As published on

Yesterday’s concept of ‘strong passwords’ has become today’s bad joke, since passwords are not cracked any more; they are simply harvested by means of fake phishing sites or Trojan spyware planted on the user’s PC. Against these widespread and fast-growing threats, the cryptographic strength of passwords has become irrelevant.

Many organizations continue to implement password policies based on yesterday’s thinking. Once upon a time, discussion about passwords was all about cryptographic strength. For example, if an ATM PIN consists of a sequence of four digits then there are 10^4 possible PINs to be tried by someone trying to crack the login. Small search spaces were deemed to be unacceptably risky, so policies were implemented to make large search spaces mandatory. To reduce the risk further, users could be forced to change their passwords frequently. Thus, password policies such as the following were introduced:

  • Passwords must be at least eight characters long and must consist of a mixture of letters and numbers
  • Letters are case-sensitive
  • Password change will be enforced at the end of each month

This kind of policy makes perfect sense if the main threat to identity access security is brute force password cracking. However, it is not, and it has not been since the invention of the ‘three strikes and you’re out’ policy which only allows a maximum of three failed login attempts before locking an account down.

In the context of three strikes and you’re out, it makes little difference whether a password search space is 10^4 or the 62^8 mandated by the password policy above; in either case it is overwhelmingly probable that any three ‘brute force’ login attempts will fail. Thus, the password policy does nothing significant to strengthen the identity access security, but it does make it harder for the user to choose memorable passwords, and this is compounded by frequent enforced password changes.
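The argument above can be made concrete. The following Python is an added example, not the article’s own code: it computes the two search spaces the text mentions (a four-digit PIN, 10^4, and an eight-character mixed-case alphanumeric password, 62^8), the probability that three online guesses succeed against each, and a minimal ‘three strikes and you’re out’ lockout that caps an online guesser at three evaluated attempts regardless of how large the search space is. The user names, PINs and guess sequence are constructed sample values.

```python
"""Added example: online guessing against a 'three strikes' lockout policy.

Not the article's own code. It models the two policies discussed in the
text (10^4 PINs vs. 62^8 passwords) and shows that, with lockout after three
failed attempts, both leave an online guesser the same three evaluated guesses.
All account names and PINs below are constructed sample values.
"""
from typing import Dict, Iterable, Set


def search_space(alphabet_size: int, length: int) -> int:
    """Number of distinct secrets of the given length over the given alphabet."""
    return alphabet_size ** length


def p_online_guess_success(space: int, attempts: int) -> float:
    """Probability that `attempts` distinct random guesses hit one fixed secret.

    Guessing without repetition, each try succeeds with probability 1/space,
    so `attempts` tries succeed with probability attempts/space (capped at 1).
    """
    return min(1.0, attempts / space)


class ThreeStrikesLockout:
    """Minimal 'three strikes and you're out' policy: lock after N failures."""

    def __init__(self, max_failures: int = 3) -> None:
        self.max_failures = max_failures
        self._failures: Dict[str, int] = {}
        self._locked: Set[str] = set()

    def attempt(self, user: str, credential_ok: bool) -> str:
        """Record one login attempt; returns 'ok', 'denied' or 'locked'."""
        if user in self._locked:
            # A locked account rejects even the correct credential until reset.
            return "locked"
        if credential_ok:
            self._failures[user] = 0
            return "ok"
        failures = self._failures.get(user, 0) + 1
        self._failures[user] = failures
        if failures >= self.max_failures:
            self._locked.add(user)
            return "locked"
        return "denied"

    def is_locked(self, user: str) -> bool:
        return user in self._locked


def guesses_evaluated(policy: ThreeStrikesLockout, user: str,
                      secret: str, guesses: Iterable[str]) -> int:
    """Feed a guess sequence to the policy; count guesses actually checked
    before the account locks (or the secret is found)."""
    checked = 0
    for guess in guesses:
        if policy.is_locked(user):
            break
        checked += 1
        if policy.attempt(user, guess == secret) == "ok":
            break
    return checked


if __name__ == "__main__":
    pin_space = search_space(10, 4)
    pw_space = search_space(62, 8)
    for name, space in (("4-digit PIN", pin_space), ("8-char [A-Za-z0-9]", pw_space)):
        print(f"{name}: {space} possibilities, "
              f"P(3 online guesses succeed) = {p_online_guess_success(space, 3):.3g}")
    # Constructed sample: a guesser walks PINs 0000, 0001, ... against user 'alice'.
    attacker_guesses = (f"{i:04d}" for i in range(pin_space))
    n = guesses_evaluated(ThreeStrikesLockout(), "alice", "7319", attacker_guesses)
    print(f"guesses evaluated before lock-out: {n}")
```

Running the script prints both search spaces, the tiny success probabilities (3/10^4 and 3/62^8), and that the full-space walk is cut off after three evaluated guesses; the lockout, not the alphabet, is what bounds an online guesser.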

The longer and more arbitrarily structured a password is, the less memorable it will tend to be. The less memorable the password, the more likely the user is to write it down.

Online service providers have concentrated on strengthening the defenses of their own systems, but many of today’s identity credential thefts take place outside of these defenses. For example, in phishing exploits, the user’s login details are stolen during an interaction in which the genuine service plays no part. In Trojan spyware exploits, the theft happens locally on the user’s PC, over which the genuine service has no control.

For these reasons, many service providers have given up on the possibility of preventing credential theft and have instead directed their energies towards ‘curing’ the problem of stolen credentials, e.g. by deploying risk analysis systems that try to spot suspicious behaviors. These are inexact by definition and inevitably allow some criminal activity to occur.

However, we don’t have to be restricted by yesterday’s limitations. Today there is no good reason why service providers cannot protect their users by deploying credential systems that place credential theft somewhere on a scale between very difficult and impossible. One-time password generating tokens or smart cards are well known and can be highly effective, but they also involve significant capital outlay and logistical overhead. They may be appropriate for some applications but certainly not for all. Biometrics and AI solutions have become more widespread.

However, many of these options still don’t make it easy for the individual – the user needs a device and often still needs characters from a pre-defined keyword.

Service providers can be very nervous of being seen to change anything in the user’s login experience. They opt to invest massively in partial protection systems that try to fix credential thefts after they have happened, because this can be done less visibly to the user. However, for a fraction of the cost, these identity risks can be effectively eliminated using methods that users have been found to accept readily. There are novel solutions, for example innovative visual authentication solutions, that require no special user training and that provide highly effective protection against all current credential theft exploits, including phishing and Trojan spyware attacks.

The identity access threat landscape will keep on evolving and there is no silver bullet for tackling phishing. A sensible anti-phishing strategy will implement multiple layers of protection. A strong authentication mechanism that makes phishing difficult, if not impossible, must be the starting point of this layered approach.