Alphanumerics: Security's Weakest Link
You have heard me say before that alphanumerics are the weakest link in any authentication system. Some of you might ask why I would criticize the most widely used form of the Knowledge Factor in user authentication (see the blog entry "Clarifying the Three Factors of Authentication"). This article explains our position on passwords and PIN codes: why they are so vulnerable, and why you should not lose hope.
A chain is only as strong as its weakest link, so let's apply this time-worn analogy to multi-factor authentication. NIST groups all authentication methods into three distinct "factors": tokens (something you have), biometrics (something you are) and secrets (something you know). Secrets are things you memorize: typically passwords, PIN codes, your favorite color, your first dog's middle name; you get the point. They can all be represented as alphanumerics, letters and numbers, and you hand them over whenever you register an identity for an email address, bank account, Facebook or Google account, and so on. You type the information in, and the provider stores it in a database so that it can challenge you with it when you forget your other alphanumeric secret, the password: it asks the question and compares your answer to the one it holds. You already know this. What you might not realize is that these same databases are what gets breached, and everything in them (credit card numbers, passwords, PINs, your first dog's middle name) is alphanumeric data. It might sound obvious, but this is exactly the knowledge-factor data that hackers stole and used in 2015 to break into the email accounts of:
- CIA Director John Brennan
- FBI Deputy Director Mark Giuliano
- US National Intelligence Director James Clapper
- Former Secretary of State Hillary Clinton
- and others.
The hackers proved a point: everyone is vulnerable to credential theft as long as we rely on alphanumerics.
Now let's look at this from a slightly different perspective: what if this data, your secrets, were not alphanumeric? Not your typical letters and numbers, not your dog's middle name or the street you lived on when you were 10, not readable information that lets anyone who knows it reset your email password (which is exactly how 3 of the 4 people above got hacked). Those people would very likely not have been hacked. In fact, if we add up the top 5 consumer data breaches of 2014 (Adobe, eBay, JPMorgan, Target and Home Depot), we could have saved a lot of trouble for the 499 million people whose personal data (names, addresses, phone numbers, email addresses, credit card numbers, passwords, etc.) was compromised. Companies in the United States lost $40 billion in 2014 to employee misuse (such as sharing) of login credentials; we might have greatly reduced, if not eliminated, that. Further, Mr. Snowden would have had a much harder time stealing the globally sensitive data that he did in 2012 (industry experts have in fact pointed out on several occasions that, had SensiPass been the authentication method in use, the Snowden breach and leak could never have taken place).
Nearly every knowledge factor (a shared secret) in use is an alphanumeric password (dare I say 99.99% of them), and that alphanumeric data is a prime target for cybercriminals and terrorists. So what has the industry mostly done about it? We make passwords more complicated and make you change them every month, so some people write them down in a notebook or keep them in a spreadsheet (no, not you, I know), which turns them from a secret into a token (see that same blog entry, "Clarifying the Three Factors of Authentication"). The problem is that criminals and their technology keep getting smarter and can keep up with password-itis; we can't win. As long as there are alphanumerics in the authentication system, they will be the vulnerable and targeted point of entry, because they are static.
What do I mean by static? Today your password is "passworD123", and unless you change it, next week it will still be "passworD123". Whatever the hacker steals stays valid until you notice it is stolen and change it, and by then it is probably too late. Biometrics are less static (more dynamic) than alphanumerics, though how much varies by biometric type and a few other things; that is for a future blog article. So we replace passwords with biometrics, right? Perhaps add a device ID or a one-time password for 2FA? But that removes the knowledge factor, an entire category of authentication (one of the three factors we have), and merely sidesteps the problem.
SensiPass took a different approach. We replaced the static knowledge factor with a simple, secret interaction, creating a dynamic knowledge factor that is nearly impossible to compromise. We have removed the vulnerabilities of static alphanumerics and integrated the best available biometric technologies for 3-factor authentication in 3 seconds, without passwords or PIN codes, that you can use securely on your smartphone. Simply elegant, sensible authentication.
Mike, thanks for sharing!
Charles, thank you for taking the time to comment on my little blog; I appreciate it. We certainly agree with you that complex 10-character passwords are not very secure, as algorithm and computing-power improvements are turning them into child's play, as cited in the Schneier article referenced by Desmond. Such complexity also forces users to jot them down in books or spreadsheets for convenient reference, a typically unsafe method of managing them, just for convenience. You may have misinterpreted that statement as me implying that companies store raw passwords in user password databases. I did not imply that corporate password databases weren't mostly hashed, but the millions of successful database hacks demonstrate that hashing will not make them impervious to cybercriminals. My point is that alphanumeric knowledge factors, as passwords, are easy to crack, and "those secrets" are easy to guess, as many can be phished, stolen or scraped from social platforms. Replacing them with the complex, non-repeating strings contained in simple secret interactions is one way to address this challenge.
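As an added example (not code from the post, nor anything SensiPass ships), the Python script below demonstrates the point made in the post about static, low-entropy secrets and the point in the reply above that hashing a leaked database does not make those secrets safe. The wordlist, the "leaked" reset-question table and both storage schemes (unsalted SHA-256, and salted PBKDF2-HMAC-SHA256) are constructed assumptions for the demonstration; they are not taken from any real breach.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed wordlist of the low-entropy "knowledge factor" answers the post
# describes (pet names, streets, colours, a weak password). Hypothetical data.
WORDLIST = [
    "fluffy", "rex", "buddy", "max", "blue", "green",
    "elm street", "main street", "passworD123", "summer2015",
]


def naive_hash(answer: str) -> str:
    """Assumed weak storage scheme: unsalted SHA-256 of the lowercased answer."""
    return hashlib.sha256(answer.lower().encode()).hexdigest()


# Constructed "leaked" reset-question table: user -> stored hash.
# Two users chose the same dog name; the attack reveals that too.
LEAKED_UNSALTED = {
    "alice": naive_hash("Fluffy"),
    "bob": naive_hash("Main Street"),
    "carol": naive_hash("passworD123"),
    "dave": naive_hash("fluffy"),
}


def crack_unsalted(leaked: dict[str, str], wordlist: list[str]) -> dict[str, str]:
    """Dictionary attack on unsalted hashes.

    Each candidate is hashed once and looked up against every row, so the
    cost is one hash per wordlist entry no matter how many users leaked.
    """
    lookup = {naive_hash(word): word for word in wordlist}
    return {user: lookup[digest] for user, digest in leaked.items() if digest in lookup}


def pbkdf2_hash(answer: str, salt: bytes, iterations: int) -> bytes:
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", answer.lower().encode(), salt, iterations)


def build_salted_rows(answers: dict[str, str], iterations: int) -> dict[str, tuple[bytes, bytes]]:
    """Store each answer under its own random 16-byte salt."""
    rows = {}
    for user, answer in answers.items():
        salt = os.urandom(16)
        rows[user] = (salt, pbkdf2_hash(answer, salt, iterations))
    return rows


def crack_salted(rows: dict[str, tuple[bytes, bytes]], wordlist: list[str],
                 iterations: int) -> tuple[dict[str, str], int]:
    """Dictionary attack on salted slow hashes.

    The per-user salt defeats the shared lookup table: every row costs a
    fresh pass over the wordlist. Returns the recovered answers and the
    number of PBKDF2 computations spent. A low-entropy static secret still
    falls; the defender only bought a larger work factor, not safety.
    """
    recovered: dict[str, str] = {}
    work = 0
    for user, (salt, digest) in rows.items():
        for word in wordlist:
            work += 1
            if hmac.compare_digest(pbkdf2_hash(word, salt, iterations), digest):
                recovered[user] = word
                break
    return recovered, work


if __name__ == "__main__":
    print("unsalted:", crack_unsalted(LEAKED_UNSALTED, WORDLIST))
    answers = {"alice": "Fluffy", "bob": "Main Street",
               "carol": "passworD123", "dave": "fluffy"}
    rows = build_salted_rows(answers, iterations=200_000)
    found, work = crack_salted(rows, WORDLIST, iterations=200_000)
    print("salted:", found, "after", work, "PBKDF2 computations")
```

Running it shows all four unsalted rows recovered with ten hash computations, and all four salted rows recovered as well, just at the cost of one PBKDF2 computation per guess per user. Only an answer that is not in the attacker's wordlist survives, which is the practical meaning of "static alphanumeric secrets are the weakest link": once the secret is guessable and stolen, the hashing scheme decides how long the attacker waits, not whether they succeed.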