GUEST ESSAY: Understanding the security limits of the static and dynamic passwords we rely on

We all rely on passwords. For better or worse, we will continue to use passwords to access our computing devices and digital services for years to come.


Passwords were initially static. They have since been modified in two directions: biometrics and dynamic passwords.

Here is an overview of the passwords we currently use and their respective security limits:

Static passwords. This traditional form consists of letters, numbers and symbols. It is possible to calculate the number of all possible combinations, or NAPCs, of any static password. Therefore, it is theoretically possible to guess the correct combination of any static password from a single attempt, although the probability of success is low.

The most important point is that any static password can be cracked by brute force. With the rapid advances in computer technology, it has become possible to crack static passwords by, essentially, trying combinations until one works. This led to two branches of changes: biometrics and dynamic passwords.
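The NAPC calculation described above, worked through as an added example (not code from the essay or its author): given the alphabet a static password draws from, its length and an assumed attacker guess rate, it returns the size of the keyspace, the probability of a correct single guess, the entropy in bits and the expected time of an exhaustive search. The character classes and guess rates are constructed for illustration.

```python
import math
import string

# Character classes a static password can draw from (constructed for this example).
CHARSETS = {
    "digits": string.digits,                                               # 10 symbols
    "lower": string.ascii_lowercase,                                       # 26 symbols
    "alnum": string.ascii_letters + string.digits,                         # 62 symbols
    "printable": string.ascii_letters + string.digits + string.punctuation,  # 94 symbols
}


def napc(alphabet_size: int, length: int) -> int:
    """Number of all possible combinations (NAPC) of a fixed-length static password."""
    return alphabet_size ** length


def napc_up_to(alphabet_size: int, max_length: int) -> int:
    """NAPC when the attacker does not know the length and must try every length 1..max_length."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def single_guess_probability(keyspace: int) -> float:
    """Chance that one random guess is correct: the essay's 'single attempt' case."""
    return 1 / keyspace


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Password entropy assuming uniformly random choice from the alphabet."""
    return length * math.log2(alphabet_size)


def expected_seconds(keyspace: int, guesses_per_second: float) -> float:
    """An exhaustive search finds the password, on average, after half the keyspace."""
    return keyspace / 2 / guesses_per_second


def report(charset_name: str, length: int, guesses_per_second: float) -> dict:
    """Summarise the brute-force exposure of one password class at one attacker speed."""
    size = len(CHARSETS[charset_name])
    space = napc(size, length)
    return {
        "charset": charset_name,
        "length": length,
        "napc": space,
        "single_guess_probability": single_guess_probability(space),
        "entropy_bits": entropy_bits(size, length),
        "expected_seconds": expected_seconds(space, guesses_per_second),
    }


if __name__ == "__main__":
    # Assumed guess rate for an offline attack against a fast hash (constructed figure).
    RATE = 1e10
    for name, length in (("digits", 6), ("lower", 8), ("alnum", 12), ("printable", 16)):
        r = report(name, length, RATE)
        print(f"{r['charset']:>9} x{r['length']:>2}: NAPC={r['napc']:.3e} "
              f"entropy={r['entropy_bits']:.1f} bits "
              f"expected={r['expected_seconds'] / 86400:.3g} days")
```

The guess rate is the variable that "advances in computer technology" changes; the keyspace only grows with alphabet size and length, which is why the same calculation that shows a six-digit PIN falling in under a millisecond shows a 16-character printable password surviving for astronomically long at the same rate.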

Biometrics. The equivalent of a password can now be derived from our physical attributes such as fingerprints, face, voice or the iris of the eye. However, the digital representation of biometric data is nothing more than a complex static password.

Once this biometric data is compromised, there are only a limited number of options to modify it. We only have two eyes, one face and ten fingers. There are therefore very few possibilities for modifications and/or constructive developments.

Biometrics should be used as a username, not a password, because biometrics uniquely identify each person.

Dynamic passwords. This refers to static password usage patterns, where each password in that pattern is only active for a specific time interval. In other words, dynamic passwords are changeable static passwords.


Dynamic passwords must be managed securely. Both online and offline password managers come into play here. However, password managers introduce the problem of risk concentration, or putting all your eggs in one basket.

Password managers store passwords in an encrypted file called a vault, which is a target for attackers. Attackers can use brute force to crack this vault. Every year, researchers discover weaknesses in these password managers.

Dynamic passwords. These are parametric, dynamic, recoverable, generated on demand, pseudo-random passwords that are not stored in electronic or paper form.

The most important property of dynamic passwords, or DPs, is that they do not require storage on electronic devices or on paper. They are generated on demand when users need them.

It is not possible to find a black cat in a dark room if there is no cat in that room. For this reason, dynamic passwords generated on demand are more secure than dynamic passwords stored in a password manager.

When we register for an online account or request a password reset, we usually receive a new password by email. However, if an attacker is able to intercept and read this email, they can compromise our account.

To increase the security of our passwords against such a scenario, we can use multiple channels, instead of a single channel, to provide the password.

Multi-channel password delivery systems. This refers to the use of multiple communication channels to deliver passwords to users. MCPDS systems significantly increase the security of passwords against attacks on communication channels.

Multi-factor authentication methods, or MFA, fall into this category. A popular form of MFA is for a user to obtain an online password via email and a security code via text message to a mobile phone. These two pieces of information, the password and the security code, can be considered the two parts of a dynamic password necessary to access the online account.

Artificial intelligence systems. Some large companies use artificial intelligence systems, or AIS, to identify characteristics that can be used as passwords in authentication procedures. Such systems do not require any effort from the users.

AIS automatically collect all relevant information to determine the password and submit it to verification systems. The authentication procedure is hidden from users.

However, the password information is received from the AIS, not from humans. AIS have no emotions and therefore cannot be attacked by social engineering methods.

But AIS has the same drawbacks as biometrics; AIS algorithms are susceptible to compromise.

About the essayist: Igor Stukanov is the inventor and author of several books on “dynamic passwords”.

*** This is a syndicated Security Bloggers Network blog from The Last Watchdog written by bacohido. Read the original post at: https://www.lastwatchdog.com/guest-essay-understanding-the-security-limits-of-the-static-and-dynamic-passwords-we-rely-on/
