0

Understanding Password Authentication from A to Z

Authentication
Thierry Gagnon
Aug 31, 2023
Understanding Password Authentication from A to Z

Password Protocols and Standards

Password-based authentication protocols are established series of steps and processes that use passwords to verify the identity of someone accessing a service or resource. These protocols outline rules that help achieve the secure exchange of password data between two entities. Beyond protocols, there are also various standards and techniques that help to increase the security of password-based authentication. 

What is the Password Authentication Protocol?

The Password Authentication Protocol (PAP) is a method for transmitting and authenticating passwords over a network. PAP serves as an internet standard protocol that uses a two-way handshake to establish a link between client devices and servers. However, this somewhat outdated method does not have robust security as it sends passwords over the network in plain text form. 

PAP is just one password authentication protocol—here are some other common authentication protocols that are used today:

  • CHAP (Challenge Handshake Authentication Protocol): This protocol validates the identity of remote clients with Point to Point Protocol (PPP) servers using a one-way hash function so that the actual password doesn’t get shared over the network. 
  • OpenID: OpenID authenticates users with cooperating applications (known as relying parties) using a third-party service. This means that users can log into multiple apps or services with a single set of credentials from their OpenID provider.
  • SAML (Security Assertion Markup Language): SAML is an XML_based open standard for exchanging authentication and authorization data between two parties. This protocol allows a user to authenticate at one place (a centralized identity provider) and then get access to multiple apps or services (service providers) without having to re-enter credentials. The protocol relies on a trusted relationship established between the identity provider and service provider based on a secure token known as a SAML assertion. 

Beyond protocols, there are other standards and techniques that enhance the security of password-based authentication. 

Hashing and Salting Techniques

Hashing is the process of converting a password into a unique string of characters using a hash function. The hash function is just a mathematical function that takes input of variable sizes (like passwords) and converts them to outputs of a fixed length.  

Because a hash function is one-way, you can’t derive the original password from the hash, which helps bolster security when storing passwords as hashed values. This one-way functionality also explains why users need to reset passwords when they forget them—the hashed value can’t be used to retrieve the original password. 

One issue with hashing is when two users have the same password, they’ll also have the same hash. That’s where salting enters the equation. A salt is a random string that’s generated for each password and then appended (or prepended) to a user’s password before hashing. This means that even if two users have the same password, their hashes will be different because the salts are different.

Together, both techniques make it much more difficult for hackers to target passwords and more importantly entire password databases. In fact, hashing/salting makes it impossible for attackers to use a single rainbow table to hack a password database. Instead, each user has to be targeted individually, which is extremely time-consuming especially when dealing with slow hash functions like Argon2. This alone makes these techniques invaluable, but salting also protects individual user passwords on its own, proving  high entropy and ruling out attacks against commonly-used passwords.

Encryption During Transmission for Secure Authentication

Even if you securely store passwords using hashing and salting, they might be vulnerable when transmitted over a network, such as when a user logs in remotely to their workstation via a remote desktop connection. This is where encryption protocols like SSL (Secure Sockets Layer) and TLS (Transport Layer Security) come into play by helping secure passwords in transit. Today, however, it’s important to note that SSL protocols are deprecated and no longer supported by most servers and clients. The same goes for TLS 1.0 and 1.1, with the internet having moved to TLS 1.2 and 1.3 for secure communication. 

These protocols scramble the data packet containing a user’s password into an unreadable format using a specific encryption key. Even if an opportunistic hacker manages to intercept data packets, using SSL/TLS ensures they can’t understand the data they intercept so that the user’s password remains unknown. 

Secure password management and storage

Secure password storage and management are both necessary to prevent unauthorized access to your systems and resources. Password management often focuses on users, but the user side of the equation is not the full picture. Aside from encouraging users to create strong and unique passwords, your systems should use up-to-date hashing algorithms, limit incorrect login attempts, and get regularly tested for vulnerabilities.

The Importance of Secure Password Authentication

In many contexts, passwords are the primary means of verifying user identities—they’re widely used in online accounts, email services, network logins, and probably the majority of your business applications. Passwords offer a straightforward way for your employees to access their accounts without the need for specialized hardware or complex processes that may get in the way of completing their daily work.

A strong password, characterized by complexity, length, and uniqueness, significantly reduces the risk of unauthorized access to your systems, data, and other resources. Robust passwords are harder to crack using brute force attacks in which adversaries systematically try various combinations to guess the password.

Advice about passwords often focuses on incorporating a mix of uppercase and lowercase letters, numbers, and special characters. While complexity can be good, longer passwords are arguably even more secure than complex ones. The time taken to crack a password by brute force grows exponentially with password length. It’s also generally easier for people to remember longer phrases or sequences of familiar words than complex combinations of characters, symbols, and numbers. 

