Passwords Are Terrible

I’ve been going through a rash of password resets and changes the last few days, and as such things always do, it set me thinking. If I’m lucky, most of this won’t really be much of a surprise for you. It certainly won’t contribute anything significant to the security world.

My thought is simply that passwords are terrible. I know, I know – not an original thought. Basically, passwords might have been the right trade-off between convenience and security a while back. I’m unsure when that stopped being the case, but I’m pretty sure it was more than a few years ago. However, we are still using passwords, and there are a lot of things we do that don’t necessarily make our use better. Just as black hats use social engineering to crack systems, security experts should use social engineering and experience design to entice people to do the safest possible thing under the circumstances. Sadly, however, we are doing the exact opposite right now.

Let’s take a look at a laundry list of what you should be doing and what you are doing:

  • You should never use the same password in more than one place. REALITY: people basically always reuse passwords or password variants on different services. The proliferation of places that require passwords and login means we have the choice of either having more than 50 passwords or reusing them. But if you reuse passwords, within each set of services with the same password, the service with the most sensitive material will only be as well protected as the least secure service. So as long as you use the same password, you have to think about all the services you’ve used that password on to have a realistic idea about how protected that password is.
  • You should never use words, numbers from your life or names from your life in your password – scrambled or not. REALITY: basically everyone does one of these things – most wifi-network passwords I know are combinations of the names of the children in the family. In order to remember passwords, we usually base them on existing words and then scramble them with a few letters switched out for digits or a few symbols added. This practice is basically completely useless, unless your password is actually a pass phrase. And if your password is in reality a pass phrase, you don’t gain much by scrambling the words. So for a really secure password, use a pass phrase, but make sure that the words in the phrase are randomly selected.
  • Security policies usually require you to change passwords every 2 or 3 months. REALITY: This means you are training people to choose insecure passwords. If you have to change passwords often you have a few choices – you can write them down or you can use variations on the same password. Note that remembering a new strong password every 2 months is not an option – people will simply not do it. Most people I know use a sequence of numbers added to a base password, and they change these numbers every time they are forced to change the password. All of these things come together to defeat the purpose of the security policy. It is security theatre, simple and pure. If your company has a policy that requires you to change passwords like this, that is basically guaranteed to be a company with no real security.

What is the solution? I have decided to base my life around 1Password. For most purposes, the combination of the password generator, the browser integration, and the syncing between different devices means that it’s mostly hassle-free to have really strong passwords in all the places I want them. I think 1Password is really good at what it does, but it’s still a stop-gap measure. The basic idea of using passwords for authentication is an idea that should be relegated to history. We need a better alternative. We need something that is more secure and less brittle than passwords. But we also need something that is more convenient than two-factor authentication. For most of us who log in to services all the time, two-factor is just too slow – unless we get to a point where we have a few central authentication providers with roaming authentication.

Is there a better alternative? HTTP has included support for TLS Client Certificates for a long time now, and in theory it provides all the things we would want. In practice, it turns out to be inconvenient for people to use; expiration and other aspects of certificates complicate and frustrate things.

I guess what I would want is a few different things. The first would be to simply make it possible to have my browser automatically sign a challenge and send it back, instead of putting in a password in the login box. That would require a little support from the browser, but could potentially be as easy to use as passwords.

Another thing that could make this possible is if 1Password had support for private keys as well as passwords. This would mean syncing between devices would become substantially easier. Someone would have to think up a simple protocol for making it possible to use this system instead of passwords on a web page. This is a bit of a catch-22, since you need support from the browser or extension for it to be worth putting into your service. I kinda wish Google would have done something like this as the default for Google Accounts, instead of going all the way to two-factor.
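One possible shape for the challenge-signing login described above, written as an added sketch in Node.js; it is not code from the original post or from any browser or 1Password. The function names, the signed message layout, the 60-second challenge lifetime and the placeholder origin are all assumptions made for illustration.

```javascript
// Added sketch: function names, message layout and in-memory stores are assumptions.
const nodeCrypto = require("node:crypto");

const SERVER_ORIGIN = "https://service.example"; // placeholder origin
const registeredKeys = new Map();    // username -> public key, kept instead of a password hash
const pendingChallenges = new Map(); // username -> { nonce, expires }

// The exact bytes both sides sign/verify. JSON keeps the fields unambiguous, and
// including the origin makes a response signed for one site useless at another.
function signedMessage(origin, username, nonce) {
  return Buffer.from(JSON.stringify(["login-v1", origin, username, nonce.toString("hex")]));
}

// --- server side ---
function register(username, publicKey) {
  registeredKeys.set(username, publicKey);
}

function issueChallenge(username, now = Date.now()) {
  const nonce = nodeCrypto.randomBytes(32); // fresh and unpredictable per attempt
  pendingChallenges.set(username, { nonce, expires: now + 60_000 });
  return nonce;
}

function verifyLogin(username, signature, now = Date.now()) {
  const pending = pendingChallenges.get(username);
  pendingChallenges.delete(username); // single use: a captured response cannot be replayed
  const publicKey = registeredKeys.get(username);
  if (!pending || !publicKey || now > pending.expires) return false;
  const message = signedMessage(SERVER_ORIGIN, username, pending.nonce);
  return nodeCrypto.verify(null, message, publicKey, signature);
}

// --- client side (the browser or password manager holding the private key) ---
function makeClient() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ed25519");
  return {
    publicKey,
    // `origin` is the site the client is really connected to, not a value the page supplies
    respond: (origin, username, nonce) =>
      nodeCrypto.sign(null, signedMessage(origin, username, nonce), privateKey),
  };
}
```

The server stores only public keys, so a leak of its user table gives an attacker nothing to replay or crack, unlike a table of password hashes.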

In summary, I think we are ready for something better than passwords. I would love it if we could come together and figure out something with better usability and security than passwords so we can finally get rid of this scourge.

4 Comments

  1. gasche

    One angle of attack that you might not have considered: why do we need so many passwords in the first place? Do I really need to create an account to post comments on this website/forum? Do I really need to create a password (or have one generated for me) to subscribe to this mailing-list? Isn’t some non-sensitive piece of information, such as my email address, sufficient to use those functionalities?

    I think we should think more about having authentication-less services that can let me do what I want without having to *know* me or force me to produce some sensitive piece of information. Instead of waiting for the new security mechanism, in a lot of cases we should think of which feature to let go to be able to *get rid* of a security mechanism.

    August 20th, 2012

  2. Mats Henricson

    Thinking long term, I have envisioned a hardware/wetware combination, starting with perhaps a ring, which would hold my master key-pair, and a radio, and it unlocks all hardware when I am present. It would have a timeout of less than a minute, so if you leave your hardware for lunch, it locks down. It would be the device that would unlock 1Password, really, I assume.

    Next step would make that hardware device into wetware, I envision something you’d embed in your body, which can’t be removed and still work, for example a device that only works if embedded in blood with your DNA. Well, that can be hacked, as you can envision, but if someone tries to hack it out of your body, then you could gland a hormone that would zap the device altogether.

    Now, what happens if you have to zap your hardware/wetware device? How would you get a new one? I envision a master key-pair, which is the root for the one you are just using, which can issue a new work key-pair.

    Now, the question is, why would someone steal your work key-pair, when they could just hit you with a wrench till you give them your master key-pair? Well, there’s always the case that in some instances you really DO want to give them your master key-pair, such as if they have kidnapped your children. In other cases we could envision a system with a trusted central authority which could hold them for you. I could perhaps trust EFF, for example. Another possibility, perhaps, is some modified rubber-hose cryptology solution, where you could hand over a phoney master key-pair as the real one, and the people holding the wrench can’t easily tell that the phoney one is not the real one.

    Finally (yes, I know this is out on a limb, far far away from the original question), you could possibly combine this with a system that could only create a new work key-pair through multi-signatures, as we will soon have in Bitcoin. That way stuff can’t be released unless it is cryptographically signed by several parties.

    Good to see you actively blogging again!

    August 20th, 2012

  3. Jillian C. York

    “I could perhaps trust EFF, for example”

    Could I just say that that warms my heart?

    But anyway, real reasons for commenting:

    a) Any reason for 1password over keepassX or others?
    b) Someone once gave me a really good tip for creating memorable passphrases. I’m willing to share it only because I don’t actually use it, and I’m fairly certain that it’s both a good idea and pretty secure:

    A combination of the name of someone you slept with, the date on which that occurred, and the location.

    May 16th, 2013

  4. Jillian,

    When I decided to go for 1Password I evaluated the alternatives and found that 1Password had more features that matched what I wanted – including the nice syncing with all my iDevices and support for other data than just passwords (I have my credit cards, SSNs, passport numbers and all kinds of other stuff in 1Password).

    In terms of your advice on memorable pass phrases: there are two problems with it. First, if someone breaks the password on _one_ site (where someone has very unsafe hashing for example) and they figure out the pattern, it becomes very easy to try all combinations of names, dates and locations – if we assume the number of possible names is 100k and locations is 100k – and the number of possible dates arbitrarily constrained to 40 years, you end up with an entropy of 47 bits, which is not fantastic at all – the recommended number should absolutely be over 60 bits.

    The other problem happens if you at some point have to give the pass phrase to someone else. Potentially embarrassing in some settings.

    May 17th, 2013
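The 47-bit estimate in the reply above and the post's advice to build pass phrases from randomly selected words can be checked side by side. This is an added example, not code from the post or its comments; the set sizes are the ones given in the reply, the 16-word list is constructed for the demo, and 7776 in the usage note is the size of a Diceware-style list.

```javascript
// Added example: set sizes come from the reply above; the word list is constructed.
const nodeCrypto = require("node:crypto");

// Entropy in bits of a secret built by picking one item uniformly from each set.
// Real choices are not uniform, so this is an upper bound for a guessable pattern.
function bitsFromChoices(setSizes) {
  return setSizes.reduce((bits, n) => bits + Math.log2(n), 0);
}

// Smallest number of uniformly random words from a list that reaches targetBits.
function wordsNeeded(targetBits, listSize) {
  return Math.ceil(targetBits / Math.log2(listSize));
}

// Draw words with a CSPRNG; randomInt picks an index without modulo bias.
function randomPassphrase(wordList, count) {
  if (new Set(wordList).size !== wordList.length) throw new Error("duplicate words in list");
  const words = Array.from({ length: count },
    () => wordList[nodeCrypto.randomInt(wordList.length)]);
  return { phrase: words.join(" "), bits: count * Math.log2(wordList.length) };
}

// Name + date + location: 100k names, 100k locations, 40 years of days.
const PATTERN_BITS = bitsFromChoices([100_000, 100_000, 40 * 365]);

// Constructed 16-word list (4 bits per word), for the demo only.
const DEMO_WORDS = ["anchor", "basil", "copper", "delta", "ember", "fjord", "glacier", "harbor",
  "indigo", "juniper", "kettle", "lantern", "meadow", "nickel", "orchid", "pebble"];
```

`wordsNeeded(60, 7776)` returns 5, so five words drawn at random from a 7776-word list already clear the 60-bit mark that the name, date and location pattern misses.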
