Why we need real cryptography instead of passwords

Yesterday, Ars Technica published an in-depth look at the techniques hackers used to crack passwords. Titled Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331”, it describes how 3 hackers were able to successfully able to crack over 90% of a set of 16,000 hashed passwords — in less than 20 hours.

When you consider that in the last year, tens of millions of passwords have been leaked, you might start to get worried. And, honestly, you should be.

Passwords were never built for our modern internet. Invented more than 50 years ago, they were originally created to protect the files of users on timeshared, non-networked computers — a pretty different ballgame than the hugely connected internet we have today. And yet, 50 years later, we’re now using this archaic technology to protect our most valuable assets (our money, our privacy, our relationships). It’s stupid and irresponsible.

An alternative

If you’re a developer, you probably already know that there is a much more secure way we should be authenticating: real cryptography. To use a specific example, let’s focus on RSA public-key cryptography. The basic idea of public-key cryptography is simple: a user has two keys, we’ll can them Public and Private. Private can create signatures and Public can verify that they came from Private; however, Public cannot generate valid signatures of its own. In this way, Public can be distributed “publicly” and verify whoever holds Private.

It’s easy to take this concept and apply it to user authentication. In fact, if you’re a developer, you’re almost certainly using it every day when you SSH into servers. The idea is simple: the website you want to log into holds a user’s Public, the user holds their Private and whenever they want to sign in, they generate a signature, the website verifies it, and they are logged in.

Let’s crack RSA keys!

At this point, you may be asking why the internet is not already relying on public-key cryptography for logging into websites. Perhaps, you think, it’s because they are just as insecure as passwords (or maybe more insecure)!

Let’s see how long it would take to crack a 2048-bit (the length of Public and Private, industry standard) using a brute force method similar to the one the Ars Technica hackers employed.

~6.44245094e15 years

Yes, a little over 6.4 quadrillion years.

When you consider that the world is just over 13 billion years old, that number starts to come into focus. If you need a little more focus, here’s a helpful video (it focuses on SSL certificates, which rely on the same RSA keys we’re discussing).

That’s a long, long time.

How can I use the secure stuff?

Using real cryptography isn’t just for geeks anymore. With Clef, we let your smartphone do all of the hard work and making logging in even easier than using a password. And Clef uses 2048-bit RSA keys — you know what that means.

Forget passwords. Get Clef.

Want to continue the conversation? Join the discussion on Hacker News.

Thanks to Digicert and Ars Technica for making this blog post even easier to write.

Clef Icon

Get to know Clef

Clef allows you to securely log in to your favorite websites and services without needing a password. It’s two-factor authentication from the future. Learn more at getclef.com.

The Clef team's perspective on community, design, business, and engineering delivered straight to your inbox.