What is your birth date? What is your daughter's name? When were your kids born?
Maybe... What is your favorite color, birth town? Mother's name?
I can ask all of these questions and many more, and I will receive answers if I ask them correctly during a conversation.
Would you answer? I believe so, why not? We are having a friendly conversation and these are the kind of questions friends ask each other.
Ok… so what is your point? This probably pops up in your brain when I say this.
Well, look at those questions again, and now think about your password! The one you use at work, the one you use to access your bank account or email.
I think a portion of your password, or the entire thing, is combined with information contained in the answers to the above questions.
Maybe you took it a step further and added numbers and special characters; this is good, but it is not good enough.
In order to break one's password, there is a work factor to be calculated. Well, if I know nothing about you, then the work factor is big. But the more information I have about you, the work factor becomes less and less hard.
What would be your opinion on a password free enterprise?
Passwords are here to stay, but merely as a first line of defense. It is quite easy to introduce a 2nd factor nowadays. Advice: steer clear of overly expensive hardware tokens that require you to buy licenses. Some manufacturers even force you to buy a new hardware card / token each year. Also stay clear of solutions that require special hardware drivers for various platforms. There are sufficient good generic, open-standard-based 2FA solutions, e.g. see RFC6238 / Google Authenticator. In olden days I have worked with the Yubikey, which is a bit more expensive, but works quite nicely too. Still going strong.
I think the future may lie in user behavioural analytics. The general problem we have is that Generation Z is digitally dependent and is bringing that mentality into the workplace. Things are going to have to be easy to use/access AND secure. No trade-off between the two. Back in my day it was quite easy - I was happy to go through the pain of convoluted 30 character complex usernames and passwords because
a - I had to (it was the only way to access the service I needed)
b - the complexity somehow made me feel that the people on the other end were taking security seriously
But that won't apply any more. It certainly doesn't cut much ice with my teenage kids.
So one option is to look at what 'normal behaviour' is and then try to apply a multi-layered approach to identity and authentication in line with risk. So if I am accessing a low risk service on a known and registered device that isn't rooted/jailbroken/infected with malware, at the time of day I usually access that service, from my usual IP address then why ask for a password at all? However, if I'm doing something different - like using a new device or accessing a high-risk service or coming in at an odd time or from an odd place then I might get a bit more challenge.
There certainly seems to be a move towards authenticating a trusted device and then leaving the device to authenticate the user through inbuilt biometrics (fingerprint readers on smartphones are now commonplace), and given the way that people treat their phones that is logical.
From some work I'm doing just now I see that lots of kids lose their passports on a night out (they have them to demonstrate proof of age) but always seem to come back home with their phones...
It's interesting to see how the mobile telephone has evolved from a radio to a tiny laptop and now to a digital identity card. Throw in a bit of blockchain to hold some identity attributes and we might just see the end of the password but I won't be holding my breath just yet.
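The "normal behaviour" step-up logic this reply sketches (known device, not rooted, usual time, usual IP, service risk), written out as an added example that is not the poster's code; the signals, weights, thresholds and the sample profile are assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed example of risk-based authentication: compare a login attempt with the
# user's baseline and decide how much challenge to apply. Weights are assumptions.

@dataclass
class LoginContext:
    device_id: str
    device_compromised: bool     # rooted / jailbroken / malware flagged
    source_ip: str
    hour: int                    # local hour of the attempt, 0-23
    service_risk: str            # "low" or "high"

@dataclass
class UserProfile:
    known_devices: set
    usual_ips: set
    usual_hours: range           # e.g. range(8, 19) for a 08:00-18:59 working day

def risk_signals(ctx: LoginContext, profile: UserProfile) -> list:
    """Return (signal, weight) pairs for every deviation from the baseline, so the
    decision can be logged and explained, not just scored."""
    signals = []
    if ctx.device_id not in profile.known_devices:
        signals.append(("unknown-device", 3))
    if ctx.device_compromised:
        signals.append(("device-compromised", 10))
    if ctx.source_ip not in profile.usual_ips:
        signals.append(("unusual-ip", 2))
    if ctx.hour not in profile.usual_hours:
        signals.append(("unusual-hour", 1))
    if ctx.service_risk == "high":
        signals.append(("high-risk-service", 3))
    return signals

def required_assurance(ctx: LoginContext, profile: UserProfile) -> str:
    """Map the summed score to a challenge level. A compromised device is a hard stop:
    no amount of 'usual' context makes it trustworthy."""
    signals = risk_signals(ctx, profile)
    if any(name == "device-compromised" for name, _ in signals):
        return "deny"
    score = sum(weight for _, weight in signals)
    if score == 0:
        return "device-only"     # trusted, registered device: no password prompt
    if score <= 3:
        return "password"
    return "password+2fa"
```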
I believe passwords are on their way out and making room for passphrases. Length always beats complexity when someone is attempting to brute force a password.
I would like to see a 14-character, letters and numbers password requirement with the option to add special characters/symbols. The math behind cracking BabyElephant34 vs Gr#@t0ne is drastically different.
According to howsecureismypassword.net, BabyElephant34 would take 10 million years to crack with one computer compared to 9 hours using Gr#@t0ne.
I think passwords are like AV - a good measure of defense for the passers-by - ONLY. Passphrases have long been known to be more secure due to one factor - length. For example: Kerberos is vulnerable to the length of the password, not so much the complexity. In my humble opinion, the future is this: a login algorithm that uses something you have (the device itself with fingerprint or facial recognition), something you know - the passphrase (a favorite verse from a song or passage) and something you have AGAIN... this is where 2FA comes in. The process would look like this: you log in with your biometric creds and by way of the algorithm, these get appended to your passphrase, which is then confirmed by your 2FA device, which carries its own security for accessing.
If you're stuck with passwords then you should think about using a password filter.
I developed one for AD/Windows here, password_filter_dll, that will ban dictionary words and common leet-speak substituted derivatives.
I also developed a USB stick plus an app on my phone/watch that can communicate with it, which would log in to/unlock your PC, allowing for easier use of uber-long passwords. I have not released this as it was just a POC.
I also had in mind to develop a Windows credential provider that would talk via a cloud service, once intent to unlock was shown, to a phone app using TOTP tokens for integrity, which would pop up on the user's phone/watch so they could approve/deny the request. I have not invested the energy into this as of yet. I believe you can find vendors that do this already, but nothing open source.
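The dictionary-plus-leet-speak check a password filter like the one described above performs, as an added example (not the poster's password_filter_dll code): ambiguous leet characters such as "1" fan out into every plain-letter reading before the banned-word check. The wordlist and substitution table are constructed for illustration; a real filter loads a large dictionary.

```python
import itertools

# Constructed example of a password filter rule: reject candidates that contain a
# dictionary word, including leet-speak spellings of it. Not the post's own code.

LEET = {                     # each leet character and the letters it commonly stands for
    "0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i", "|": "li", "+": "t",
}
BANNED_WORDS = {"password", "elephant", "welcome", "summer", "admin", "great"}  # constructed
MIN_WORD_LEN = 4             # very short words would match almost any password

def deleet_variants(pw: str, limit: int = 256):
    """Yield every plain-letter reading of pw. '1' may be 'i' or 'l', so ambiguous
    characters multiply the variants; `limit` bounds the work per password."""
    choices = [LEET.get(ch, ch) for ch in pw.lower()]
    for n, combo in enumerate(itertools.product(*choices)):
        if n >= limit:
            break
        yield "".join(combo)

def banned_word_in(pw: str):
    """Return the first banned word (alphabetically) found in any reading of pw, else None."""
    words = sorted(w for w in BANNED_WORDS if len(w) >= MIN_WORD_LEN)
    for variant in deleet_variants(pw):
        for word in words:
            if word in variant:
                return word
    return None

def password_acceptable(pw: str, min_len: int = 14) -> bool:
    """Length first (the thread's point about length), then the dictionary/leet check."""
    return len(pw) >= min_len and banned_word_in(pw) is None

if __name__ == "__main__":
    for candidate in ("P@$$w0rd2019", "BabyElephant34", "Gr#@t0ne", "correct horse battery staple"):
        print(f"{candidate!r}: banned={banned_word_in(candidate)} ok={password_acceptable(candidate)}")
```

Note that the thread's own BabyElephant34 is rejected here because "elephant" is in the constructed wordlist, which is exactly the kind of guessable base word the filter exists to catch.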