screen new passwords against a list of known bad passwords, and we'll talk about that a little bit in a second. And there are some other options that they don't recommend: security questions and password hints. Those are just invitations to social engineering. Most people wind up using, or are forced to use, hints or questions that are readily decipherable. The most famous example I can think of of something like that was the password hints for Sarah Palin's Yahoo email account in 2008. Because of the way that Yahoo selected their questions, the only things that she could answer were questions that were easily findable, by the time she ran for vice president, using an internet search, and somebody was able to take over the account due to nothing that she necessarily did wrong. I mean, the questions themselves were the problem, rather than the answers that she gave. And we definitely want to limit the number of allowable failed attempts, so people just don't sit there and hammer on an account. We'll talk a little bit more about anti-hammering requirements in a little bit, when we talk about multi-factor authentication.

And recommended best practices. These are not requirements, but they are definitely recommended, and I'm on board with all of them. Allow passwords up to 64 characters or longer. As I said, I personally would not consider any password less than 12 characters to be worthwhile, and 16 would be closer to what I would want to shoot for. Character composition and special character requirements don't make a lot of sense. They don't really add anything to the strength of the password, but they do burden the end user and make it more difficult for the user to even just construct a secure password. Just getting it to match the first time they type it in is enough of a challenge, much less even having a thought about trying to reuse it, without necessarily having to resort to a password manager or something like that every time.

One of the most controversial recommendations from the new NIST publication is that users be allowed to copy and paste passwords into password managers. A lot of folks are concerned about the security of a password manager, and rightfully so, and definitely the traditional view is that you're only as secure as the password manager. My own take on that has evolved a little bit. There is risk associated with the use of the password manager, but there's risk of reusing passwords, and I think that the risk of the latter is even greater, and it's greater to a sufficient extent that it probably offsets the risk of using a password device or even something as simple as saving passwords into your browser. We have painful experience that illustrates that reused passwords are compromised every day. Most of the exploits that I've seen that talk about violating the security of a password manager have been theoretical, and most take place with attacks that require access to the client machine. They're not taking place on somebody's server, because encrypting those is a fairly straightforward process. What they wind up doing is taking advantage of the password file after it's been decrypted on the local machine, and you would have to gain access to memory and finagle a way to get that clear-text information out. It's not impossible, but it's a lot more work than simply being able to grab a list of known passwords, passwords that someone has used, and start hammering on them in a dictionary attack.

What should we do when good passwords go bad? Probably the most useful list for this is Troy Hunt's Have I Been Pwned list, which is a large collection of passwords that have been involved in various data breaches. If you are so inclined, you can go and search and see if your email address has been associated with a pwned account. These are accounts that are the result of passwords being improperly stored, probably on the remote end, and that's the one thing to remember about passwords: local storage is less of a concern at this point than what happens to that password once you use it. Once you enter it into someone's website or a mobile device application, you're at their mercy. Your security is only as good as their security, and we've found out the hard way over the years that that doesn't always work well. From places like Equifax on down, various sites that we would have trusted to maintain their systems and protect the integrity of the passwords and the credentials that have been entered into their sites have failed to do so. The current version (or this was current as of, I guess, a month ago) of Have I Been Pwned has 613 million compromised passwords. That's quite a few, and as I mentioned, the current NIST requirements indicate that we need to be checking our accounts to make sure nobody's using a password that is on that list.

The interesting thing is that not all the passwords on the Have I Been Pwned list are simply bad passwords. Obviously ones like 123456 and qwerty made the top of the list, but so does this list of what I think are probably reasonably complex passwords. There aren't too many there I would be embarrassed to use myself, but they weren't good enough, not because the passwords themselves were intrinsically bad but because somebody didn't take good care of the password once it had been entered into their system. Interestingly, those passwords appeared on the list much higher than some of these. Every compromised password on the preceding list showed up more frequently than such gems as "puppies seven," "b-e-b one," "tooth at 1-2-3-1," and some of the others that you see there. So obviously the strength of the password isn't the only factor that we need to consider when we talk about potentials for compromise.

