Are passwords still worth it?

spO0q 🐒🎃 - Dec 1 '21 - - Dev Community

Password authentication is a fundamental security feature. It's literally everywhere, and you likely use it every day on multiple occasions, especially to access your online accounts on various platforms.

There are good practices to keep things secure. For example, using random and unique passwords is highly recommended. You must not use the same password for multiple accounts, even if it's a strong one.

In that perspective, a password manager allows for defining and auto-filling solid passwords automatically. It's easy to use, and you don't have to remember anything.

However, there are some issues with the very concept of password I'd like to discuss here and some misconceptions about "strong" passwords you need to know.

What is "strong" anyway?

Hackers use password cracking tools, dictionaries, and rule-sets to guess passwords. A popular technique called brute-force consists of trying numerous password combinations to bypass authentication.

Most of the time, hackers use bots and lists of frequently used credentials.

123456789, qwerty, abcdefgh, iloveyou7

The above passwords are terrible. They would be found at lightning speed. You can even find them in the most popular public lists, such as Rockyou.

However, the following passwords are not good either:

!@#$%^, P@ssw0rd, buddy123

You can also find them in the rockyou.txt list.

Don't try to be clever. Password crackers such as JohntheRipper have been using mangling rules for years. As a result, replacing all "a" with "@" or "s" with "$" could quickly fail.

Besides, a leaked password is a weak password, no matter what you do. You may have a strong password, but phishing campaigns are more and more sophisticated, and data breaches happen regularly.

Be extra, extra, extra careful with incoming emails, and use haveibeenpwned to test your passwords.

Password policies are broken

Best practices are excellent, and password managers do a tremendous job, but many websites and applications use harmful password policies.

It's sometimes impossible to create the password automatically with your password manager during the signup, as the website pushes its users toward very predictable strategies and disables copy/paste in the second password input.

It's not uncommon not to be able to use long passwords with special characters. You sometimes end up with nonsense like that:

taylor23

The system is happy because you use letters and numbers, while it's obviously a weak password!

Measuring passwords strength with entropy

Professionals and tools assess passwords with bits of entropy. It measures how random a password is with a mathematical formula that can look like that:

E = log2(Rᴸ)

There are some variants of the formula, but, theoretically, the higher the entropy (E) is, the stronger is the password against brute-force attacks. R is for the number of available characters, and L is the total length.

As a result, mixing letters, capital letters, special characters, and numbers increase entropy significantly. However, the length is even more critical.

However, it's just an indicator. Again, if you reuse the same password everywhere or if your password is leaked, it's game over, regardless of the entropy.

Passwords are not enough

Most services use now additional layers to authenticate their users. For example, with two-factor authentication (or multi-factor authentication), in addition to password authentication, users have to enter a code received by SMS or generated with popular applications such as Google Authenticator or Lastpass.

2FA is not enabled by default everywhere, though, and you sometimes need to activate it manually in the "advanced settings."

It's not bulletproof, but hacking 2FA is way harder than hacking passwords.

Decentralized authentication: the passwordless approach

There are famous examples of passwordless systems such as magic links or biometric authentication.

Another approach can leverage more secure designs such as key-based cryptography instead of passwords, so the user's device (or a USB key) is the only device that holds the authentication factor.

This decentralized approach can have significant benefits:

  • improving user experience significantly
  • eliminating security risks such as password leaks

Indeed, it's likely more challenging to implement for developers than a simple login form and, in some cases, even impossible without rewriting everything.

However, from the user's perspective, it can be safer and easier to use.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .