Password Security, Forevermore
Passwords suck. But there will never be a better non-niche solution.
Published 17:07, 10 January 11
There ought to be a word - there probably is a word - to describe concepts and ideas which work great in theory, have major flaws in practice, and for which either there exists no viable alternative, or any of the alternatives that have been tried have proven much worse.
This word would describe, for instance democratic government, or value added tax, or any single form of voting. This word would equally well describe password security.
Passwords have been in the news a lot over the past two months; probably the biggest story was the Gawker Media break - a popular website had 1.3 million usernames stolen, and with those usernames the encrypted form of their passwords.
The reason that this is a bad thing is because albeit the passwords were "encrypted", it is human nature for people to choose/use passwords such as 123456, PORSCHE911, iloveyou, and other simple, trite, mechanically-guessable tropes. Software to automate this sort of password-guessing has been available for 30+ years in differing forms - in fact here's a complete example that will still work on some sufficiently old Unix systems:
perl -nle 'setpwent;crypt($_,$c)eq$c&&print"$u=$_"while($u,$c)=getpwent' < /usr/dict/words
It's not a very big bit of code, is it? Very simple code, but horrifyingly effective, especially if you feed it the appropriate dictionary.
However the actual problem of password security is very complex.
I'll start with the upside: my fellow security geeks will deride me for writing this, but passwords are really, really great - they are an utterly fantastic security solution, and not only if you're a developer:
- passwords are easy to deploy
- passwords are easy to manage
- passwords don't require identity linkage between silos - so your Google username can be different from your Skype username, can be different from your MySecretFetishPornSite.com username
- passwords are scalable - you can use as many different ones as you like
- passwords can be varied between silos so that loss of one does not impact the others
- passwords don't (necessarily) expire
- you don't need to pay anyone a surcharge to get a new password, nor to maintain an old one
- passwords are the purest form of authentication via 'something you know', and thus ideal for the network or "cyber" environment.
The problem with password security is that the disbenefits are exactly the same as the benefits:
- passwords are easy to deploy - which means they're used everywhere
- passwords are easy to manage - which means they're managed haphazardly
- passwords don't require identity linkage between silos - but people are generally too lazy to maintain more than one or two identities
- passwords are scalable - but people are generally too lazy to remember more than one or two passwords
- passwords can be varied between silo - but people are generally ... see above
- passwords don't expire - but most of them are guessable in a matter of minutes or hours
- passwords are 'something you know' - and so anyone who knows your password is indistinguishable from you
And since you don't need to pay to get a new password, nor to maintain an old one - the password paradigm is forever going to be a roadblock in the path of those who wish to become rich by issuing certificates or identities that will permit you to transact on the web - or those who desire central control of such a resource. This may be a benefit or disbenefit, depending upon your perspective.
So those are my premises, and here is my belief: I don't believe that this problem is solvable.
I've been doing horrible things to password security for more than 20 years, and the same issues reoccur. This whole article was sparked by a posting at the Cambridge University Light Blue Touchpaper blog - which I recommend you check out at least weekly - where Joseph Bonneau documents the mishandling of UTF-8 (and larger) UNICODE characters in the Unix crypt() library call; I was doing precisely the same reduction-in-password-space math when I first ran into UTF-8 back in the mid-90s, and I'll bet good beer that someone had similar text-encoding and bit-stripping issues back in the days of ASCII versus EBCDIC versus Baudot.
There's nothing actually wrong with the password paradigm - though the password anti-pattern of linking services via password is another matter entirely. The "something you know" aspect of password authentication makes it the simplest, purest and in some ways most ideal of authentication mechanisms; but without being somehow self-defeating there is no good way to coerce people into using passwords safely, and "user education" is widely dismissed as a waste of money.
So we live at an impasse.
Churchill noted that democracy had been called the worst form of government except all those other forms that have been tried from time to time; similarly it is my suspicion is that the doom of the security industry is to forever be railing against the enormity of password security, without there ever being a replacement which is not much, much worse.