What are Partial Passwords in Web Application Security

Almost every web application requires some kind of authentication. Typically this is a username/password combination, where the user is required to type their full password. Is this solution convenient? Probably yes. Is it secure? Not quite.

While there are several forms of password authentication, in this article we will be examining partial passwords.

Partial passwords is a technique that requires the user to type only a few randomly selected characters from a predefined password. The randomness and the number of selected characters are determined both by security policy and by password length. There are many different algorithms for selecting these characters, but we won't be covering them in this article.

 

Partial passwords have emerged as a viable solution in the online banking sector, alongside two-factor authentication (for example, the use of user-defined images) and the use of tokens (see the figure below).

 

 

A bit of Statistics

Typical password policies require a minimum of 8 characters. Online banking systems that employ partial passwords typically ask for 4-5 characters in order to pass authentication, so it is straightforward to write a formula for the number of possible combinations.

[Figure: partial password formula]

If we plug 8 characters-required and 5 characters-asked into our formula, we end up with 56 possible combinations. Assuming that after n/2+1 tries every character in the password has been typed, it appears that the password can be determined after 28 attempts at most. The minimum value is, of course, 2.

 

By doubling the number of required characters to 16, and keeping the number of asked characters at 5, we get a much better result: 4368 combinations, and therefore at most 2184 attempts before the password is revealed. But still, in the worst-case scenario, just 4 attempts are needed to determine the password.

Even though the number of combinations suggests otherwise, the combination of 16 required/5 asked is still not as safe as you would hope.
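The formula image is not reproduced on this page. The following derivation is added here and is not part of the original article; it assumes the formula is the binomial coefficient, which is the only count that yields the article's 56 and 4368 from its n (characters required) and k (characters asked):

$$\binom{n}{k} = \frac{n!}{k!\,(n-k)!}$$

$$\binom{8}{5} = \frac{8 \cdot 7 \cdot 6}{3 \cdot 2 \cdot 1} = 56, \qquad \binom{16}{5} = \frac{16 \cdot 15 \cdot 14 \cdot 13 \cdot 12}{5 \cdot 4 \cdot 3 \cdot 2 \cdot 1} = 4368$$

The smallest number of challenges that can expose every position of the password is $\lceil n/k \rceil$, which gives $\lceil 8/5 \rceil = 2$ and $\lceil 16/5 \rceil = 4$, the two worst-case figures quoted in the text. For a fixed n the count $\binom{n}{k}$ is largest at $k = n/2$; for $n = 16$ that is $\binom{16}{8} = 12870$.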

 

[Chart: partial passwords, number of combinations for varying n and k]

Here n is the number of characters-required and k is the number of characters-asked. This chart shows why it is better to choose values from the mid-range than at either extremity. As you can see, the sweet spot for k is n/2, or in simpler terms, 50% of the number of characters required.

Pros and Cons

On one hand, the partial passwords technique seems to be quite useful with many advantages. It is easy to implement, requiring no additional devices, special passwords, or certificates – this is a big plus for people who are tied to their budget.

 

It is also a great solution for accessing data from unsecured locations, such as a public computer system – since only parts of the password are revealed, it is unlikely that anyone sniffing traffic – or even looking over the users’ shoulder – will be able to use the data for illicit access.

 


It is also good at protecting users' passwords from being stolen by phishing pages (fake banking pages) or malware (key logging, screenshotting, or other types of malicious software). It also allows web application engineers to stop the user from relying on the 'auto complete' function present in many browsers. Of course, by default this functionality is disabled for password fields in all browsers, but it is easily activated.

 

On the other hand, most users consider partial passwords an annoyance: not only do they have to remember their password, but they also have to count along each character to type the correct sequence. Of course, when you combine the ideal of 16 characters-required with the requirement that the user remember this password, you can assume they have written it down on a sticky note stuck to their monitor or the underside of their keyboard, or even typed it into their mobile phone to make counting easier.

From a technical point of view, partial passwords can be as dangerous as full passwords. Since most users access their accounts from the same system on a regular basis, if that system is infected with malware they will, over time, give up their entire password. As I mentioned earlier, it takes a minimum of only 2 attempts to determine an 8 characters-required/5 characters-asked partial password.

 

Moreover, even if the character selection algorithm tries to avoid repeating the same combination, if the password is too short it won't take long before a sequence repeats, and by then a keylogger will have captured every character in the password.

 

Finally, shoulder-surfing (when people look over your shoulder) needs to be re-evaluated. Let's assume people type at an average of 180 characters per minute, or 3 characters per second. It's a conservative estimate, but let's go with it. In order to enter specific characters of their password, the user must slow their input speed to count as they type, making it much easier for someone watching to follow their keystrokes.
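The leakage argument in the last few paragraphs (an observer on an infected or watched machine eventually sees every position, and the 2- and 4-login lower bounds) can be checked numerically. The simulation below is an added example, not code from the article; the selector functions, the hypothetical "no-repeat" policy and the trial counts are my own assumptions, and the observer model is simply "every answered challenge is recorded".

```python
import math
import random
from typing import Callable, List, Set

# A selector draws the k positions to ask for, given the challenges issued so far.
Selector = Callable[[random.Random, int, int, List[frozenset]], frozenset]


def combinations(n: int, k: int) -> int:
    """Number of distinct position sets a k-of-n partial password can ask for."""
    return math.comb(n, k)


def best_k(n: int) -> int:
    """The k that maximises C(n, k): the mid-range value the article's chart points to."""
    return max(range(1, n), key=lambda k: math.comb(n, k))


def min_challenges_to_expose(n: int, k: int) -> int:
    """Fewest challenges that can expose all n positions: ceil(n / k) (2 for 8/5, 4 for 16/5)."""
    return math.ceil(n / k)


def uniform_selector(rng: random.Random, n: int, k: int, history: List[frozenset]) -> frozenset:
    """Pick k distinct positions at random; nothing stops an earlier set from being reissued."""
    return frozenset(rng.sample(range(n), k))


def no_repeat_selector(rng: random.Random, n: int, k: int, history: List[frozenset]) -> frozenset:
    """Pick k positions at random but reject any set issued before (until all C(n,k) sets are used).
    This is the hypothetical 'avoid repeats' policy the article mentions; it does not slow leakage."""
    issued = set(history)
    if len(issued) >= math.comb(n, k):
        issued = set()  # every subset has been issued once; repeats are unavoidable from here on
    while True:
        candidate = frozenset(rng.sample(range(n), k))
        if candidate not in issued:
            return candidate


def challenges_until_full_leak(n: int, k: int, selector: Selector, seed: int = 0) -> int:
    """Simulate an observer (keylogger or shoulder surfer) who records every challenge the user answers.
    Returns how many logins were observed before all n positions had been typed at least once."""
    rng = random.Random(seed)      # seeded so a run is reproducible; the server would use a CSPRNG
    seen: Set[int] = set()
    history: List[frozenset] = []
    logins = 0
    while len(seen) < n:
        positions = selector(rng, n, k, history)
        history.append(positions)
        seen.update(positions)
        logins += 1
    return logins


def average_leak(n: int, k: int, selector: Selector, trials: int = 200) -> float:
    """Mean number of observed logins until full leak, across independent seeds."""
    return sum(challenges_until_full_leak(n, k, selector, s) for s in range(trials)) / trials


if __name__ == "__main__":
    for n, k in ((8, 5), (16, 5), (16, 8)):
        print(f"n={n} k={k}: C(n,k)={combinations(n, k)}, "
              f"lower bound={min_challenges_to_expose(n, k)} logins, "
              f"avg logins to full leak: uniform={average_leak(n, k, uniform_selector):.1f}, "
              f"no-repeat={average_leak(n, k, no_repeat_selector):.1f}")
```

The averages are the figure a defender should care about: with 8 required/5 asked the observer typically holds the whole password after a handful of logins, and avoiding repeated position sets barely changes that, because leakage is driven by coverage of positions, not by repetition of sets.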

 

Conclusion

 

As I’ve demonstrated above, partial passwords have many advantages, but one thing is quite certain: partial passwords have to be used carefully. The technique is interesting, but in the end it does not protect people enough – they are still at risk of key loggers and fake sites. If you are considering implementation of a partial passwords system, there are three rules to take into account:

 

• Reliable password security policies must still be enforced, including password complexity and length.
• A strong randomization algorithm needs to be employed for the characters-asked step, one that provides the least possible repetition of character combinations.
• Remember that partial passwords do not offer any substantial additional security to users who regularly access the system from their personal computer; they are still at risk of malware infection, and alternative solutions that address this possibility should therefore be offered to them.
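The three rules above can be turned into a minimal server-side flow. The following is an added example written for this page, not code from the article or from any banking product; the policy thresholds (`MIN_LENGTH`, `RECENT_CHALLENGES`), the class and method names and the sample credential are assumptions. One consequence of the scheme that the article does not spell out is visible in `UserRecord`: because the server must check arbitrary subsets of characters, the password cannot be stored as a single salted hash, so the stored secret needs to be protected in other ways (encryption at rest, restricted access).

```python
import hmac
import secrets
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, FrozenSet, Optional, Tuple

MIN_LENGTH = 16          # assumed policy value, taken from the article's 16-character example
RECENT_CHALLENGES = 32   # assumed: how many recent position sets per user are not reissued


class PolicyError(ValueError):
    """Raised when an enrolled password fails the length/complexity policy (rule 1)."""


def check_policy(password: str, min_length: int = MIN_LENGTH) -> None:
    """Rule 1: partial passwords do not relax the underlying password policy."""
    if len(password) < min_length:
        raise PolicyError(f"password must be at least {min_length} characters")
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    if sum(classes) < 3:
        raise PolicyError("password must contain at least three character classes")


def policy_ok(password: str) -> bool:
    """Convenience wrapper returning True/False instead of raising."""
    try:
        check_policy(password)
        return True
    except PolicyError:
        return False


@dataclass
class UserRecord:
    # The scheme has to read arbitrary characters of the secret, so it cannot be kept
    # as a single salted hash; in production this field would be encrypted at rest.
    secret: str
    recent: Deque[FrozenSet[int]] = field(default_factory=lambda: deque(maxlen=RECENT_CHALLENGES))
    pending: Optional[FrozenSet[int]] = None   # the one outstanding challenge, if any


class PartialPasswordServer:
    """Hypothetical server-side flow: enroll -> issue_challenge -> verify."""

    def __init__(self, k: int = 5) -> None:
        self.k = k                          # characters-asked
        self.rng = secrets.SystemRandom()   # CSPRNG for position selection (rule 2)
        self.users: Dict[str, UserRecord] = {}

    def enroll(self, username: str, password: str) -> None:
        check_policy(password)
        self.users[username] = UserRecord(secret=password)

    def issue_challenge(self, username: str) -> Tuple[int, ...]:
        """Rule 2: draw k positions with a CSPRNG and avoid recently issued sets.
        Returns the 1-based positions the user is asked to type."""
        rec = self.users[username]
        n = len(rec.secret)
        positions = frozenset(self.rng.sample(range(n), self.k))
        for _ in range(100):   # bounded retry; C(n, k) is far larger than RECENT_CHALLENGES here
            if positions not in rec.recent:
                break
            positions = frozenset(self.rng.sample(range(n), self.k))
        rec.recent.append(positions)
        rec.pending = positions
        return tuple(sorted(p + 1 for p in positions))

    def verify(self, username: str, answer: str) -> bool:
        """Check the answer against the outstanding challenge, then discard it so it cannot be replayed."""
        rec = self.users[username]
        if rec.pending is None:
            return False
        expected = "".join(rec.secret[p] for p in sorted(rec.pending))
        rec.pending = None
        return hmac.compare_digest(expected.encode(), answer.encode())


if __name__ == "__main__":
    server = PartialPasswordServer(k=5)
    server.enroll("alice", "Correct-Horse9-Battery")   # constructed sample credential
    asked = server.issue_challenge("alice")
    reply = "".join("Correct-Horse9-Battery"[p - 1] for p in asked)
    print(asked, server.verify("alice", reply))        # positions vary; verify returns True
```

Two design points are worth noting. The challenge is consumed on the first `verify` call whether it succeeds or not, so a captured answer cannot be replayed against a later login, and the comparison uses `hmac.compare_digest` so a wrong answer fails in constant time. Neither helps the user the article's third rule is about: on a machine with a keylogger, every answered challenge still leaks k more characters, which is why that rule asks for an alternative mechanism rather than a tweak to this one.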

 

Failure to take these points into account could expose your system to more threats and danger than other techniques.

 

[Sources: IT Security Magazine]

© 2013 Updated Tech News Results and Reviews