Disadvantages of password-based authentication – Entity Authentication
5.4.3 Disadvantages of password-based authentication
In the previous section, we learned of several disadvantages of password-based authentication related to password storage. It turns out that passwords have even more drawbacks related to usability, time invariance, and human psychology.
From a usability perspective, the user must be able to correctly enter the password and, thus, successfully authenticate themselves on the system with high probability. This is, of course, easy to achieve if the user chooses a short and easy-to-remember password such as iloveyou or 1234.
However, as the Have I Been Pwned (HIBP) online service [83] will tell you, iloveyou has appeared 2,330,348 times in past data breaches and is therefore an utterly insecure password; it is certainly in every password dictionary, and its hash value is in every rainbow table you can download from the internet.
Choosing a strong password, such as 0(a<*ZS>jBUvNLym?oIp8d!PN4, increases security but also makes it much more likely for the user to mistype while entering their password. This – as well as the time needed to enter a complicated character string – turns password-based authentication using strong passwords into a hassle for the user.
Moreover, strong passwords are not only error-prone and time-consuming to enter, but also difficult for humans to memorize. As a result, users either choose a short but insecure password or a complicated, secure one that they write down, preferably in an easily accessible place such as on a sticky note. This way, passwords get exposed to potential attackers in physical proximity, for example, in a co-working space.
Users also tend to choose passwords based on everyday words or popular phrases that they can easily remember. Many passwords therefore have low entropy and can be easily cracked using dictionary attacks, which we discussed earlier in this chapter [7].
Passwords can also be stolen using social engineering attacks, phishing emails, malware, keyloggers, and man-in-the-middle attacks. According to recent statistics from the cybersecurity industry [142], nearly 98% of cybersecurity attacks rely on social engineering, the most popular method being the delivery of phishing emails.
On a more fundamental level, many of the security weaknesses of passwords result from them being time-invariant. If Eve can trick Alice into disclosing her password – whether by using a social engineering attack, by eavesdropping on Alice while she enters it, or by cracking a leaked password file – there is nothing Alice can do to restore her security. Eventually, Alice might, of course, try to change her password. But even this might fail because Eve has already changed the password to something Alice does not know. From the instant a password is compromised, its time-invariant nature allows Eve repeated unauthorized access to Alice’s account [81].
Taken together, these drawbacks make passwords a form of weak authentication. The good news is that instead of relying on passwords, we can use cryptographic protocols for entity authentication that avoid most of these drawbacks and, as a result, offer strong authentication.
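To make the time-invariance point concrete, here is an added example (not code from the book) contrasting a static password check, where any value Eve has once observed keeps working, with a minimal nonce-based challenge-response scheme built on HMAC-SHA256, where an observed response is bound to a single fresh challenge. The server classes, the shared key and the password value are constructed for illustration; a real server would of course store a salted password hash rather than the plaintext.

```python
import hashlib
import hmac
import secrets


class PasswordServer:
    """Time-invariant check: the same secret is accepted on every login."""

    def __init__(self, password: str) -> None:
        self._pw = password.encode()  # simplified; real servers store a salted hash

    def authenticate(self, password: str) -> bool:
        return hmac.compare_digest(self._pw, password.encode())


class ChallengeResponseServer:
    """Each login uses a fresh random nonce; a response is valid only for it."""

    def __init__(self, shared_key: bytes) -> None:
        self._key = shared_key
        self._outstanding: set[bytes] = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self._outstanding:
            return False  # unknown, expired or already-consumed challenge
        self._outstanding.discard(nonce)  # single use: no replay possible
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_respond(shared_key: bytes, nonce: bytes) -> bytes:
    return hmac.new(shared_key, nonce, hashlib.sha256).digest()


def demo() -> tuple[bool, bool, bool, bool, bool]:
    # Static password: whatever Eve observed once is accepted again and again.
    observed_pw = "0(a<*ZS>jBUvNLym?oIp8d!PN4"  # constructed sample value
    pw_server = PasswordServer(observed_pw)
    alice_ok = pw_server.authenticate(observed_pw)
    eve_replay_ok = pw_server.authenticate(observed_pw)

    # Challenge-response: Eve observes (n1, r1) but cannot reuse r1.
    key = secrets.token_bytes(32)  # constructed shared key
    cr_server = ChallengeResponseServer(key)
    n1 = cr_server.challenge()
    r1 = client_respond(key, n1)
    alice_cr_ok = cr_server.verify(n1, r1)
    eve_replay_cr = cr_server.verify(n1, r1)  # nonce already consumed
    n2 = cr_server.challenge()
    eve_stale_cr = cr_server.verify(n2, r1)  # response bound to old nonce
    return alice_ok, eve_replay_ok, alice_cr_ok, eve_replay_cr, eve_stale_cr
```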