GUEST ESSAY: Understanding the security limits of the static and dynamic passwords we rely on

By Igor Stukanov

We all rely on passwords. For better or worse, we will continue to use passwords to access our computing devices and digital services for years to come.


Passwords were static to begin with. They have since been modified in two directions: biometrics and dynamic passwords.

Here is an overview of the passwords we’re now using – and their respective security limitations:

Static passwords. This traditional form consists of letters, numerals and symbols. The number of all possible combinations, or NAPC, of any static password can be calculated. It is therefore theoretically possible to guess the correct combination of any static password in a single attempt, though the probability of success is small.

The larger point is that any static password can be cracked by brute force. With rapid advances in computer technology, it has become possible to crack static passwords in exactly this way. This has led to two branches of modifications: biometrics and dynamic passwords.

Biometrics. The equivalent of a password can now be derived from our physical attributes such as fingerprints, the face, voice tracks, or the iris of the eye. However, the digital representation of biometric data is nothing more than a complex static password.

Once this biometric data is compromised, there is only a limited number of options to change it. We only have two eyes, one face, and ten fingers. Therefore, there are very few possibilities for modifications and/or constructive evolutions.

Biometrics should be used as user names, not passwords, because biometrics data uniquely identify each person.

Dynamic passwords. This refers to the use of sequences of static passwords, where each password in the sequence is active only during a specific time interval. In other words, dynamic passwords are changeable static passwords.


Dynamic passwords need to be securely managed. Online and offline password managers come into play here. However, password managers introduce the problem of risk concentration, or putting all of one’s eggs in a single basket.

Password managers store passwords in an encrypted file called a vault, which is a target for attackers. Attackers can use the brute force method to crack this vault. Every year, researchers find weaknesses in such password managers.

Dynamical passwords. This refers to parametric, dynamic, recoverable, generated-on-demand, pseudo-random passwords that are not stored in electronic or paper form.

The most important property of dynamical passwords, or DPs, is that they do not require storage on electronic devices or paper. They are generated on-demand when users need them.

It is not possible to find a black cat in a black room if there are no cats in that room. For this reason, dynamical passwords are more secure than dynamic passwords stored in a password manager.
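As an added illustration of the two ideas above (a time-bound sequence of passwords, and a password that is regenerated on demand from its parameters instead of being stored), not the essay author's own scheme: the master secret is the only thing the user remembers, the service label and interval index are the parameters, and the charset, the daily interval and the PBKDF2 derivation are assumptions chosen for the example. The keyspace helper computes the NAPC of the resulting password as described for static passwords.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed illustration, not the essay author's scheme: it shows a password
# that is recoverable from its parameters (so nothing is stored) and that is
# valid only inside one time interval. Charset and interval are assumptions.
CHARSET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%&*"

def keyspace(charset_size: int, length: int) -> int:
    """NAPC: number of all possible combinations of a fixed-length password."""
    return charset_size ** length

def derive_password(master_secret: str, label: str, interval_index: int,
                    length: int = 16, iterations: int = 200_000) -> str:
    """Derive a password from a memorised secret, a service label and a time
    interval index. Equal inputs always give equal output (recoverable), so
    the password never has to be written down or kept in a vault."""
    # The salt binds the output to the service and the interval; the master
    # secret is the only thing the user has to remember.
    salt = f"{label}|{interval_index}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master_secret.encode(), salt, iterations)
    # Expand the key with HMAC counters and map bytes onto the charset.
    # Rejection sampling (b < limit) keeps every character equally likely.
    out, counter = [], 0
    limit = 256 - (256 % len(CHARSET))
    while len(out) < length:
        block = hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
        for b in block:
            if b < limit and len(out) < length:
                out.append(CHARSET[b % len(CHARSET)])
    return "".join(out)

def current_interval(interval_seconds: int = 86400,
                     now: Optional[float] = None) -> int:
    """Index of the interval in which the password is active (daily by default)."""
    t = time.time() if now is None else now
    return int(t // interval_seconds)

if __name__ == "__main__":
    idx = current_interval()
    pw = derive_password("correct horse battery staple", "mail.example", idx)
    print(f"interval {idx}: {pw}")
    print("NAPC for 16 characters:", keyspace(len(CHARSET), 16))
```

Because the output is a deterministic function of the secret and the parameters, the verifying side can regenerate it for the current interval and compare, and a captured value stops working once the interval rolls over.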

When we sign up for an online account or request resetting a password, we usually receive a new password via e-mail. However, if an attacker is able to intercept and read this e-mail she or he will be able to compromise our account.

To increase the security of our passwords against such a scenario we can use multiple channels, instead of a single channel, to deliver the password.

Multi-channel password delivery systems, or MCPDS. This refers to the use of multiple communication channels to deliver passwords to users. MCPDS significantly increase the security of passwords against attacks on communication channels.

Multi-factor authentication, or MFA, methods belong to this category. A popular form of MFA is where a user gets an online password via e-mail and a security code via SMS on a mobile phone. Both pieces of information, the password and the security code, can be considered two parts of a dynamic password that is required to get access to the online account.

Artificial intelligence systems. Some big corporations use artificial intelligence systems, or AIS, to identify characteristics that can be used as passwords in authentication procedures. Such systems do not require any effort from users.

AIS automatically collect all relevant information to determine the password and submit it to the verification systems. The authentication procedure is hidden from users.

Because the password information comes from the AIS rather than from a human, and AIS have no emotions, they cannot be attacked by social engineering methods.

But AIS have the same drawback as biometrics: AIS algorithms are vulnerable to being compromised.

About the essayist: Igor Stukanov is an inventor and author of several books on “dynamical passwords.”
