I’ve read Mat’s article and I know where he’s coming from.
Mat’s article does make some sense – and his story is near tragic:
This summer, hackers destroyed my entire digital life in the span of an hour. My Apple, Twitter, and Gmail passwords were all robust—seven, 10, and 19 characters, respectively, all alphanumeric, some with symbols thrown in as well—but the three accounts were linked, so once the hackers had conned their way into one, they had them all. They really just wanted my Twitter handle: @mat. As a three-letter username, it’s considered prestigious. And to delay me from getting it back, they used my Apple account to wipe every one of my devices, my iPhone and iPad and MacBook, deleting all my messages and documents and every picture I’d ever taken of my 18-month-old daughter.
…but he suggests a course of action – disposing of password security – borne out of fear rather than reason; and unfortunately passwords are architecturally very sound.
I’ll recap some of those architectural principles in a moment.
But look at the arguments that Mat makes about passwords:
Requiring you to remember a 256-character hexadecimal password might keep your data safe, but you’re no more likely to get into your account than anyone else. Better security is easy if you’re willing to greatly inconvenience users, but that’s not a workable compromise.
This risk is solvable using password management software. Won’t work for 100% of situations but can be made to work for better than 95% of them.
He then makes a weird argument for privacy from the following thought experiment.
Imagine a miracle safe for your bedroom: It doesn’t need a key or a password. That’s because security techs are in the room, watching it 24/7, and they unlock the safe whenever they see that it’s you. Not exactly ideal. Without privacy [from the security techs] we could have perfect security, but no one would accept a system like that.
Well, actually, it is ideal, and also viable so long as you get away from his strawman argument; I discuss the desirability of being able to demonstrate who you are rather than use identity proxies (such as driving licenses, passwords or digital certificates) in Hankering For A World Without “Identity” or “Federation”.
But what he’s trying to say is that having systems somehow be smart enough to know it’s you is not really acceptable from a privacy perspective, and I can agree with that for some perspectives in authentication.
There’s a long diatribe slinging mud at passwords in general – mentioning some upstart software like John the Ripper in process 🙂 – and pads out the article with stories of people who have suffered.
Then there’s a sidebar called How to Survive the Password Apocalypse which is actually full of really good advice; it’s the sort of stuff that everyone should do even if it contains suggestions like “give bogus answers to security questions” – a topic that British MPs and Tabloids are apt to get exercised about.
Then there’s a complaint that “passwords are hard to remember”, and then there is cybermafia padding and “How One Guy Had His Google 2-Step Authentication Broken”, and then we get down to:
The age of the password has come to an end; we just haven’t realized it yet. And no one has figured out what will take its place. What we can say for sure is this: Access to our data can no longer hinge on secrets—a string of characters, 10 strings of characters, the answers to 50 questions—that only we’re supposed to know. The Internet doesn’t do secrets. Everyone is a few clicks away from knowing everything.
Instead, our new system will need to hinge on who we are and what we do: where we go and when, what we have with us, how we act when we’re there. And each vital account will need to cue off many such pieces of information—not just two, and definitely not just one.
No. Sorry but no. The problem of password security is eminently solvable:
- don’t let users choose guessable passwords
- encourage/force users to use password management software
- protect the hashes on the backend with something decent ie: bcrypt()
…and this needs to happen because the benefits of passwords as a technology are huge:
- passwords are easy to deploy
- passwords are easy to manage
- passwords don’t require identity linkage between silos – so your Google username can be different from your Skype username, can be different from your SecretFetishPornSite.com username
- passwords are scalable – you can use as many different ones as you like
- passwords can be varied between silos so that loss of one does not impact the others
- passwords don’t (necessarily) expire
- passwords are the purest form of authentication via ‘something you know’, and thus ideal for the network or “cyber” environment.
- you don’t need to pay an intermediary or third-party a surcharge just to get a new password, nor to maintain an old one
…so long as you ameliorate each of the related disbenefits:
- passwords are easy to deploy
– which means they’re used everywhere
- passwords are easy to manage
– which means they’re managed haphazardly
- passwords don’t require identity linkage between silos
– but people are generally too lazy to maintain more than one or two identities
- passwords are scalable
– but people are generally too lazy to remember more than one or two passwords
- passwords can be varied between silo
– but people are generally … see above
- passwords don’t expire
– but most of them are guessable in a matter of minutes or hours
- passwords are ‘something you know’
– and so anyone who knows your password is indistinguishable from you
…which amelioration the above “use password managers to protect decent passwords, and keep them well” solution largely does.
So, why? Why do I insist we cling on to passwords in the face of Mat’s suggestion that:
Two factors should be a bare minimum. Think about it: When you see a man on the street and think it might be your friend, you don’t ask for his ID. Instead, you look at a combination of signals. He has a new haircut, but does that look like his jacket? Does his voice sound the same? Is he in a place he’s likely to be? If many points don’t match, you wouldn’t believe his ID; even if the photo seemed right, you’d just assume it had been faked.
…which all sounds terribly secure?
The reason to cling onto passwords is that they are a distributed, non-hierarchical technology.
In short: there’s a lot less that can go wrong when the identities are discrete and thinly spread.
So, sorry Mat. You’re wrong all the way up to this point – but then you go and add:
The security system will need to draw upon your location and habits, perhaps even your patterns of speech or your very DNA.
We need to make that trade-off, and eventually we will. The only way forward is real identity verification: to allow our movements and metrics to be tracked in all sorts of ways and to have those movements and metrics tied to our actual identity. We are not going to retreat from the cloud—to bring our photos and email back onto our hard drives. We live there now. So we need a system that makes use of what the cloud already knows: who we are and who we talk to, where we go and what we do there, what we own and what we look like, what we say and how we sound, and maybe even what we think.
That shift will involve significant investment and inconvenience, and it will likely make privacy advocates deeply wary. It sounds creepy. But the alternative is chaos and theft and yet more pleas from “friends” in London who have just been mugged. Times have changed. We’ve entrusted everything we have to a fundamentally broken system. The first step is to acknowledge that fact. The second is to fix it.
…and I’m afraid that if I were to enumerate the fearmongering number of ways that you’re wrong here, I would not finish this posting tonight.
Perhaps I’ll come back to it.
In the meantime, please reach out to Privacy International.