Regrettably @Mat Honan is Entirely Wrong about “Killing Passwords” /cc @Wired

I’ve read Mat’s article and I know where he’s coming from.

Mat’s article does make some sense – and his story is near tragic:

This summer, hackers destroyed my entire digital life in the span of an hour. My Apple, Twitter, and Gmail passwords were all robust—seven, 10, and 19 characters, respectively, all alphanumeric, some with symbols thrown in as well—but the three accounts were linked, so once the hackers had conned their way into one, they had them all. They really just wanted my Twitter handle: @mat. As a three-letter username, it’s considered prestigious. And to delay me from getting it back, they used my Apple account to wipe every one of my devices, my iPhone and iPad and MacBook, deleting all my messages and documents and every picture I’d ever taken of my 18-month-old daughter.

…but he suggests a course of action – disposing of password security – borne out of fear rather than reason; and unfortunately passwords are architecturally very sound.

I’ll recap some of those architectural principles in a moment.

But look at the arguments that Mat makes about passwords:

Requiring you to remember a 256-character hexadecimal password might keep your data safe, but you’re no more likely to get into your account than anyone else. Better security is easy if you’re willing to greatly inconvenience users, but that’s not a workable compromise.

This risk is solvable using password management software. Won’t work for 100% of situations but can be made to work for better than 95% of them.

He then makes a weird argument for privacy from the following thought experiment.

Imagine a miracle safe for your bedroom: It doesn’t need a key or a password. That’s because security techs are in the room, watching it 24/7, and they unlock the safe whenever they see that it’s you. Not exactly ideal. Without privacy [from the security techs] we could have perfect security, but no one would accept a system like that.

Well, actually, it is ideal, and also viable so long as you get away from his strawman argument; I discuss the desirability of being able to demonstrate who you are rather than use identity proxies (such as driving licenses, passwords or digital certificates) in Hankering For A World Without “Identity” or “Federation”.

But what he’s trying to say is that having systems somehow be smart enough to know it’s you is not really acceptable from a privacy perspective, and I can agree with that for some perspectives in authentication.

There’s a long diatribe slinging mud at passwords in general – mentioning some upstart software like John the Ripper in process :-) – and pads out the article with stories of people who have suffered.

Then there’s a sidebar called How to Survive the Password Apocalypse which is actually full of really good advice; it’s the sort of stuff that everyone should do even if it contains suggestions like “give bogus answers to security questions” – a topic that British MPs and Tabloids are apt to get exercised about.

Then there’s a complaint that “passwords are hard to remember”, and then there is cybermafia padding and “How One Guy Had His Google 2-Step Authentication Broken”, and then we get down to:

The age of the password has come to an end; we just haven’t realized it yet. And no one has figured out what will take its place. What we can say for sure is this: Access to our data can no longer hinge on secrets—a string of characters, 10 strings of characters, the answers to 50 questions—that only we’re supposed to know. The Internet doesn’t do secrets. Everyone is a few clicks away from knowing everything.

Instead, our new system will need to hinge on who we are and what we do: where we go and when, what we have with us, how we act when we’re there. And each vital account will need to cue off many such pieces of information—not just two, and definitely not just one.

No. Sorry but no. The problem of password security is eminently solvable:

  • don’t let users choose guessable passwords
  • encourage/force users to use password management software
  • protect the hashes on the backend with something decent ie: bcrypt()

…and this needs to happen because the benefits of passwords as a technology are huge:

  1. passwords are easy to deploy
  2. passwords are easy to manage
  3. passwords don’t require identity linkage between silos – so your Google username can be different from your Skype username, can be different from your SecretFetishPornSite.com username
  4. passwords are scalable – you can use as many different ones as you like
  5. passwords can be varied between silos so that loss of one does not impact the others
  6. passwords don’t (necessarily) expire
  7. passwords are the purest form of authentication via ‘something you know’, and thus ideal for the network or “cyber” environment.
  8. you don’t need to pay an intermediary or third-party a surcharge just to get a new password, nor to maintain an old one

…so long as you ameliorate each of the related disbenefits:

  1. passwords are easy to deploy
    which means they’re used everywhere
  2. passwords are easy to manage
    which means they’re managed haphazardly
  3. passwords don’t require identity linkage between silos
    but people are generally too lazy to maintain more than one or two identities
  4. passwords are scalable
    but people are generally too lazy to remember more than one or two passwords
  5. passwords can be varied between silo
    but people are generally … see above
  6. passwords don’t expire
    but most of them are guessable in a matter of minutes or hours
  7. passwords are ‘something you know’
    and so anyone who knows your password is indistinguishable from you

…which amelioration the above “use password managers to protect decent passwords, and keep them well” solution largely does.

So, why? Why do I insist we cling on to passwords in the face of Mat’s suggestion that:

Two factors should be a bare minimum. Think about it: When you see a man on the street and think it might be your friend, you don’t ask for his ID. Instead, you look at a combination of signals. He has a new haircut, but does that look like his jacket? Does his voice sound the same? Is he in a place he’s likely to be? If many points don’t match, you wouldn’t believe his ID; even if the photo seemed right, you’d just assume it had been faked.