And if we want to check lists: as I mentioned, this does require that we check passwords as they're being entered now and compare them with known bad lists, and if the password matches, the user has to (it's not an option) be required to choose a different memorized secret, which is apparently bureaucratese for "password." There are a number of password audit and compliance tools. These are particularly useful for going back and doing retrospective analysis of passwords that have been entered into a database, for example Active Directory. Several of these deserve mention. We are a KnowBe4 site; we'll probably be looking at their product a little bit later. The National Computer Security Center in the UK has a script that will actually go back and audit your AD password file. I'm sure it's a very good script. The one thing to consider before you download it and go run it is that the NCSC is part of GCHQ, that is, the British equivalent of the National Security Agency. I would have reservations about running a script that was written by a foreign intelligence service and allowing it access to my password database, but that's just me. It may be you too. You may not have any choice in the matter, depending on who your employer is, but that would be one thing to consider before you just blindly go out and download it and run it. Specops Software has another one that apparently is quite good; it certainly has received some favorable press. All of these links will be available in the slides, and I'll post a link in the chat when we get done about where you can get the slides, but those are ones that might be useful to investigate. There may be others; those are just the ones that I found in my research preparing for this session.

pat the password is probably the most unloved part of computer security certainly of identity and access management people have been trying to throw dirt on its grave for a long time perhaps the best known quote is from bill gates who's almost 17 years ago now said that uh as time goes by people are going to rely less and less on passwords and people have been trying to prove gates right for a number of years probably more often without success than with it though that has begun to change relatively recently uh for example uh my favorite one my the favorite one that i've i came across was this headline from 2015 where yahoo their yahoo is going to update the email

app to kill a password and as these as the quote up the top talks about the definition of irony the irony of that is that it actually turned out to be the other way around in 2015 uh yahoo suffered a data breach that resulted in the exposure of millions and millions of passwords and to this data i think it's the single largest uh password breach in the history of the internet and it also ended up killing the company so the password killed yahoo rather than the other way around but yahoo wasn't alone uh i like this this one has its own level of irony too uh google was aims to kill passwords by the end of this year and then

of course right above that is a notation that the article is more than four years old didn't happen then either but it's definitely a work in progress i refer to passwords as the ipv4 of identity access and management i can remember when ipv6 was introduced in the late 90s and the consensus was that the internet was going to die in a short period of time because we're going to run out of ip addresses and ip6 was going to was going to fix that and save us and ipv4 is still alive and kicking very very much today and ibc v6 is struggling to get a toe hold well that's kind of where we are with uh authentication passwords are

still the most popular as we've noted the most popular form of authentication they're popular because they're familiar people have grown up with them they accust them they abuse them they use them but they're familiar and they know how they quote unquote know how they work uh there was a time not that long ago when biometrics were seen as creepy that would be things like retina scans and even fingerprints uh that's become less common now we'll talk about why that is in a second and then things like smart cards key fobs and other alternatives are one more thing to keep track of i used to have to have a key fob for mfa at one of the positions

that i had a long time ago and i think i stepped on a couple and i lost a couple it was constantly going back to my boss saying i need a new one those things aren't cheap uh he cringed every time i did but it's just one more thing to keep track of and asking people to do that is asking them to do things they aren't really good at we have experience that they have the future probably is multi-factor in the authentication and as i mentioned it's been around for a while uh it's not exactly something new i know we were doing that in the early 2000s uh the most common thing right now and

is what we were doing then as a password plus something else uh i will enter my password and then uh a character from a fob or uh something from an sms message or something along those lines uh but the future i think is going to be multiple factors that don't include passwords uh as i mentioned conventional mfa probably the most common uses today would would involve a password plus an sms or an email or a mobile app those have gotten a whole lot more popular things like duo or the microsoft authenticator you don't see as many uh tokens or fobs anymore because mobile devices have more or less taken taken the place as a means of

delivering that second factor uh we do see some sites using push notifications that typically uh that will be pressing a button on an authenticator app or responding to a link in an email for example citrix allows that as one of the options to log into citrix systems biometrics are certainly growing in popularity and i think one of the reasons for that is that the integrates nicely with mobile devices cell phones or tablets something along those lines when apple introduced their fingerprint reader with the iphone several years ago that probably did more to promote the use of biometrics than anything else has even though fingerprint technology has been suggested as a means of authentication for a very long time the

link that i have posted there is to a discussion about how fingerprints were used in the james bond movie uh diamonds are forever in 1971 where the bond girl was able to authenticate james bond using a portable fingerprint detector or analyzer uh and that's something this the interview is with a cia analyst who talks about how interested the agency was at the time about that technology it's another another area where the the movies were actually a little bit ahead of ahead of their times uh facial recognition uh is another area that we've seen develop with mobile devices lately eye scans have have not taken off probably because they're so difficult to do because the hardware is so expensive but

You will find those in some secure areas; that's absolutely true. An area where we're seeing some development work would be gestures and signatures and behavioral recognition, such as how fast you type. Obviously you're not going to use that as a single factor, but they can be combined with other authentication methods to securely log into systems, and they are in fact supported in Windows Hello in current versions of Windows. As I said, the future for multi-factor authentication, or modern MFA, is not going to involve passwords, and we are there, but it's early days. Look, Ma, no passwords. I mean, you need to think about CAC for folks in the military or working for military organizations, or things like Apple's Touch ID and Face ID, or Windows Hello. We're already there in some respects: we use biometrics, or a smart card plus a PIN, or personal identification number.

One question that we need to consider is whether or not PINs are more secure than passwords, and I think they can be made to be so. A PIN, if properly implemented, is tied these days to a specific device. It's local to that device; it does not need to be shared across a network; it's backed by hardware. The PIN would typically be stored in the TPM, or Trusted Platform Module, on a PC, but could also be stored elsewhere, depending on the hardware that we're talking about. And contrary to the common four-digit PIN that you're assigned when you get an ATM card or something along those lines, modern PINs can and should be relatively complex. I would definitely not recommend using four to six numbers; I want something a little bit stronger than that. Again, you don't have to kill yourself: make it something that's easy to remember, because somebody's going to have to have direct access to your hardware in order to exploit that PIN. It's not something they're going to be able to do just by logging in across the network.

So what do we see about the future of passwords? Well, it's fashionable to forecast the imminent demise of the password. As I mentioned, the analogy to IPv4 is strong. I think passwords are still going to be around for quite a while, simply because people are so accustomed to them; it'll be difficult for them to give them up. The force that's most driving alternative forms of authentication would be mobile devices. People are used to them, or are getting more used to them, and they make things like MFA a whole lot more practical than it has been. And I think, because major players like Apple, Microsoft and Google are involved, ultimately modern MFA is going to succeed; it's just a question of how long that's going to take. That's all I've got. Let me do one thing.

If you're interested in the slides, mostly, I think, for the links, I just pasted a URL into the chat. If you want the long one, because you don't like to type on shortened ones, I can't blame you; I will give you one more to consider instead.

Yeah, don't blame you.

That's all I've got. If we have any questions, I'll be glad to tackle them as best I can.

I believe the attendees have the power to unmute, if someone wants to add some comments or add some questions. You know, maybe that's something you want to do; you want to do it that way? Sure. We've got, I think, a few minutes left. I'll be glad to tackle them that way.

Anybody want to share their password? They don't want to share their favorite? They want to share their favorite password? Yeah, yeah. What's, give us a good example. Hey, wait a minute, that's my luggage! Oh, very nice.

Space is my favorite password character, I'll share that. Someone once chose to share his password with me. I wish he hadn't, but I'm glad he did. The password was the space bar and the word "cadet": space cadet.

As I needed to bounce around for some of the conference, I didn't get to hear 100% of the talk. Did we talk a little bit about applications or systems where you can't pick as strong a password as you want, or as long as you want, or as complicated as you want, and maybe get into some of those situations or some alternatives, what we could do? No, because I think those are, hopefully, getting rarer and rarer. I love it. Yeah, yeah. I would like the NIST requirement, or the recommendation now is, that we allow passwords up to 64 characters, and I'm a big fan of that.

There really isn't much you can do. There are some older systems; I'm old enough to remember when Unix crypt only allowed six to eight character passwords, and that hasn't been that long ago. I guess it has been over 20 years, but that was for every Unix system connected to the internet at one point, so we have come a long way. Hopefully those systems, well, I say that knowing that we have legacy systems in our shop, which is kind of an inside joke, and I think that's probably true everywhere, so there may still be some out there that only allow relatively short passwords. The best thing we can do with those, I think, is live with them and hope that they get phased out sooner rather than later. Yeah, right.

I think I actually have a question. Sure. Yeah. I would like to hear your opinion on, I'm not really sure what they're called, I think they're like little dongles that you carry around your neck usually, and it has a password in it, and it changes every day.

Yeah, those are the key fobs I was talking about. Typically I've seen those used for MFA. RSA, for example, used to make one, and I'm trying to remember the one that we used when I was at i2. But yeah, some of those can actually change the password every, I think, minute or something like that. Some of them are time-based; some of them just do sequential changes, that sort of thing. But yeah, that is an older, that is a mature technology, I would think, at this point. As I say, mobile devices have kind of taken the place that those tools served, maybe not everywhere, but certainly for most commercial entities that's going to be the case. You'll see more people using the Microsoft Authenticator or Duo Mobile, or even just plain SMS, which has its own risks, as a means of delivering MFA, but those are probably more common than key fobs and dedicated devices at this point. Okay.