However, common security risks persist with password authentication. Brute force attacks remain a considerable threat, especially when users choose weak, easily guessable passwords. Another significant issue is password reuse. Users often employ the same password across multiple platforms, exposing themselves to widespread vulnerabilities. If one account is compromised, attackers can gain access to other accounts using the same credentials. For this reason, along with the fact that most users find themselves managing over 20 passwords, it is important that users select unique passwords and consider using a secure password manager, as most users find themselves managing over 20 passwords.

How Password-Based Authentication Works

1. User Registration and Password Creation

When a new user registers for an app, they get asked to choose a username (or provide an email address) and create a password. Most modern systems require setting a strong password that complies with specific rules, such as a minimum length and the use of a combination of upper and lower case letters, numbers, and special characters. Hashing and salting techniques get applied to the selected password, and the output then gets stored in a password database.

2. Password Verification During Login Attempts

When a user attempts to log in, the system/app needs to verify that the provided password is correct in two steps. The first step, re-hashing, sees users entering their username and password. The system then retrieves the salt associated with that username, adds it to the entered password, and applies the hash function.

The system compares the resulting hash with the stored values in the password database. If the values match, the password is correct, and the user gets access to the system.

3. Handling Password Recovery and Reset Mechanisms

When users forget their passwords, secure systems offer mechanisms to reset them:

Reset Link/Code: The system asks the user to enter their username or email address. The system then sends a unique password reset link or code to the user’s registered email address or phone number. During this process, it is important to not give any indication that the username and/or email address exists in the database. Messages such as “If the email is linked to an account, you will receive a reset link” are better than those indicating that an account was not found, as these prompts would help an attacker figuring out what email addresses are in use.

Password Reset: The system prompts users to enter a new password (and confirm it). The system will then generate and store a new hash (and salt).

How Multi-Factor Authentication Enhances Password-Based Security

The previous three steps outline the basic flow of password-based authentication. However, passwords are still susceptible to cracking due to poor password hygiene or social engineering. A high-profile breach in 2022 saw hackers post offensive messages on Apple News by hacking into multiple accounts belonging to a single user at a media publication. The user in question selected “Pizza123”, an easily guessable password, and reused it across several accounts.

To mitigate the risk of only relying on passwords, multi-factor authentication adds an extra layer of protection. MFA requires the user to present two or more separate types of evidence of their identity before gaining access to their account. These distinct forms of evidence are drawn from the three factors of authentication: something the user knows (like a password), something the user has (like a physical token or a phone), and something the user is (like a fingerprint or other biometric identifier).

With MFA, even if a motivated threat actor cracks or otherwise accesses a user’s correct password, access to the particular account or system is not possible without another factor(s). MFA protects against phishing, keylogging, credential stuffing, and other cyber attacks that rely on obtaining a user’s password.

Still, with MFA it is important to note that not all factors are equal. For example, MFA reliant on SMS one-time-passwords (OTPs) are notoriously insecure due to the inherent risk of SIM hijacking. Additionally, possession factors connected to the internet also run the risk of being compromised by a remote attacker.

Ensuring Security in Password Authentication

Here are some tips to ensure security in password authentication:

Encryption during transmission:

  • Implement SSL/TLS certificates to establish encrypted connections between clients and servers.
  • Always use secure communication protocols like HTTPS to encrypt passwords during transmission over the internet.
  • Never send passwords via plain text emails or unsecured messaging platforms.

Strong password policies:

  • Enforce password complexity requirements, including a mix of uppercase and lowercase letters, numbers, and special characters.
  • Set minimum password length to prevent weak and easily guessable passwords like Pizza123.
  • Encourage users to create unique passwords for each account and avoid password reuse.

Password managers:

  • Promote the use of locally stored or self-managed password managers among employees to help them more easily generate and store strong, unique passwords for each account. (Note: Cloud-based password managers are another option, however, they run a higher risk of comprise as we have already seen with the recent LastPass hack)
  • Password managers can automatically fill in login credentials and reduce the risk of phishing attacks.

