The Economics of Passwords
This is an opinion piece by Moses Hernandez. The Opinions Expressed on this essay are solely the opinions of Moses Hernandez.
Every once in a while I get a great delight in teaching a class and having to go over general security topics from the quintessential attacker stand point. Anyone that has ever taken a class with me knows, I can be a bit animated at times. One of the topics which we covered in my last class has been a topic that has continued almost all of the years in which I have been teaching this class; the economics of passwords. We use passwords primarily for one reason, they are exceedingly ’cheap’. They are economically viable mechanism to conduct authentication of accounts in a highly distributed environment. This is the supposition we are given. In true ‘Freakonomics’ style however, I want to challenge that idea. Are passwords cheap?
This of course has been some what more of a pronounced subject lately as any since the news hit this week with Hold Security coming out and saying that a particular Russian gang has compromised over 1.2 billion identities. I won’t get into the politics of whether this was media hype or reality. If we are to take it at its face value, according to the estimates we have, the figure of almost 10% of the internet being stolen seems a bit too high. Consider this counter, that’s plenty of ‘things’.
To understand how ‘cheap’ passwords are today, we need to understand why are passwords still in use today? There are alternatives that could be used, but we must also remember that there are people who require the use of passwords in today’s world to access the internet as a whole. Would a device, a physical device, like a cellular phone, physical hardware fob, or some other authentication mechanism cause a hidden, or harmful ’tax’ on nations and people whom internet access is seen as an economic vehicle? The Internet has created new economies, one in which emerging markets can be economically viable. Creating a large enough barrier to entry would be equivalent to taxing connectivity, which could have many economic consequences.
Sitting here in my office I look down and consider the fact that I have an iPhone to my left in a cradle and a few Yubikeys that I give out from time to time as prizes. These are rather inexpensive items in the economy I am in currently. The iPhone is subsidized by increasingly more expensive data rates from carriers while the Yubikeys run in small increments of 20-25 dollars. In the economics sense of the word, I can put 20 or 25 dollars on a gift card and go to Starbucks or I can use my Yubikey.
Africa is a country which has leveraged technology to enhance its Mobile Payment system. The country of Uganda leads all other African nation and it uses Mobile Payments as a way to serve the unbanked and the underbanked. A decade ago, people would drive from town to town, or from a place of work to a home town on a bus with a satchel of money. In todays ‘technologically advanced’, African society they can move money digitally through the use of ‘SIM’ cards. They use a ‘sneaker net’ because they lack the ability to transfer digitally the currency over the internet. This becomes an interesting situation as we talk about the economics of passwords because eliminating the use of passwords or making them more ‘expensive’ would necessarily be a new barrier for the people of this continent to come online.
Why would we be so interested in solving the password issue, or at least researching it? One of the most interesting things about reviewing the use of something ‘cheap’ like a password is exposing whether we are actually saving money by using a systems like this. Password use, abuse, and fraud, could prove to be more expensive if it hides economic disincentives in work effort by consumers, work effort by developers, legal investigations, and other hidden forms of economic taxes. All this without taking into account the economic loss faced by other factors such as the legal cost of a breach, the loss in man power during a breach, media and PR work efforts, and overall monetary loss of what was ‘stolen’.
To evaluate passwords, what options have we designed today?
- These are the cheapest of the options we have today. The amount of effort it takes for a developer to push a string value from a form into a database and store it is next to nothing. They by far dominate the market. They also are completely backwards compatible. When you consider how Google Authenticator works, you have to default back to a password to interact with a Google Service that cannot take a 'two-factor' style password, such as Chat or Mail Clients (not webmail). The default method is to fall back to a randomly generated 16 character password. What problem does this really solve? Sending a password over an environment that is not safe is now done because it no longer can be captured and reused. If you enable the 'App-Specific' password functionality, you have a backdoor to your account with a password. The cost of 'training' someone to use this system is $0.
- Two-Factor systems with One Time Passwords
- Two Factor Systems are now available in several flavors. One of them is the traditional model that was Pioneered by the RSA company. The idea is that a 'seemingly' random string of digits is used a passed from client to server would solve the password replay problem. Some two factor systems have flaws. For example, the RSA Tokens have a seed value hard-coded into each Fob. This means that if the Fob is lost it could potentially be used to re-create the stream of text that could be used. A 'salt' is used to attempt to prevent this from happening. That salt is a 4-8 character set of number that follows the One Time Password String.