…which all sounds terribly secure?

The reason to cling onto passwords is that they are a distributed, non-hierarchical technology.

In short: there’s a lot less that can go wrong when the identities are discrete and thinly spread.

So, sorry Mat. You’re wrong all the way up to this point – but then you go and add:

The security system will need to draw upon your location and habits, perhaps even your patterns of speech or your very DNA.

We need to make that trade-off, and eventually we will. The only way forward is real identity verification: to allow our movements and metrics to be tracked in all sorts of ways and to have those movements and metrics tied to our actual identity. We are not going to retreat from the cloud—to bring our photos and email back onto our hard drives. We live there now. So we need a system that makes use of what the cloud already knows: who we are and who we talk to, where we go and what we do there, what we own and what we look like, what we say and how we sound, and maybe even what we think.

That shift will involve significant investment and inconvenience, and it will likely make privacy advocates deeply wary. It sounds creepy. But the alternative is chaos and theft and yet more pleas from “friends” in London who have just been mugged. Times have changed. We’ve entrusted everything we have to a fundamentally broken system. The first step is to acknowledge that fact. The second is to fix it.

…and I’m afraid that if I were to enumerate the fearmongering number of ways that you’re wrong here, I would not finish this posting tonight.

Perhaps I’ll come back to it.

In the meantime, please reach out to Privacy International.

10 thoughts on “Regrettably @Mat Honan is Entirely Wrong about “Killing Passwords” /cc @Wired

  1. Dave Tong

    I don’t see how password management software can work in a world where I have UNIX computers at work, Windows PCs at home, Apple iPhone in my pocket, etc. I’d be interested to hear your suggestions.

    My personal solution is to have a two-part password; a static root and a site-specific variable, so if an account is compromised then at least there’s a chance that not all are.

    I’m sick of sites that put restrictions on passwords. My root is complex and thus often falls foul of restrictions – there’s one financial institution I have to deal with that won’t allow punctuation; others disallow certain characters such as % * or space, or swearwords, which suggests to me that they are stored in plain-text somewhere rather than hashed.

    I’d like to see some kind of certification body a la ISO9000 that sites displayed to show that they adhere to an agreed set of password standards – including no limits on character set, no storage in plain text, etc.

    Reply
    1. alecm Post author

      Well, I can speak to my solution.

      I paid money to 1password for apps – they have got OSX, Windows, iOS and Android clients sorted, and use Dropbox behind the scenes for synchronisation. I believe they have a pure Javascript client, too, which provides some manner of weird-ass-Linux capability but I must admit to never trying it.

      In the instance I need to log into a Unix box and am not on my Mac, I haul out my phone and type it manually. Not much worse than a DES-Gold card.

      This works well for me. So much so that I’ve not investigated alternatives.

      Does that help?

      Reply
    2. alecm Post author

      oh, and the restrictions against % and other punctuation are often due to a WAF or equivalent stupidity trying to prevent SQL-injection. Means that they don’t know how to handle user input cleanly, or have written off any attempt to do so.

      Reply
  2. Dave Tong

    Yes, I read the other post and agree with most of it, though I’d modify rule 5 to say
    If you allow people to use a password of less than 12 characters __without advising them against it__, it’s a bug.

    Reply
  3. Dave Walker

    Also, for people on the move or otherwise subject to unexpected threats, passwords are without a doubt the best way to covertly signal duress. See my “old chestnut” posting on this at https://blogs.oracle.com/davew/entry/on_duress .

    I don’t know whether anyone has implemented this yet, though; it’s a shame if they haven’t.

    Reply
  4. Robbie Mackay

    I use Lastpass as a password manager because:
    1. it handles linux, OSC and android.. pretty sure windows was covered too.
    2. It supports yubikey for 2 factor auth.

    I largely use it through browser plugins (which I think is how they cover all OSes easily, chrome plugin works everywhere)

    We use Keepassx for shared work passwords – which has support for multiple OSes too, but no remote storage built in. Also: opensource and free.

    In short: there are good password management options out there.

    Reply
  5. alvaro del hoyo

    David Waler,

    In 2001 at Mobipay international we did have a duress secondary pin for mobile payments solution (just for direct threat to oneself)

    Never came to market, but guess being able to link up to 10 debit/credit cards to your mobile phone and having to remember 2 pins for each one was condemned to suffer on human factor :-)

    That company was leveraging on payment means brands and becoming needed interface between financial entities and mobile operators. Well, i guess this was its biggest mistake and reason why company is discontinued (dont get me wrong, leveraging on payment means brands, not because of defining a pin duress alarm) :-)

    Reply
  6. Pingback: Google Declares War on the Password # Dear @Wired, no, sorry, again you’re wrong about #password #security | dropsafe

Leave a Reply