Password Security Evolution: A Modern Perspective

Ahmed
7 min readAug 31, 2023

Table of Contents:

1- Introduction

2- The Folly of Forced Password Changes

3- A Tiered Approach to Password Security

4- Conclusion

1- Introduction

According to many, the first Thursday of May annually marks World Password Day. As cryptic as that may sound, the day exists, and this year it falls on May 6th.

Before we go deep into the heart of this discussion — password security — it’s crucial to take a walk down memory lane to understand its evolution. Once upon a time, during the era most millennials now refer to as “the last century,” setting a password was a straightforward affair.

Mainframe systems of the time could only process a password with a maximum of eight characters, with no case sensitivity. Even more unsettling was the fact that these passwords were stored in an unencrypted format, easily accessible to anyone with system administrative privileges, whether well-intentioned or malicious. With technological advances came more complex hashing algorithms, such as:

MD5 (Message Digest Algorithm 5): It’s a widely utilized cryptographic hash function that generates a 128-bit hash value. It’s commonly employed to verify file integrity and serve as a checksum.

LM (LAN Manager): It is an older authentication protocol employed in Microsoft Windows OS to create network connections. Its security is compromised due to identified vulnerabilities.

NTLM (New Technology LAN Manager): It is an upgraded edition of the LAN Manager authentication mechanism. It’s utilized for authentication in Windows networks and offers better security than the original LM protocol.

SHA-1 (Secure Hash Algorithm 1): It’s a cryptographic hash function that produces a 160-bit hash value. Although once widely used, its vulnerabilities have been exposed, making it unsuitable for secure applications.

LM and NTLM are authentication protocols, while MD5 and SHA-1 are cryptographic hash functions utilized for security purposes, like verifying data integrity and storing passwords. It’s crucial to acknowledge that MD5 and SHA-1 are no longer secure due to their vulnerabilities. While these improved upon the prior limitations and added an extra layer of security, their speed also provided a window of opportunity for cyber -attacker.

Figure 1: SSH Brute Force Password (Hacknos.com)

Over time, it was discovered that enhancing the array of characters used in passwords — from mere alphanumeric combinations to a larger set that included special characters — could deter cybercriminal activities to a significant extent. This led to the notion of “Password Complexity,” which was quickly incorporated into various security policies and guidelines, including the PCI-DSS standards.

Figure 2: PCI-DSS standard twelve requirements (wp.com)

However, the relation between human behavior and computer-generated policies isn’t always a match made in heaven. When humans are asked to choose special characters for their passwords, the likelihood of them selecting less commonly used characters is slim. Instead, they opt for familiar symbols like exclamation marks or hashtags. This is partly because many websites impose restrictions on the types of special characters that can be used, creating a self-reinforcing cycle of suboptimal choices.

2- Password Strength Progression through Time

Understanding the concept of password strength and its transformation over time plays a crucial role in comprehending the continuous struggle between safeguarding digital assets and those attempting unauthorized access. This discussion delves into the shifts in password practices, policies, and technological advancements across different historical periods.

Figure 3: A Password Strength Chart with Six Color-Coded Levels Reflecting Different Strength States (Reddit.com)

Step 1: Early Password Practices

▶ In the initial phases of computing, the approach to password usage was notably elementary. Several systems didn’t even necessitate password input, relying entirely on user trust.

▶ For those systems employing passwords, they frequently opted for simplistic choices, including easily guessable words or phrases.

▶ An examination of early passwords reveals prevalent selections such as “12345,” “password,” or “admin.” These lenient practices exposed systems to vulnerabilities susceptible to basic attacks.

Step 2: Emergence of Password Policies

▶ With the expansion of the digital realm, organizations began recognizing the necessity for heightened security measures.

▶ The introduction of password policies aimed to enforce stringent criteria, encompassing complexity prerequisites, longer password lengths, and periodic password modifications.

▶ During the 1990s, a typical password might have consisted of merely six characters. In contrast, contemporary recommendations advocate for passwords with a minimum of 12 characters, incorporating a blend of letters, numerals, and symbols.

