DEV Community

Nishant Upadhyay

Passwords are not secure! The solution for developers

The Problem
When the computer security company Hold Security reported that more than 1.2 billion online credentials had been swiped by Russian hackers, many people were worried, and justifiably so. Hold isn’t saying exactly which websites were hit, but with so many credentials stolen, it’s likely that hundreds of millions of ordinary consumers were affected.
Some of these may be incredibly complex passwords, with lots of jumbled numbers and symbols. And some may be incredibly simple, using just the simplest of English words, like, say, “password.” But after the hack, almost all of them have left their users vulnerable to attack. According to Alex Holden, Hold Security’s founder, the “vast majority” of the passwords he uncovered had been stored in plain text on company servers.
What this shows is that a complex password isn’t necessarily a secure password. As Wired has written before, password systems have a very annoying way of putting most of the hard work onto the shoulders of the users. You’ve got to mix up a jumble of numbers and letters (some in capitals, please) and special characters. Some passwords time out after 90 days, forcing you to reset them. But that doesn’t make them much safer than simple passwords.
Some of our ideas about passwords date back to the 1980s, when the National Institute of Standards and Technology came up with some guidelines for creating secure passwords for local area networks. Back then, they’d mail them out to interested computer security types via the U.S. Post. Now, NIST is trying to help the U.S. move beyond the password, says Donna Dodson, NIST’s chief cybersecurity advisor. “Putting the burden of security on the end-user and making it more complex just doesn’t work,” she says. “The security has to be usable for the end-user. Otherwise they’re going to find workarounds.”
In some situations, a complex password can help you. But in others, like when the company holding your password stores it in plain text, without encrypting it, that complexity is meaningless. And some passwords may seem complex when they’re actually pretty easy to guess. They can trip you up, even if they’re stored using cryptographic techniques, when someone hacks into the machines they live on. The lesson here is that system administrators, the people who oversee all those password rules you have to follow, need to shoulder a bit more of the work. They need to better understand what makes a secure password, and how passwords should be stored.
“Everyone is confused in this space,” says Cormac Herley, a Microsoft researcher who’s been studying passwords for years. System administrators will lay down rules for passwords, but often “we don’t know half of why we’re doing this stuff,” says Herley. And they may not realize they should be spending their time securing systems in other ways.
Either way, pinning your security on an insanely complex password is a fool’s wager. Just ask the people running the airline, travel and social networking sites that got hacked by Alex Holden’s Russian hackers. “Why are we burdening users with demands to choose stronger and stronger things with the goal of withstanding increasingly sophisticated guessing attacks when 1.2 billion credentials are just spewed from servers that are improperly protected?” says Herley. “That seems like a big waste of effort.”
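The article’s core point is that the server side, not the user, decides whether a leaked credential table is useful to an attacker: a plain-text record is the password, while a salted, slow hash is not reversible and makes every guess expensive. The example below is added here and is not from the article or any product it mentions. It puts the weak pattern Hold Security found (credentials stored verbatim) beside a proper salted, slow hash, using only the Python standard library. All function and variable names (`store_plaintext`, `store_hashed`, `verify_hashed`, `leaks_password`) and the in-memory “table” are hypothetical constructions for illustration; PBKDF2-HMAC-SHA256 is used because it ships with Python, and Argon2id, scrypt or bcrypt are preferable where a library is available.

```python
"""Added example (not from the article): a password stored the way the
article warns against (plain text) beside a salted, slow hash.
All names here are hypothetical; nothing on the page defines them.
Standard library only, so it runs offline.
"""
import base64
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256. Tune the count so one hash costs tens
# of milliseconds on your server hardware. Argon2id, scrypt or bcrypt are
# better choices where a library is available.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
SCHEME = "pbkdf2-sha256"


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def store_plaintext(table: dict, username: str, password: str) -> None:
    """The pattern found on the breached servers: the credential is kept
    verbatim, so a copy of the table is a copy of every password."""
    table[username] = password


def store_hashed(table: dict, username: str, password: str) -> None:
    """Salted, slow hash. A leaked record cannot be turned back into the
    password, and each guess costs PBKDF2_ITERATIONS hash operations."""
    salt = os.urandom(SALT_BYTES)  # fresh per user, so equal passwords differ
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    # Self-describing record: scheme, work factor, salt, digest.
    table[username] = "$".join(
        ["", SCHEME, str(PBKDF2_ITERATIONS), _b64(salt), _b64(digest)]
    )


def verify_hashed(table: dict, username: str, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    record = table.get(username)
    if record is None:
        # Unknown user: burn the same work so response time does not
        # reveal which usernames exist.
        hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), b"\0" * SALT_BYTES, PBKDF2_ITERATIONS
        )
        return False
    _, scheme, iterations, salt_b64, digest_b64 = record.split("$")
    if scheme != SCHEME:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), base64.b64decode(salt_b64), int(iterations)
    )
    return hmac.compare_digest(candidate, base64.b64decode(digest_b64))


def leaks_password(table: dict, password: str) -> bool:
    """What a bulk dump of the table gives away: True if the password
    appears verbatim in any stored record."""
    return any(password in str(record) for record in table.values())


if __name__ == "__main__":
    weak, strong = {}, {}
    pw = "correct horse battery staple"  # constructed sample password
    store_plaintext(weak, "alice", pw)
    store_hashed(strong, "alice", pw)
    print("plaintext table leaks password:", leaks_password(weak, pw))
    print("hashed table leaks password:   ", leaks_password(strong, pw))
    print("login with right password:     ", verify_hashed(strong, "alice", pw))
    print("login with wrong password:     ", verify_hashed(strong, "alice", "password"))
```

The per-user random salt means two users with the same password get different records, so a precomputed table of hashes is useless against the dump, and the iteration count stored in the record lets you raise the work factor later and re-hash users at their next login without a migration flag.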
The Solution for Developers
The solutions are ranked by how easy they are for developers to implement:
Brisk: Brisk is an upcoming platform that would let developers drop passwords without putting much load on their systems; they would make a single API call and act on the response, and that’s all. Join the first 1000 on the waiting list here.
Social logins: Provided by most of the big social networks, which allow their existing users’ credentials to be shared. They come with their own set of problems, such as user privacy, and not all users want to link their account to a social network, or to create a new social network account just for the sake of using the service.
Biometrics: These are the scarcest form of authentication, and availability varies from device to device.

Top comments (3)

Pacharapol Withayasakpunt

Good to try to read, but you should really learn how to Markdown.

Nishant Upadhyay

Thanks for the feedback and sorry I reached out to you so late. I will make sure I do it correctly.

SMJ

Biometrics is not safe sometimes.