
from The Blue Book
Hence, for a password to be considered strong, as suggested by Microsoft, it should contain at least 12 characters, be complex (i.e. contain alphanumeric characters, numbers, symbols and non-dictionary words), be different from the passwords the user has used in the past, and be difficult for others to guess [152]. All these conditions, together with the high number of different accounts, affect users, who find it difficult to memorise (Strength of Memorized Secrets [173]) and manage all these passwords. To solve this password overload problem, users have come up with workarounds that directly affect the security of their accounts and the privacy of their data: they simplify their passwords to make them easy to remember, reuse the same password across different services, or store their passwords in a “secure” place, for example on paper or in a password manager. But even if the password is strong and the user handles it appropriately, the service providers also have to keep their end of the deal and store their users’ passwords securely. NIST provides guidance on how to properly store passwords in databases (Memorized Secret Verifiers [173]), yet much popular open-source server software does not offer adequate security by default [170], and a number of data breaches have exposed improperly stored passwords [113].
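The two halves of the paragraph above, the user-side strength conditions and the provider-side verifier storage, can be shown together in code. The following is an added example, not code from The Blue Book or from NIST or Microsoft; the dictionary wordlist, the iteration count and the helper names are assumptions chosen for illustration. It checks a candidate password against the listed conditions (length, character classes, dictionary words, reuse of an earlier password) and stores only a salted, iterated PBKDF2 hash as the verifier, with an unsalted single-round hash shown beside it as the kind of weak default the text warns against.

```python
import hashlib
import hmac
import os
import string

# Constructed, deliberately tiny stand-in for a real breached-password or
# dictionary wordlist (assumption: a production check would use a large list).
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "monkey"}

# Assumed iteration count, kept low so the example runs quickly; a production
# deployment should raise it as far as its hardware budget allows.
PBKDF2_ITERATIONS = 100_000


def make_verifier(password: str) -> dict:
    """Produce a salted, iterated PBKDF2-HMAC-SHA256 verifier for storage.

    A fresh random salt per user means two users with the same password get
    different stored values, and precomputed tables are useless.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"alg": "pbkdf2_sha256", "iter": PBKDF2_ITERATIONS, "salt": salt, "hash": digest}


def verify_password(password: str, verifier: dict) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), verifier["salt"], verifier["iter"]
    )
    return hmac.compare_digest(candidate, verifier["hash"])


def insecure_verifier(password: str) -> str:
    """The weak default the text warns about: unsalted, single-round MD5.

    Shown only for contrast. Identical passwords map to identical hashes, and
    the single cheap round gives an attacker who obtains the database little
    work to do per guess.
    """
    return hashlib.md5(password.encode()).hexdigest()


def check_password_policy(password: str, previous_verifiers=()) -> list:
    """Return the list of violated conditions; an empty list means the password passes.

    Reuse is checked against the user's stored verifiers, so old passwords
    never have to be kept in the clear to enforce the "different from past
    passwords" rule.
    """
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbols")
    # Strip the usual trailing digits/symbols people append to a word before
    # looking it up, so "Password123!" is still caught as a dictionary word.
    core = password.lower().strip(string.punctuation + string.digits)
    if core in COMMON_WORDS:
        problems.append("dictionary word")
    if any(verify_password(password, v) for v in previous_verifiers):
        problems.append("reused previous password")
    return problems


if __name__ == "__main__":
    history = [make_verifier("Tr0ub4dor&3xyz")]
    for candidate in ("Password123!", "Tr0ub4dor&3xyz", "correct horse battery 9!"):
        print(candidate, "->", check_password_policy(candidate, history) or "OK")
```

The policy check and the verifier share no secret state: the reuse test simply runs `verify_password` over the user's previous verifiers, which is also why the iteration count matters twice, once per login and once per historic password on a change.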
Several methods have been introduced to enhance the robustness of the authentication process, especially on critical systems and applications, the best known being two-factor authentication (2FA), which ENISA also recommends to improve password security [77] [5]. In a 2FA scheme, the user has to prove his/her identity based on two factors rather than one. For instance, to access a web banking account, apart from providing the username and password, the user is also asked to enter a one-time password (OTP) received via a Short Message Service (SMS) message in order to be authenticated. Although this method improves the security of the authentication process, it lacks user-friendliness [148], which is an important factor in the authentication procedure, and it can also be exploited through SIM swap attacks (where the adversary manages to clone the SIM card of the victim, allowing him to steal the SMS) or by tricking the user into revealing the OTP code through a fake call, website or email (phishing).
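The server side of the SMS-OTP second factor described above, as an added example that is not from The Blue Book or ENISA: the code is generated from a cryptographic random source, only its hash is kept, and it is bound to one login attempt, expires after a short window, is accepted once, and is discarded after a few wrong guesses. The validity window, the attempt limit and the `OtpStore` name are assumptions; delivery to the SMS gateway is left out, and an injectable clock is used so the expiry path can be exercised.

```python
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 120   # assumed validity window
MAX_ATTEMPTS = 3        # assumed guess limit per issued code


class OtpStore:
    """Server-side record of pending one-time passwords, keyed by login attempt.

    Hashing keeps the raw code out of the store, but a 6-digit space is small,
    so the attempt limit and the short lifetime are the controls that actually
    stop guessing; single use stops a captured code from being replayed.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}

    def issue(self, login_id: str) -> str:
        """Create a code for this login attempt; the caller sends it by SMS and must not log it."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[login_id] = {
            "hash": hashlib.sha256(code.encode()).digest(),
            "expires": self._clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, login_id: str, submitted: str) -> bool:
        """Accept the code at most once, only before expiry and within the attempt limit."""
        rec = self._pending.get(login_id)
        if rec is None:
            return False  # nothing pending, already used, or burned
        if self._clock() > rec["expires"]:
            del self._pending[login_id]
            return False
        rec["attempts"] += 1
        ok = hmac.compare_digest(
            hashlib.sha256(submitted.encode()).digest(), rec["hash"]
        )
        if ok or rec["attempts"] >= MAX_ATTEMPTS:
            # Single use on success; on too many failures the code is burned and
            # the user has to start a new login attempt to get a fresh one.
            del self._pending[login_id]
        return ok


class FakeClock:
    """Controllable clock so expiry can be demonstrated without sleeping."""

    def __init__(self, start: float = 1_000_000.0):
        self.t = start

    def __call__(self) -> float:
        return self.t


if __name__ == "__main__":
    clock = FakeClock()
    store = OtpStore(clock)
    code = store.issue("login-1")          # would be handed to the SMS gateway
    print("first use:", store.verify("login-1", code))     # True
    print("replay:", store.verify("login-1", code))        # False
    code = store.issue("login-2")
    clock.t += OTP_TTL_SECONDS + 1
    print("after expiry:", store.verify("login-2", code))  # False
```

Nothing here helps against the two failure modes the paragraph names: if the SMS is intercepted or the user is talked into reading the code out, a valid code is presented within the window by the wrong party. The store can only make sure a code is short-lived, single-use and not guessable, which is why the text treats SMS OTP as an improvement rather than a complete answer.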
5.2 Who Is Going to Be Affected?
Anyone who uses a computer or smartphone is going to be affected by the weak security of password-based authentication methods. However, people with more accounts are more likely to be affected, since the attack surface is wider; in other words, attackers have greater chances of compromising an account. For example, if Bob has one account (e.g. an email account) and Alice has three accounts (e.g. email, online shop and streaming accounts), then