Step 3: Technological Advancements

▶ Significant strides in computing technology have wielded a profound impact on the landscape of password security.

▶ The advent of Graphics Processing Units (GPUs), cloud computing, and specialized hardware expedited the process of password decryption. Statistical analysis underscores the exponential acceleration in password-cracking speeds driven by these advancements.

▶ In the early 2000s, breaking a moderately intricate password might have taken weeks. Conversely, contemporary circumstances enable the cracking of the same password within hours, if not minutes.

Step 4: The Data Breaches Roles

▶ Data breaches have played an instrumental role in molding password security practices.

▶ Prominent security breaches have laid bare the susceptibilities inherent in conventional password practices, compelling the formulation of stricter protocols.

▶ Breach statistics illuminates a noteworthy spike in the adoption of password hashing and salting mechanisms post-major data breaches, with the intent to fortify the safeguarding of user data.

Step 5: Modern Authentication Methods

▶ In recent years, a perceptible shift has transpired towards: Multi-Factor authentication (MFA) and Biometric Authentication Methods.

▶ A comparative evaluation of security incidents occurring both before and after MFA implementation reveals a discernible reduction in successful account breaches.

▶ Biometrics, exemplified by fingerprint or facial recognition technologies, have markedly diminished reliance on traditional passwords, concurrently diminishing the susceptibility to credential theft.

3- The Folly of Forced Password Changes

The concept of mandated password rotations was introduced as a supposed remedy to this problem.

Figure 4: How to manage Passwords using Best Practices (Toolbox.com)

The logic was simple: make users change their passwords frequently, and the window for exploiting those passwords shrinks. Unfortunately, the reality wasn’t so simple. What unfolded was a pattern of predictable and cyclical password choices, such as “Winter2020” followed by “Summer2021,” making the task easier for hackers.

The National Institute of Standards and Technology (NIST) took a step in the right direction in 2020 when it updated its Special Publication 800–63B.

Figure 5: Three Key Elements of the NIST Password Requirements (Enzoic.com)‏

The new standards emphasized password length over complexity and considered other factors like the inclusion of spaces as special characters and periodic password audits. However, the struggle to encourage the selection of robust passwords remains a hurdle in 2023.

3- A Tiered Approach to Password Security

One innovative solution could lie in employing a tiered approach to password requirements. This method, easily applicable in an organization with an Active Directory but more complex for social platforms like Twitter or Facebook, offers users choices tailored to their security needs and convenience:

Tier 1: Minimum of 8 characters

Pros:

a) Easy to remember.

Cons:

a) No VPN access.

b) 4-hour Single Sign-On (SSO) timeout.

c) Quarterly password changes.

Tier 2: Minimum of 12 characters

Pros:

a) VPN access with 8-hour timeout.

b) 48-hour SSO timeout.

c )Biannual password changes.

Tier 3: Minimum of 15 characters

Pros:

a) VPN access with 24-hour timeout.

b) One-week SSO timeout.

c) Annual password changes.

Tier 4: Minimum of 24 characters

Pros:

a) VPN access with 48-hour timeout.

b) Two-week SSO timeout.

c) Password changes only required during status changes.

Cons:

a) Mandatory for all admin and service accounts.

By allowing users to select their tier through a simple ticketing system or custom interface, organizations could see a rapid transition toward more secure password practices within a short span of three months.

4- Conclusion

In conclusion, the aim should be to balance user convenience and security through the power of choice. With such an approach, companies not only foster better security culture but also have the ability to easily identify those who might require additional training or resources to make safer password decisions.

The horizon of password security teems with both promising prospects and impending challenges. Emerging technologies, notably quantum computing, cast a looming shadow over existing encryption methods. A comparative assessment examining the computational prowess demanded by quantum attacks against conventional encryption mechanisms underscores the imperativeness of transitioning towards post-quantum cryptography.

And with that, I submit my thoughts for this year’s World Password Day.

Stay secure.

--

--

Ahmed

Data scientist | Security Researcher | Cloud Specialist | Digital Creator https://mawgoud.medium.com/subscribe