- Certificates on Clients
- Certificates on Clients can be used to try to provide a new level of authenticity for users. The Certificate itself does not replace the password, which is a novel concept. The passwords can still be used, but the Certificate can be presented to ensure that someone is 'who' they say they are. There are both technical and non-technical challenges to the Certificates. First, the actual Certificate Chain can never be 'invalidated', which it in itself will be 'challenging'. The ability to check for a valid certificate through the use of OSCP has its unfortunate issues with scaling. Secondly, getting a certificate onto a device is potentially challenging. In an enterprise environment where there is strict control over devices and authentication this can be accomplished. In a highly distributed environment like the Internet, this can be a challenge. If a certificate is used non-universally, as in one per website, there will be a large store on people's computer. If one is used ubiquitously such as one per device then all websites must trust other chains. The cost of actually leveraging a certificate could be quite high also when taking into consideration that users swap devices frequently today. Do you put the same certificate on a phone and a laptop? Different ones? Do you always new ones? How many does a single user need? If the cost implementing a single certificate is say $1 per internet user, do we need to spend billions in this effort?
- SMS Based Two Factor
- Another economically changeling schematic. SMS is still today a chargeable item. Each SMS message can cost several cents. A very busy website could be incurring a considerable cost for the owner of the site as well as the user of the site. This is not unlike the charge a credit card payment operator would be incurring for using the card interchange system. The biggest challenge is that unlike interchange it is not an additional fee within a charge model, it is a new fee. These fee's will be hardest absorbed by the poorest countries where SMS texts wouldn't be small fractions of a days salary but large fractions. For example, if you consider the recent Ebola outbreak in Sierra Leon, a single SMS could be 10% of someone's daily salary. That is too high of a barrier.
- Biometrics while interesting have one major flaw at the moment. Most biometric devices store your information as a string of text. This information is part of you. For example your iris or fingerprint, and while this may seem secure, if you ever have something compromised such as this sting, can you remove a finger? Do you use another finger? What happens after 10 compromises? These challenges haven't been quite solved yet. If you look at facial recognition systems, these systems also have some potential problems. Faces are not static, they actually change over time. The most sensitive facial recognition systems may have someone 're-enroll' their face several times a year.
- Password Vaults
- The idea that each web property has a unique username and password components. Since no single website has the same password from one site to another, only a single identity on a single site could be stolen. These also have the ability to change password on your behalf if the system is 'compromised'. Some of them have been recently in the news as not being 'secure enough', but these seem to be a somewhat viable option. They do have some issues, the encrypted database can be stolen for example. They also can be cumbersome when you are not using your own equipment but a mobile phone or some other 'browser-less' system.
Taking each of these into account, there are a myriad of options and a myriad of potential solutions, but before we consider each one, consider that a small, simple, passphrase has a behavioral component. Everyone that has used a computer on the planet understands what a simple password is. Training people, no matter how simple the concept, has an economic cost. The cost could be calculated in time instead of economic monetary calculations, but one of the starkest things to consider is that the cost of continuing down a model that is broken will also lead to loss in fraud and other criminal aspects.
Is changing the way that websites work with different authentication schemas economically feasible? First consider the amount of cost a developer would take to implement these systems in your environment. Lets say that the amount of effort to change a ‘website’ to allow user authentication over a different schema at 120-240 hours. This would be a team of 3 developers each working a week. Lets also say that the average cost of that labor at a simple round $100 an hour rate. We have just ‘upped’ the cost of website at about $10,000-$20,000. If we are to believe some of the estimates that a Minimal Viable Product (MVP) would be in the $50K to $300k range. Does increasing cost by 3% to 10% for many web startups seem a legitimate way to do business.
One alternative is to offload the authentication schemes to 3rd parties like Facebook and Google. This however has drawbacks such as vulnerabilities in the authentication schemas. It also has questions such as when a breach occurs that involves two parties such as yourself and Facebook, who leads the investigation? Who is to ‘blame’ for the loss of identity information? If it is not Facebook who is providing the authentication then how does one leave themselves protected from liability?
Finally there is the ‘economic’ cost of resetting passwords. Consider that the median american’s salary is 50k or about $25 an hour. If it takes 10 minutes of an american’s time to reset their password across 10 web properties once a year, this is 100 minutes a year in which there is a ‘time sink’ or a negative economic impact, which could cost almost $42 a year from each american. If 100 million americans are affected every year (a staggeringly high number), is this an economic loss of $4.2 Billion Dollars? The number seems high but could passwords truly have this large of an economic impact? Is a 100 million users and passwords too high? Are 10 web properties too high? Consider this breach in 2013, adobe had 38 million identities stolen. These 38 million identities, would they average $2.50 per user to reset their password? Is that almost $100 million dollars in consumers time?
Do you have any comments? Please provide them below.