ADespite the evolution of biometric, multifactor and other forms of authentication, password authentication remains universal in physical and cyber security applications. While some proclaim it’s time to end the use of passwords for authentication, instead we should be focusing on how to improve them.
The Problems with Passwords
In the early 1960’s, MIT put passwords into use. They comprised their passwords of letters, numbers, and punctuation from the American Standard Code for Information Interchange (ASCII) character encoding, which has 95 printable characters (including the space) and 33 teletype control characters. After more than half a century, ASCII remains the dominant source for password characters worldwide.
The essential weakness of conventional passwords stems from their limited number of permitted characters. In the past, most passwords were limited to a subset of the 95 printable ASCII characters. However, no valid technical reason remains today for preventing a space or any other special character in a password, although these counterproductive restrictions continue.
The Power of Modern Hackers
Today’s highly optimized password cracking tools reveal passwords easily. The most productive approach is to load these tools with a dictionary of tens of millions of previously appropriated passwords, sorted according to the most prevalent. If the dictionary attack approach fails, the hacker can still attempt to use every combination of allowed characters in a brute force attack that, through trial and error, identifies passwords.
Today’s hackers have access to technology that can test up to 100 billion passwords per second. Prohibiting spaces and ten other punctuation characters in passwords makes it easier for hackers to crack them. Since there are, at most, 84 characters you can use in a password, excluding eleven characters results in 100 trillion fewer 10-character password combinations for attackers to guess.
The Unicode Standard Solution
Although the use of passwords has barely changed from their 1960s ASCII form, a solution has been available since the early 1990s: the Unicode Standard, which aims to define all written scripts, modern and ancient, including symbols and emojis.
Adding just one non-ASCII character to a password can make brute force and dictionary attacks unfeasible, as a Unicode-enabled system would permit any of thousands of symbols and emojis to be used, further strengthening passwords tremendously. Permitting unrestricted use of Unicode in passwords is the next important step to leveling the playing field against password hackers.
Physical Security Needed
Although password protection and cybersecurity is critical to keeping data safe, physical security should not be left behind. It provides protection not only to employees, staff, and your office, but it protects the physical storage of your data. Learn more about physical security, data protection, and visitor management solution by contacting a Veristream security expert at 888-718-0807.