Are Passwords Becoming Obsolete? – Exploring The Issues With Password-Based Authentication


The number of websites on the internet is growing by leaps and bounds, and so is the number of accounts we create on them. Email addresses, social media accounts, e-commerce websites, storage accounts, cloud services, gaming services, streaming services, and the list goes on…

With that, another problem arises – having to deal with a plethora of different credentials. There is a fundamental problem that exists whenever passwords are being used. The average user tends to see passwords as a hindrance to their overall experience of using a service, rather than a security measure that’s in place to protect their data. This leads to people using weak passwords.

Granted, the existence of password managers does make life a bit easier in that department, but not everyone uses them. There’s also the consideration of whether we should be trusting a single organization with all of our password data. While we deal with these considerations, the threat of cybercriminals is always present.

Malicious actors keep working around the clock to try and break into password databases. Even to this day, a lot of places do not hash passwords before storage and directly store them as is. The ideal way to store a password is to calculate what’s known as a password hash, add some random values to it (this is known as a salt), and store the resulting value. Since a hash is non-reversible, this practice makes it more difficult for an attacker to figure out the actual password for an account, even if they are able to gain access to the password database.

However, even storing properly hashed passwords is no guarantee of password security. If a malicious entity can get access to your database of hashed passwords, they can attempt to crack those hashes. Sure, hashing makes it more time-consuming to get to the actual passwords, but attackers these days have access to extremely sophisticated hardware that can attempt to crack millions of password combinations per minute.

What about P@ssw0rd_policies?

Most online services nowadays have password policies in place, which require everyone who signs up to adhere to these policies while setting up a password. Having password policies in place is definitely better than having no restrictions on password creation, but it does not always work out well. It also leads to people reusing passwords across multiple services.

Moreover, there are some archaic policies that are still being used in a lot of places around the world, for example – requiring users to change their passwords periodically. This makes people keep inherently weak passwords since they don’t want to go through the effort of creating strong passwords only to have to replace them periodically. This was considered a best practice some time ago, but that’s no longer the case.

Due to storage issues, some companies don’t allow users to create passwords more than a few characters in length. Then there are some places that go overboard with password rules – restricting passwords to only digits with certain number sequences banned, or having exactly 8 characters in the password. If you want to look up more bizarre password policies, you can check out the list here.

Phishing Attacks

What is a phishing attack, you say? Well, if you’ve ever received an email claiming to be from a rich person wanting to share their wealth with you in exchange for a relatively small fee payment on your end, that’s an example of a phishing email. Most users are careful not to engage with such emails, but attackers can be quite tricky. They can craft elaborate emails that are difficult to distinguish from genuine ones, and ask victims for sensitive information (including passwords). Such emails are often targeted at company employees in what’s known as a spear-phishing attack. Phishing scams have a decent success rate, and if your employees are falling prey to these, it doesn’t matter how well-designed your password policies are.

Attackers try to capture user credentials through phishing attacks

Multi-Factor Authentication

One solution that comes to mind is to implement Multi-Factor Authentication (MFA). MFA requires a user to confirm their identity through more than one method (factor) before they can access the service/platform in question. The first factor, of course, is the password. The second factor could be something like a One-Time Password (OTP), a biometric authentication measure or a hardware-based authentication device like a YubiKey. For online services, Time-based OTPs are most commonly used as they are the easiest to implement.

While this certainly increases the strength of the authentication mechanisms on the website, it still does not deal with the basic issue here. Even with MFA enabled, we need to deal with the issue of creating, remembering and storing passwords securely. In theory, you could add as many authentication factors as you wanted to, but that is neither practical nor feasible. Can you imagine having to enter a password, an OTP and get a retinal scan done before you can see pictures of your friend’s cats on social media?

Fret not, for there is a solution which ensures that authentication is secure without making you jump through hoops before accessing your data – Magic Links.

Magic Links are a passwordless authentication mechanism. When a website implements a magic link-based login, the authentication process is simplified:

  1. User enters their registered email address on the login page.
  2. An email containing a login link is sent to the user.
  3. The user clicks on the link in the email.
  4. Voila! User is signed in to the application.

This method of authentication ensures that users can securely log in to the service without having to worry about pesky password policy requirements or having their passwords leaked in data breaches.

Thus, a magic link-based login makes it easier for users to log in, while enhancing the overall security of the application and the users’ data.

Implementation

Here’s an overview of how magic link-based login can be implemented, in the form of pseudocode:

function createLink(user) {
  const token = generateRandomString(); // Unguessable random token
  saveToken(user, sha256(token)); // The hashed token is saved to the user's entry in the db
  // Now we create the magic login link that will be sent to the user's email
  const loginURL = `https://yourapp.com/login_endpoint?token=${token}`;
  return loginURL;
}

When the user receives the email and clicks on the generated login link, the app receives the login query:

function Auth(req) {
  const params = req.parse();
  const token = params.token; // Extract token from query parameters
  const hashedToken = sha256(token);
  const user = matchToken(hashedToken); // Search the db for entry with hashed token

  if (user) {
    user.authenticate(); // If the entry exists, the user is authenticated.
  }
}

In case the user doesn’t exist, no authentication happens.
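A runnable Node.js version of the flow sketched above, as an added example that is not the article's or GETSecured's code. It goes beyond the pseudocode by also expiring tokens and making each link single-use; the in-memory `pendingTokens` map (standing in for the database), `TOKEN_TTL_MS` and `redeemLink` are assumptions made for this example.

```javascript
const crypto = require('crypto');

const TOKEN_TTL_MS = 15 * 60 * 1000; // assumed link lifetime: 15 minutes
const pendingTokens = new Map();     // sha256(token) -> { email, expiresAt }

function sha256(value) {
  return crypto.createHash('sha256').update(value).digest('hex');
}

// Issue a link. Only the hash is stored, so a leaked token table cannot be
// replayed as working links; the raw token exists only in the email.
function createLink(email, now = Date.now()) {
  const token = crypto.randomBytes(32).toString('hex'); // 256 bits from the CSPRNG
  pendingTokens.set(sha256(token), { email, expiresAt: now + TOKEN_TTL_MS });
  return `https://yourapp.com/login_endpoint?token=${token}`;
}

// Redeem a link. Returns the email to sign in, or null when the token is
// missing, unknown, already used or expired.
function redeemLink(loginURL, now = Date.now()) {
  const token = new URL(loginURL).searchParams.get('token');
  if (!token) return null;
  const key = sha256(token);
  const entry = pendingTokens.get(key);
  if (!entry) return null;
  pendingTokens.delete(key);              // single use: consume before any other check
  if (now > entry.expiresAt) return null; // stale links are rejected
  return entry.email;
}
```
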

With this increased ease and security of user authentication in mind, we at DeTaSECURE have implemented a passwordless Magic Link login system for GETSecured which allows you to access your account without worrying about having to remember yet another password. For more information on how to log in to GETSecured, check out the video here:

Still worried about your passwords getting breached? Say goodbye to all your password woes with GETSecured. Head over to app.getsecured.ai today!

Anshul

Anshul is a cybersecurity analyst at DeTaSECURE. He has helped multiple organizations secure their digital assets as a security professional. He holds certifications like CEH and AZ-900. You can reach out to him by Clicking Here.