This post was contributed by Josh Bruyning, Cybersecurity Solutions Engineer at TrustMAPP.
Effective password management begins with understanding that passwords are, and always have been, a weak control. Throughout history, anyone seeking entry to a protected system has found ways to steal, guess, or coax out the password. The convenience of remembering words, phrases, and patterns works against security, which makes sound management almost impossible for security leaders to enforce. Even with the advent of technologies like passwordless authentication, password management remains an evolving art.
We put up with passwords because they are intuitive, not because they necessarily work. From speakeasies to enterprise systems, we humans refuse to part with the illusion of safety that passwords afford us. Historical data tells us that if an attacker wants an affordable way into a system, they should steal passwords, and we make it easy for them. From ancient times to today, let’s explore the difficulties of protecting passwords and the psychological and technical approaches we can use to balance convenience with security tomorrow.
What if I were to tell you that a password could be somewhat effective even if everyone knew it? One of the earliest reports of password use comes from the book of Judges in the Christian Bible. Ancient Gileadite soldiers used the pronunciation of the word shibboleth to distinguish their own tribe from the tribe of Ephraim, whose dialect had no sh sound. Here we see that even in ancient times, the core concepts of authentication existed. If an unauthorized user attempted to pass the Gileadites’ checkpoint and gave the wrong pronunciation, the Gileadites identified them and, let’s say, didn’t let them through. The Gileadites devised a psychological as well as a logical control: by swiftly killing anyone who mispronounced the password, they deterred attackers from even attempting access. However, word spread, and therein lies the failure in password management. Someone figured out how to “steal” the password and gained entry. No one told the ancients about rolling passwords, I guess. They didn’t have Duo back then.
Julius Caesar was also a fan of secrets, specifically message encryption in the form of ciphers. To send messages to Cicero in Rome, he used a substitution cipher, shifting every letter a fixed number of places down the alphabet; the size of the shift was the secret shared only with authorized readers. But again, a familiar theme emerges. A simple substitution cipher is easy to crack through frequency analysis, because the most common ciphertext letters line up with the most common letters of the language. Making Caesar’s ciphers harder to crack would have strained poor old Cicero, since the rules would become too complex to apply by hand. Security and convenience once again waged war on each other, and often security lost. Until a machine could handle encrypting and decrypting, Caesar had to make do.
During Prohibition, speakeasies relied on passwords and secret names. Oddly, although visitors shared passwords freely, passwords worked to a high degree of success. It was a perfect password storm: the public was on the side of drinking, and passwords mimicked everyday language. Unless someone eavesdropped outside a bar, an outsider would never know whether two people were exchanging a password or talking about the weather. But even back then, one common password was “password.” Prohibition was over before anyone could fully study how well speakeasy password management worked. We can chalk up the little we do know to psychology and public demand. Few people wanted to abolish alcohol, so for those enforcing the law the effort of learning the passwords outweighed the incentive to do so, and for once, passwords won. Today attackers have an enormous financial incentive to steal passwords, and users have little will to stop them, the opposite of the speakeasy ecosystem.
The cycle of creating a password, attackers stealing it, and defenders making passwords more complex until they become too hard to remember continued through World War II. Like the ancient Gileadites, the Allies used challenge words that German speakers would mispronounce. A challenge-and-response pair such as “flash” and “thunder” was nearly impossible for a German soldier to say convincingly and would have taken considerable time to learn. For protecting communications, though, the Allies relied on ciphers more than passwords, with the aid of rotor machines.
Passwords have made systems somewhat more secure, but only to the degree that a user can retain complex information. The first computer password arrived in the early 1960s, when Fernando Corbató introduced it for MIT’s Compatible Time-Sharing System. You would think that from the 1960s to the 1990s, password management would have evolved. Unfortunately not. For passwords to evolve, human brains would have to evolve too, becoming capable of retaining long strings of unrelated characters. So, it’s fair to say that passwords aren’t the problem; we are.
The internet has become more complex. As our data repositories multiplied, so did the need to create multiple passwords. In the 80s and 90s, no one used a password to play on a SNES because most consoles had no online capability. When gaming went online in the late 90s and early 2000s, users needed yet another password to join a server. Applications across the internet multiplied: more accounts, more passwords, many of which made their way into the enterprise. Did we do away with passwords even though roughly 80 percent of breaches in 2020 involved mismanaged or stolen passwords? Of course not. Passwordless authentication is a much-needed step beyond traditional MFA, replacing the password factor with something stronger, but that technology has not yet been widely rolled out to users in the wild.
Security leaders have tried to control human behavior rather than accepting that we are what we are and that we will never change. NIST’s current guidance favors long passphrases, which are easier to picture and remember than short strings of random characters yet still hard to guess. However, most users have several passphrases, or “images,” to keep track of. SSO offloads much of the memorization to tokens, but the learning curve for the average user is still too high. The reality is that attackers will go for the low-hanging fruit of password theft: phishing, whaling, brute-force attacks, dictionary attacks, keylogging, and other credential-harvesting schemes.
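The dictionary attack mentioned above, and the NIST-style screening check that blunts it, as an added Python example (not code from the original post). The wordlist, the accounts, and their hashes are all constructed here so the script runs offline; the assumption that the breached site stored unsalted SHA-256 hashes is part of the construction, and the choice to screen mangled forms of the wordlist is this example’s design, not a quote from NIST.

```python
"""Dictionary attack against leaked password hashes, and the screening check
that blocks the passwords it would crack.

Added example; it is not code from the original post. The wordlist, the
accounts and their hashes are all constructed so the script runs offline;
a real attack uses multi-gigabyte wordlists and GPU crackers.
"""
import hashlib

# Constructed stand-in for a common-password wordlist.
WORDLIST = [
    "password", "123456", "123abc", "qwerty", "letmein",
    "welcome", "speakeasy", "shibboleth", "summer", "admin",
]


def sha256_hex(s: str) -> str:
    return hashlib.sha256(s.encode("utf-8")).hexdigest()


# Constructed "breach dump": username -> unsalted SHA-256 of the password.
# Unsalted fast hashes are what make a wordlist attack cheap: one lookup
# table serves every account in the dump.
LEAKED_HASHES = {
    "alice": sha256_hex("123abc"),
    "bob": sha256_hex("Password1"),
    "carol": sha256_hex("the gileadites guarded the ford at dusk"),
    "dave": sha256_hex("speakeasy!"),
}


def mangle(word: str):
    """Yield the word plus the mangling rules users apply to satisfy
    complexity policies: capitalize, append a digit or punctuation."""
    for base in (word, word.capitalize()):
        yield base
        yield base + "1"
        yield base + "!"


def dictionary_attack(hashes: dict, wordlist) -> dict:
    """Hash every candidate once, then look up each leaked hash.
    Returns username -> recovered password for the accounts that fall."""
    table = {}
    for word in wordlist:
        for candidate in mangle(word):
            table[sha256_hex(candidate)] = candidate
    return {user: table[h] for user, h in hashes.items() if h in table}


def screen_password(candidate: str, wordlist) -> tuple:
    """Verifier check in the spirit of NIST SP 800-63B: at least 8 characters
    and not on a list of commonly used passwords. Here the blocklist is the
    same wordlist an attacker would try, including its mangled forms (this
    example's choice). Returns (ok, reason)."""
    if len(candidate) < 8:
        return False, "shorter than 8 characters"
    blocklist = {form for word in wordlist for form in mangle(word)}
    if candidate in blocklist:
        return False, "found in a common-password list"
    return True, "accepted"


if __name__ == "__main__":
    for user, pw in dictionary_attack(LEAKED_HASHES, WORDLIST).items():
        print(f"cracked {user}: {pw}")
    for pw in ("123abc", "Password1", "the gileadites guarded the ford at dusk"):
        print(pw, "->", screen_password(pw, WORDLIST))
```

Three of the four constructed accounts fall instantly, including the one that “satisfied” a complexity rule with a capital letter and a digit; the long passphrase does not, because it is not in any wordlist. That is the trade the post is describing: the same wordlist that cracks accounts, run at signup, is the cheapest way to keep those choices out of the system without asking users to memorize random strings.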
The ancients might have gotten one thing right: they paired the password with deterrence. Knowing the word was one factor, pronouncing it correctly was effectively a second, and the consequences of failure discouraged attempts altogether. They also adapted security to their time, a key factor that security leaders struggle to account for. Today, multi-factor authentication will get us 90 percent of the way because it is easy to roll out to legacy users and the next generation alike. Rolling (one-time) passwords, single sign-on, and hardware tokens give us more maturity but fail to recognize the fatigue of managing many devices and applications. The moment we discover a new technology, we must contend with psychology and mental fatigue. Despite our efforts to manage passwords effectively, people will always prefer 123abc because, for most of the workforce, it’s easy to remember across many applications and devices.
Mature password management starts with a better understanding of human psychology and of how technology can deter attackers and manage passwords. Instead of disparaging users, we should invest in a maturity roadmap that combines technology with psychological research. Simplicity is critical, because the one thing we know for sure is that humans like to keep it simple. That goes for everyday users and the bad guys alike. Perhaps we should invest in making password management simple for security leaders and users and more complicated for attackers. Today, Ukrainians have proposed their own shibboleth, Palianytsia, named after a type of bread, to alert them to the presence of Russian soldiers. Even without advanced technology, passwords will always exist.