Secure password storage:

  • Store passwords using strong encryption techniques, such as bcrypt or Argon2, in databases.
  • Do not store passwords in plaintext or use weak hashing algorithms like MD5 or SHA-1

Advantages and Limitations of Password Authentication

Advantages of Password AuthenticationLimitations of Password Authentication
Familiarity: Users are accustomed to password systemsVulnerable to Weak Passwords: Users may choose weak or easily guessable passwords
Ease of Implementation: Widely supported and easy to set upPassword Reuse: Users often reuse passwords across multiple accounts, increasing the risk of compromise
Cost-Effective: Minimal infrastructure and hardware requirementsBrute Force Attacks: Passwords can be vulnerable to brute force attacks, where attackers systematically guess passwords
User Control: Users can manage their passwords and change them when neededSocial Engineering: Attackers can manipulate users into revealing passwords through social engineering tactics
Compatibility: Works with various platforms and systemsPassword Recovery Vulnerabilities: Security questions and email-based recovery can be exploited by attackers
Suitable for Low-Risk Environments: Sufficient for scenarios with minimal security needsPassword Storage Risks: Inadequate password storage practices can lead to breaches and data exposure
Multi-Factor Authentication Support: Can be combined with other authentication methods for added securityForgotten Passwords: Users may forget passwords, leading to frustration and account lockouts
Easily Resettable: Users can reset their passwords if forgotten or compromisedUser Error: Users may unintentionally disclose passwords, compromising security
Scalable: Can accommodate a large number of usersSingle Point of Failure: If a user’s password is compromised, it grants access to multiple services and accounts
Widely Accepted: Used across various industries and servicesDifficulty in Remembering Complex Passwords: Strong passwords can be challenging for users to memorize

Common Password Authentication Methods

Having covered some easy tips to bolster password security, let’s take a look at some common password authentication methods that we are seeing in the market, before presenting the most relevant use cases that passwords hold today.

2FA (Two-Factor Authentication) – combining a traditional username-password pair with an extra factor for improved security. Common examples are SMS codes, smartphone push notifications, and hardware tokens. 

Token Authentication – verifies a user’s identity by generating a digital token after their normal username-password credentials have been initially verified. These tokens are unique, encoded strings of characters generated by a server and given to the user for subsequent requests. Time-based tokens expire after a certain period of time while session-based tokens are tied to a particular user session, and they become invalid once the session ends.

Biometric Authentication – verifies a user’s identity based on unique biological characteristics like fingerprint and facial recognition. Biometric authentication is highly secure because it relies on unique personal characteristics that are difficult to replicate or steal. However, there are also challenges associated with biometric authentication. Privacy concerns are prominent because biometric data, once stolen, cannot be changed like a password.

Computer Recognition Authentication – Computer recognition methods like device fingerprinting involve collecting various data about a user’s device, such as the IP address, screen resolution, browser type and version, operating system, and even specific settings to create a unique identifier or “fingerprint” for that device.

The fingerprint serves as an additional layer of security when paired with traditional password-based authentication. When a user tries to log into a service, the system not only checks the entered username and password but also whether the device being used matches a known fingerprint associated with that user. If the device is not recognized, additional security measures can be implemented, like requiring further identity verification or blocking the login attempt.

CAPTCHAs – CAPTCHAs are often paired with password-based authentication to help distinguish between human users and automated scripts or bots. CAPTCHAs present tasks that are easy for humans but difficult for machines, such as identifying objects in images, deciphering distorted text, or solving simple puzzles. The main objective of a CAPTCHA is to prevent automated attacks, such as credential stuffing or brute-force attacks, where attackers use software to automatically enter many username-password combinations in an attempt to gain unauthorized access. 

Password Authentication Use Cases

Compliance with Various Security Standards and Data Privacy Regulations

Compliance with security standards is critical in many sectors for landing contracts with vendors or for simply proving that you take cybersecurity seriously. Data privacy regulations protect various types of data in different industries and regions, with the consequences stretching from severe fines to reputational damage.

For example, ISO/IEC 27001 stipulates requirements for an information security management system. These requirements include a guideline to enforce password-based user authentication for system access. 

The Service Organization Control (SOC) 2 framework sets criteria for managing customer data based on five “trust service principles”—security, availability, processing integrity, confidentiality, and privacy. In the context of password authentication, SOC 2 requires organizations to implement and maintain stringent access control measures, including robust password policies.

The Payment Card Industry Data Security Standard (PCI DSS) regulates businesses that handle credit card transactions. One of the requirements for compliance is the use of strong cryptographic controls for password protection. It also mandates that businesses should implement a strong password policy, including password length, complexity, and change of passwords every 90 days.

BPO and Consultancy Companies

In business process outsourcing (BPO) and consulting firms, password authentication is commonly used to secure access to various systems, applications, and data. Given the nature of these businesses, which often involves handling sensitive information from multiple clients, strong security measures are crucial.

Many BPO and consulting firms now employ additional layers of security, such as two-factor authentication (2FA) or multi-factor authentication (MFA). This could involve the use of biometrics, hardware tokens, or software tokens in addition to passwords.

