The Problems with Biometrics for Authentication

The other day I came across a blog post by someone lamenting a common problem we all have these days–password management. The blog linked to an article extolling the virtues of using biometrics either as a complete substitute for passwords altogether, or as part of a two-factor authentication system.

It sounds like an awesome, appropriately futuristic idea–instead of having to remember some long password, I’ll just look into my webcam and use a retinal scan instead of a password to prove I am really who I say I am. In fact, this would be a disaster.

Consider how passwords work today. A system asks you to create a password and you dutifully tell it to use “password”. The system on the other end then creates a hash of that password. A cryptographic hash is a one-way function that transforms “password” into “7!aceldfg”. Because it is a one-way function even if I have the hash, I cannot easily determine that “7!aceldfg” is the has for “password.”

In reality, hashing is vulnerable to some attacks and so a smart website will salt the password hash. All this means is that when you type in “password” when creating an account, the website adds additional pseudo-random data to your password. So a website might convert “password” to “password12345” and then hash that. The website then stores both the hash and the salt value.

The benefit of doing this is that it increases the amount of work that an attacker is going to need to do if they compromise the website and gain access to the password file.

So imagine you create a username and password for your bank account, and the attackers gain access to the files containing the usernames and passwords of all the bank’s customers. Maybe the bank had very good security and they encrypted the password files in addition to hashing and salting the passwords.

You know what, though…just to be on the safe side the bank is going to ask you to change your password anyway. And you are once again reminded why you should never use the same password on multiple sites. Maybe you were reusing the same passwords and now you go and finally fix that so you’ve got different, secure passwords on all your accounts.

Great.

Now imagine the bank instead uses a retina or fingerprint scan. You swipe your finger or stare into a webcam, and data gets sent back to the bank which compares it to the hashed, salted version of the data it has on file for your eye or finger and then you get access to your account.

Until today when hackers managed to penetrate the bank’s security and access the user and authentication data. Now, your fingerprint or retinal scan data has been compromised. How do you propose to alter those?

As one biometrics news site sums it up,

Paradoxically, the greatest strength of biometrics is at the same time its greatest liability. It is the fact that an individual’s biometric data does not change over time: the pattern in your iris, retina or palm vein remain the same throughout your life. Unfortunately, this means that should a set of biometric data be compromised, it is compromised forever. The user only has a limited number of biometric features (one face, two hands, ten fingers, two eyes). For authentication systems based on physical tokens such as keys and badges, a compromised token can be easily canceled and the user can be assigned a new token. Similarly, user IDs and passwords can be changed as often as required. But if the biometric data are compromised, the user may quickly run out of biometric features to be used for authentication.

Password Cracking

Bruce Schneier looks at password cracking on his blog and he and his commenters have some interesting insights into password cracking and how to minimize the odds of getting cracked and hacked.

The post is in reference to an Ars Technica’s experiment where they gave three “cracking experts” a list of 16,449 passwords hashed using MD5. The least successful cracker was able to figure out 62 percent of the passwords and one of the crackers was able to obtain 90 percent of the passwords.

Essentially all three were doing sophisticated dictionary attacks to get at obvious passwords, but also to crack passwords that people think are secure for some reason, such as “k1araj0hns0n”. From my experience, the practice of sites requiring people to use at least one number or at least one special character, etc., is counterproductive in that it leads people to think that “Pass$1w0rd” becomes magically secure with the addition of the special characters, capitalization and numbers.

Schneier still endorses his scheme of using the first letters from uncommon sentences to create passwords that are secure but easy to remember,

So if you want your password to be hard to guess, you should choose something that this process will miss. My advice is to take a sentence and turn it into a password. Something like “This little piggy went to market” might become “tlpWENT2m”. That nine-character password won’t be in anyone’s dictionary. Of course, don’t use this one, because I’ve written about it. Choose your own sentence — something personal.

That would certainly work, but I have about 90 accounts I access regularly which would mean remembering 90 sentences or variants therein. And at this point you really do want to ensure every account you use has a different password. Given the rash of hacks of prominent web sites, you just need to assume that at some point a) one of the sites you use regularly is going to get hacked, b) they’re not going to have implemented effective security to protect your password, and c) hackers are quickly going to distribute your password and attempt to use it to access other accounts you control.

I prefer the following method which I think strikes a nice balance of protecting my logins while at the same time recognizing I have a life to live and want to spend as little time as possible managing passwords:

1. Use a password manager. I use LastPass, but I’ve also used other password managers. Whatever password manager you use, do make sure to read reviews to ascertain that its security is acceptable. Personally, I’m satisfied that while LastPass’s security isn’t impregnable, it is good enough and effectively balances my security and usability concerns.

2. Generate passwords with DiceWare. It sounds a bit goofy, but essentially you’re using dice as random number generators to create a list of words that you string together into a longer passphrase. A DiceWare-generated passphrase might look like “cleftcamsynodlacyyr”.

There are two advantages to using DiceWare rather than using something like LastPass to autogenerate random passwords. First, the passwords generated with DiceWare have a great deal of entropy and are not going to fall to a dictionary attack even if the attacker knows you used DiceWare to create them. Second, DiceWare passwords are much easier to type or memorize than typical randomly generated passwords in those situations where you need to manually enter the password.

3. Generate a separate password per account. I generally create a few dozen DiceWare passwords at a time and securely store the list, then grab one of the passwords as I create a new account.

Hash It! for Android

Hash It! is an Android app that replicates — and is compatible with — the Password Hasher extensions for Google Chrome and Firefox. Create a master password key, and Hash It! generates a password for each site you visit based on the master password and the URL of the site.

An interesting approach to password management, though I’m sticking with Diceware plus KeePass.

And Now for Something Really Secure … One-Time Password Plugin for WordPress

The One-Time Password plugin for WordPress is probably overkill for most of us, but if you regularly need to login to WordPress from computers that you don’t control, this would certainly add an additional layer of security.

Jakob Nielsen Argues for Abandoning Password Masking on Websites

Jakob Nielsen makes the case against password masking — the convention of displaying asterisks or some other symbol instead of the actual characters typed in password entry boxes. Nielsen notes that password masking was originally implemented as a security measure, but questions just how much security it adds under the conditions most of us use the web,

Most websites (and many other applications) mask passwords as users type them, and thereby theoretically prevent miscreants from looking over users’ shoulders. Of course, a truly skilled criminal can simply look at the keyboard and note which keys are being pressed. So, password masking doesn’t even protect fully against snoopers.

Nielsen suggests adding a  check box so users could decide whether or not to have their passwords masked so, for example, users in genuinely public situations such as at a public web terminal could still choose to have their passwords masked.

Nielsen argues this is one case where going against convention would be beneficial, but I wonder if he’s done any user-testing of this. My suspicion is that the overwhelming majority of users will assume there is something wrong with a website when the password isn’t masked and thereby likely cause even more confusion.

The standard on mobile devices of not masking the current character but masking previous characters is a good compromise and is becoming so widespread it may eventually break down that convention, but for now its hard to imagine a site abandoning password masking wouldn’t create more confusion and anxiety in its users than the problem it would allegedly solve.