An IT manager’s guide to passwords

Michael Dear explains everything IT Managers and users alike need to know about passwords, including the emerging role of passkeys

Computer security isn’t really about computers: it’s about people and processes. But there’s another P word that everyone will think of, and that’s passwords. In this article, following on from last month’s guide to ransomware, I’ll explain everything you need to know about passwords. Why we need them, how to use them like a pro, and why there’s something new coming that could replace passwords altogether.

But I’ll start off with two A words: authorisation and authentication. They look the same, and many people even use them as synonyms, but they are very different. I’ve spent many hours of my life having this fact drilled into me.

Before we delve into this world, I need to explain two more terms. First, the directory system. In this context, a directory is a system that holds security information about a device, a service or a person; Active Directory is the one most IT managers will have met.

Second, hash. A hash function is a mathematical process that turns a password of any length into a value of fixed length, and it is designed to be one-way: a password can be turned into a hash, but a hash can’t be turned back into the password.

A good directory system doesn’t hold a copy of the password but rather its hash. A good password hash is also salted (mixed with a random value unique to each account, so two people with the same password get different hashes) and deliberately slow, so that someone who steals the database can’t cheaply try millions of guesses against it.

Authentication vs authorisation

So, authentication. This term is about proving who you are. In the real world, this could be entering a country: you produce a document (a passport, for example), and the reader checks both that the document is genuine and that you match it, so you are who you say you are.

In the computer world, you are given a username and password. The password is secret, so only you should be able to produce it.

Authorisation is slightly different. Think of authorisation as a key. You’ve got into a building and, after proving who you are, the receptionist gives you a bunch of keys. In this building all the doors are locked, so you can only enter a room if you have the key to its door. You no longer need to prove who you are: if you have the key then you have the right to be in the room. This is what happens when you log into a computer system.

You type a username and password, which are passed to the directory system. The directory system hashes the password you typed, using the salt stored for that username, and compares the result with the hash in its database; the password itself is never compared, because it was never stored. If they match, access is allowed and the directory system returns a token or set of tokens to your computer, which then give access to the systems the directory controls. When you move around the system, your computer ‘shows’ the tokens to the item you are trying to access. That part is authorisation: the password is not needed again.

The problem with passwords

The problem with this comes from the security model relying on a username and a secret password. The username is normally an email address, which is relatively easy to get hold of, so the entire system now rests on that one password. And people are generally lazy and not good at thinking up and remembering strong passwords.

One solution to that problem is to use a password manager. In short, these are apps that make random passwords and store them. You use a single strong master password to unlock the app, and the app then fills in the login details for your sites. My favourite, for the record, is Bitwarden.

But not everyone uses password managers, which is why I had to explain what they are above. This is understandable: they can be a pain both to set up and to use.

In response to this, a new layer was added on top of the password: two-factor authentication (2FA), or more generally multi-factor authentication (MFA). The multi-factor part refers to using two or more of the following to authenticate someone, and they must be of different kinds: a password plus a second password is still one factor.

  1. Something a user has, usually a hardware token in the form of a key, card or phone
  2. Something a user knows, such as a PIN or password
  3. Something a user is, such as fingerprints and other biometrics 

Multi-factor authentication sounds complicated, but we use these in real life all the time. For example, if you get money out of an ATM then you use a bank card and a PIN (something you have, something you know).
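The "something you have" factor in most 2FA rollouts is an authenticator app on the phone, and it works because phone and server share a secret and both run the same time-based calculation. The following is an added example for this article, not code from the author or from any authenticator product: it implements the standard HOTP (RFC 4226) and TOTP (RFC 6238) code generation and the server-side check, including the one-step clock-drift window real servers allow. The shared secret is the constructed test key from the RFC; a real enrolment generates a random one and shows it as a QR code.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// TimeStep is the 30-second window every mainstream authenticator app uses.
const TimeStep = 30

// hotp is RFC 4226: HMAC-SHA1 over the counter, dynamically truncated to a
// few decimal digits. The phone and the server compute exactly this.
func hotp(secret []byte, counter uint64, digits int) string {
	msg := make([]byte, 8)
	binary.BigEndian.PutUint64(msg, counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg)
	sum := mac.Sum(nil)
	// Dynamic truncation: the low nibble of the last byte selects 4 bytes.
	off := int(sum[len(sum)-1] & 0x0f)
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP is RFC 6238: HOTP with the counter set to "which 30-second window is it".
func TOTP(secret []byte, unix int64, digits int) string {
	return hotp(secret, uint64(unix/TimeStep), digits)
}

// VerifyTOTP is the server side. It accepts the current window and one either
// side to tolerate clock drift, and compares in constant time.
func VerifyTOTP(secret []byte, code string, unix int64, digits int) bool {
	for delta := int64(-1); delta <= 1; delta++ {
		expected := TOTP(secret, unix+delta*TimeStep, digits)
		if hmac.Equal([]byte(code), []byte(expected)) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed shared secret (the RFC 6238 test key). In practice the
	// server generates a random one at enrolment and shows it as a QR code.
	secret := []byte("12345678901234567890")
	now := time.Now().Unix()

	code := TOTP(secret, now, 6)
	fmt.Println("phone shows:         ", code)
	fmt.Println("server accepts now:  ", VerifyTOTP(secret, code, now, 6))
	fmt.Println("accepts 5 min later: ", VerifyTOTP(secret, code, now+300, 6))
}
```

Two things worth noticing: the server has to store the shared secret in the clear (it cannot be hashed, because the server must compute the same code), so that database needs protecting as carefully as the password hashes; and a code is only valid for about a minute and a half with this drift window, which is what limits the damage if one is phished or shoulder-surfed.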

As you can imagine, if we were designing a way to log into systems from scratch, we would not start from here. We have clumsily added security layers on top of the password to protect it, because the password itself is too weak, or reused, or stolen, or all three.

A passwordless future

However, it isn’t all doom and gloom. Something is coming that might finally fix the password problem. It’s called passwordless and uses something called a passkey.

The idea is that rather than use passwords, you switch to using passkeys. These aren’t something you need to remember. Passkeys work by having a program (or device) that is trusted to hold a cryptographic private key.

When a passkey is created, two keys are generated that are mathematically related: a private key, which stays on your device, and a public key, which is given to the site. This is public key cryptography and beyond the scope of this article. What matters is that the site sends your device a fresh random challenge, your device signs it with the private key, and the site checks the signature with the public key it holds. Only the holder of the private key could have produced that signature, so you are authenticated. Just as importantly, the site never holds anything secret: a stolen copy of its database gives a thief nothing they can log in with.

Once this is set up, you switch off password access to the system and only allow passkey access. If you don’t have the passkey, you don’t get access.
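The registration and login exchange just described, as an added example for this article rather than code from the author or from any passkey implementation. It uses the same signature algorithm (ECDSA over P-256 with SHA-256) that the passkey standard uses by default. It is a simplification: the real protocol has the browser supply the site’s identity to the authenticator and includes more fields in the signed data, while here the site name, username and the two devices are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator stands in for the trusted program or device (phone, laptop,
// password manager) that holds passkeys. The private halves never leave it.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey // one private key per site registered with
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
}

// RelyingParty stands in for the website. Its database holds only public keys,
// so a copy of it gives a thief nothing that can be used to log in.
type RelyingParty struct {
	ID      string                      // the site's identity, normally its domain
	pubKeys map[string]*ecdsa.PublicKey // by username
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, pubKeys: map[string]*ecdsa.PublicKey{}}
}

// Register is the "create a passkey" step: the authenticator generates a fresh
// P-256 key pair for this site and hands back only the public half.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// Enroll stores the public key the site received at registration.
func (rp *RelyingParty) Enroll(user string, pub *ecdsa.PublicKey) {
	rp.pubKeys[user] = pub
}

// Challenge is 32 fresh random bytes. Because it changes every login, a
// signature captured on the wire cannot be replayed later.
func (rp *RelyingParty) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// signedData is what actually gets signed: the challenge bound to the site
// identity, so a signature made for one site is meaningless at another.
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign answers a login prompt. The authenticator only signs for a site it
// holds a key for, which is why a look-alike phishing domain gets nothing.
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("no passkey registered for " + rpID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedData(rpID, challenge))
}

// Verify is the site's check: does the signature match the public key stored
// for this user, over the challenge the site just issued?
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.pubKeys[user]
	if !ok {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedData(rp.ID, challenge), sig)
}

func main() {
	phone := NewAuthenticator()
	site := NewRelyingParty("example.com") // constructed site identity

	// Registration, done once while still logged in with a password.
	pub, _ := phone.Register(site.ID)
	site.Enroll("alice", pub)

	// Every later login: challenge, sign, verify. No password anywhere.
	challenge, _ := site.Challenge()
	sig, _ := phone.Sign(site.ID, challenge)
	fmt.Println("login with passkey:", site.Verify("alice", challenge, sig))

	// A second device that never received the passkey cannot sign at all.
	laptop := NewAuthenticator()
	_, err := laptop.Sign(site.ID, challenge)
	fmt.Println("login from a device without the passkey:", err)
}
```

The last two lines of main are the situation the next section is about: a passkey that lives only on one device is simply absent on the other, and nothing the user remembers can substitute for it.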

Passkeys in action

Apple, Microsoft and Google have all adopted this technology and are rolling it out on their devices. Sadly, each vendor syncs passkeys only within its own ecosystem, so a passkey saved on one manufacturer’s device isn’t automatically available on another’s.

Let’s give a quick example. You visit site X and you log in as usual with a password. On the site is an option to create a passkey, which you accept and save to your device; let’s say this is an iPhone. 

The password access is then switched off. If you now want to visit the same site on your Windows machine, the passkey isn’t there, and you’re locked out. (Strictly, the standard does allow the browser on the Windows machine to show a QR code that you scan with the iPhone, which then signs the login on its behalf, but that needs the phone in your hand every time and is a workaround rather than a passkey the Windows machine actually holds.) So, either you still need to leave passwords as a means to get access or only use the iPhone. The former means you ask what the point was; the latter means you can’t use the device you choose.

I was pretty despondent when I found this out, as it seemed that a better solution was about to be made useless by a corporate pi**ing contest. This isn’t the first time such a thing has happened, and it won’t be the last time either.

However, I have recently heard that Bitwarden is going to support passkeys in the next couple of months.

This gives me the thing that was missing, because Bitwarden runs on most devices and synchronises between all of them. Put a passkey in Bitwarden on one device and it will be available on all the others as well. After all, a passkey is just a small bundle of data (the private key plus a note of which site and account it belongs to), so a password manager can store and sync it like any other secret. This could be the saviour of passkeys and allow the masses to start using them.

The password is dead, long live the passkey. Hopefully. Well, probably. Okay, it’s true: passwords will never go away, but anything that makes more people more secure is fine by me.

I will finish this month with a link to a game. The Password Game. Maybe one day it will be consigned to history.

Michael Dear

Michael has worked for more than 20 years running IT departments, mainly for small to medium insurance firms. His primary interest is focused on security and compliance.