By: Ben Schmitt

Authentication is the process of proving you are who you say you are. Simply put, it is a technique to prove to a system or application that you are the right person at the right time. This means that credentials must be presented and, more often than not, a password (or passphrase) is involved. However, before we dive into the dos and don’ts of creating strong passwords, we must first understand the problems associated with single-factor authentication.

Strong authentication has many definitions and my favorite is, “Something strong you have and something easy that you know.” We are fans of strong authentication whenever possible, using tools like TOTP (time-based one-time password), push notifications or even certificates. However, a near-universal foundation for strong authentication remains a username and password. So, let’s talk about promoting better passwords (hint: passphrases), and how leveraging immediate user feedback can be essential.

I’m proud of the work our team (shout out to @jareddellitt and @jeremiahwingett) has done to improve upon the practices of choosing a strong password.  This means valuing a password that’s hard to guess or brute force.  It is often believed that the strength of a password is measured by a combination of length and complexity.  A reasonable foundation, but does this promote the right behavior?  Historically it has not, as evidenced by our adversaries.  User behaviors are somewhat predictable and may reflect easily guessed password elements.  As a Wisconsin native and avid football fan, it makes me cringe to think of how many passwords have a base of Badgers, Packers, Rodgers, or even Favre.  It isn’t lost on our adversaries that seasons and significant dates, along with company, pet and children’s names, are often chosen as the foundation for passwords (and yes, they have pre-built attacks to substitute the @ symbol for the letter a, the number 3 for the letter e, etc.).  A solution to this problem: a smart password meter which provides real-time feedback to the end user to promote appropriately strong passwords.

With the goal of promoting and rewarding strong passwords, the team has integrated the zxcvbn library from Dropbox, which comes with a wonderful technical write-up. It is a password strength estimator which provides real-time feedback on the strength of a user’s password. The front and back-end systems validate that the strength is appropriate and the user is rewarded with a strong password. The library uses a combination of pattern matching, commonly chosen passwords (~30k), common names, surnames, popular words and common patterns. For example, a long passphrase easily trumps a normally compliant 8-character password with special characters, because the latter relies on simple replacements any adversary will try. This bases password strength on a combination of factors (entropy, crack time, score), not on a rigid regular expression alone.
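To make the contrast concrete, here is an added example (not code from the original post, and not zxcvbn's algorithm): a toy estimator that undoes common substitutions before a dictionary lookup, set beside a rigid composition regex. The word list, the per-character variant cost, the function names and the sample passwords are all assumptions made for illustration.

```javascript
// Added illustration: a toy pattern-aware estimator, not zxcvbn's algorithm.
// Word list is a constructed sample; all names below are hypothetical.
const WORDS = ['password', 'packers', 'badgers', 'rodgers', 'summer', 'winter', 'favre'];
// Assumed cost of guessing one listed word, using the article's ~30k list size.
const DICTIONARY_BITS = Math.log2(30000);
// Substitutions that attackers' rule sets undo automatically.
const LEET = { '@': 'a', '4': 'a', '3': 'e', '0': 'o', '1': 'i', '!': 'i', '$': 's', '5': 's' };

// The rigid policy: 8+ characters with lower, upper, digit and symbol.
const COMPOSITION_RULE = /^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^A-Za-z0-9]).{8,}$/;
function passesCompositionRule(pw) { return COMPOSITION_RULE.test(pw); }

// Size of the alphabet a brute-force search would need to cover s.
function charsetSize(s) {
  let n = 0;
  if (/[a-z]/.test(s)) n += 26;
  if (/[A-Z]/.test(s)) n += 26;
  if (/\d/.test(s)) n += 10;
  if (/[^A-Za-z0-9]/.test(s)) n += 33;
  return n;
}

// Rough log2(guesses) for ASCII input: listed words are cheap even when
// disguised; only the leftover characters are charged at brute-force rates.
function estimateBits(pw) {
  const norm = pw.toLowerCase().split('').map((c) => LEET[c] || c).join('');
  let bits = 0, rest = '', i = 0;
  while (i < pw.length) {
    const word = WORDS.find((w) => norm.startsWith(w, i));
    if (word) {
      const raw = pw.slice(i, i + word.length);
      // One extra bit per capitalised or substituted character (assumed cost).
      bits += DICTIONARY_BITS + raw.split('').filter((c, k) => c !== word[k]).length;
      i += word.length;
    } else {
      rest += pw[i++];
    }
  }
  return bits + (rest ? rest.length * Math.log2(charsetSize(rest)) : 0);
}

const compliant = 'P@ckers12!';                   // constructed sample
const passphrase = 'summer packers favre winter'; // constructed sample
for (const pw of [compliant, passphrase]) {
  console.log(pw, passesCompositionRule(pw), estimateBits(pw).toFixed(1));
}
```

The regex accepts the disguised team name and rejects the passphrase, while the estimate ranks them the other way around even though every word of the passphrase is in the attacker's list.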

The change in user behavior and better choice of passwords don’t solve all problems with authentication. We remain believers in strong authentication using 2FA, push notifications and combinations of other factors in addition to good passwords. Thank you to Dropbox for open sourcing their library and helping keep users safe through encouraging the right behavior.