National Defense and Governmental Institutions

Password authentication is a crucial part of securing sensitive information within national defense and government agencies. As these entities deal with highly sensitive and classified information, strict access controls and authentication protocols are essential. Passwords are a fundamental part of these protocols and are often used in combination with other authentication measures for added security.

Password policies in these sectors tend to be stringent, requiring the use of strong, complex passwords, regular password changes, and no password reuse. Some agencies even employ password management tools that automatically generate and store complex passwords.

Malicious Programs Bypassing Endpoint Security

As a gatekeeper to your valuable IT resources, a strong password can effectively deter many types of attacks, including those from malware, spyware, and other malicious software that attempt to gain unauthorized access. These tricky malicious programs often bypass endpoint security solutions on user devices, where they lurk undetected trying to gain access to further accounts or resources. 

Certain types of malware may attempt “brute-force” attacks, which involve systematically guessing passwords to gain access to a system. Strong, complex passwords that are changed regularly make these types of attacks significantly harder and can provide an effective defense against them. 

How Are Passwords Stored?

To preserve data security and user privacy, secure password storage is essential. In this section we will explore the process of storing passwords in a secure environment, and how cryptographic hashing works and contributes to password security.

Password Storage in a Secure Password Database

  • User Registration: A password is selected by the user and provided to the server when they register for an account.
  • Password Hashing: The system utilizes a cryptographic hashing technique to transform the plaintext password into a fixed-size sequence of characters, commonly referred to as a hash value, before saving it in the database.
  • Salt Addition: Before hashing the password, a random string of characters known as a “salt” is added to increase the security of the hash. By doing this, it is made sure that even if two users share the same password, their password hashes will be unique.
  • Storing the Hash: Instead of storing the original password, the server instead stores this hash value (together with the salt) in the password database.
  • User Login: Users must enter their password to log in, which is then hashed once again using the same hashing algorithm and salt. The database’s hash is then compared to the one that was generated. The user is authenticated if they match.

Cryptographic Hashing Techniques for Database Security

  • One-way Functionality: Since hashing techniques are one-way functions, once a password has been created, it cannot be changed back to its original form. By doing this, it is made sure that even if a hacker gains access to the database, they cannot extract the password’s actual text from the hash.
  • Common Algorithms: Typical Algorithms SHA-256, bcrypt, and Argon2 are a few of the popular cryptographic hashing algorithms. SHA-256 is a member of the SHA-2 family. All are intended to be computationally costly to fend off brute-force attacks, while each has its advantages.
  • Handling Collisions: A collision in cryptography happens when two different inputs result in the same hash. Good cryptographic hash algorithms reduce collisions and ensure that each hash value is as unique as possible.
  • Regularly Updating Hash Functions: As processing power develops over time, some hashing methods may become weak. As a result, it’s critical to stay up to date on the most recent developments in cryptographic approaches and update hashing techniques as required.

Password Alternatives

Password alternatives are authentication methods that do not rely on traditional user ID and password combinations. Possession or inheritance-based methods are among these alternatives and include solutions like smart cards, hardware tokens, and biometrics.

Smart cards: Smart cards are physical cards that contain an embedded integrated circuit chip. The chip can process data and is used to authenticate the user. To access a system, the user inserts the smart card into a reader, often in combination with a PIN for an extra layer of security (two-factor authentication).

Hardware tokens: A hardware token is a physical device, often small enough to be carried in a pocket, that generates a one-time password (OTP) for authentication. The OTP can be used for a single login session or transaction, adding an extra layer of security.

Biometrics: Biometric authentication methods utilize the unique biological characteristics of an individual, like fingerprints, facial patterns, voice, or even retinal patterns for identity verification. These methods are increasingly being used as they are difficult to fake and do not require the user to remember anything.

Conclusion

Despite technological evolutions spawning the availability of increasingly diverse authentication solutions, password authentication remains a fundamental part of securing user identities in the digital realm. The familiarity and ease of implementation will ensure that passwords aren’t going to be obsolete in our immediate future, however, the longevity of passwords will be put to the test by new and exciting passwordless innovations.

At Kelvin Zero, we are going beyond passwords, creating next-gen authentication and trust solutions to help secure your organization. With Multi-Pass, we’ve reimagined authentication, combining smart card technology and offline biometrics and cryptography into one global passwordless solution for your employees and customers.

Contact us today and set up a demo to learn more about Multi-Pass and how Kelvin Zero can help you reduce your attack surface and protect your organization against credential-based attacks.

Thierry Gagnon

Thierry is co-founder and CTO of Kelvin Zero and one of the world's foremost experts on secure information sharing networks. With expertise in the development of automated systems, cyber knowledge bases, malware analysis & reverse engineering, and cyber threat intelligence, we are grateful to...