Password woes

Currently, in our digital life, we use plenty of secrets to identify ourselves to the services we are using.

The most common form of secret is… the password.

But passwords are a pain to use (safely), to remember (long term), and to share.

The more services we use, the lower our security. Why?

The problems with passwords

Security researchers all preach the same lesson:

  1. Don’t use the same password on different services
  2. Don’t use simple passwords
  3. Don’t communicate a password (either on paper, or over an unencrypted communication link).

Why do they say that?

Mathematically, a password should be a random secret, so that guessing it requires testing the whole “space” of possible passwords (in the case where someone wants to break YOUR password).

The security comes from the fact that passwords are random. If an attacker can alter this property, the security breaks down.

A password should be unique so that “additional information” leaked with a credential pair does not remove the randomness property. When you reuse your password, an attacker can link two services to the same “user”, reducing the space to search to whatever common denominator the two services share.

Obviously, if you write a password down, or communicate it in the clear, it is no longer secret.

Why are passwords so complex?

Computers are good at doing simple tasks fast. They can count up to 4 billion in seconds. Searching a password space is “easy” for them. Passwords are meaningless to them; they just check whether the secret, transformed by a function, satisfies a condition.

Because of this, service providers have to impose more and more difficult rules to make this task harder. They impose a minimum length for the password, they forbid passwords that use only lowercase letters, or only whatever other character set. All of this makes computer-based searching harder, but at the same time makes the task almost impossible for us too.

The harder it is for computers, the harder it becomes for humans.

Why doesn’t it work for us?

Humans, on the other hand, are very bad at repetitive tasks. We don’t memorize random data easily, nor for long.

Forcing us to remember meaningless random numbers is a vain operation.

Our memory is organized for semantics. Links between “events” are obvious to us; we filter meaningful “events” faster than a big computer can. When you remove meaning, we are as bad at storage as a post-it stuck on a random page of a contact directory.

Whenever a rule is imposed on our passwords, for example when a website sets the dumb rule “no lowercase-only passwords”, it removes a piece of meaning from the password.

What is the use of such a rule? None.

If someone wants to use a lowercase-only password, then that should be allowed too.

If you did not have such a rule, then out of 10 users of your service, maybe 4 would use a lowercase-only password and the remaining 6 would not.

Does it improve brute-force searching for the password? No. A computer still has to test both lowercase and uppercase (and mixed) passwords.

Does it make our life easier? No. Because if you had a way to attach a meaning to this password (or service), then it likely goes against this rule.

Worst of all, the rule is explained when you register for the service, not when you have to enter your password (which can happen months later). The meaning was lost, and so was the rule.

Some people use a “meaningful” algorithm to generate passwords. They have a “master” secret, and derive a password from it for each service. With this, they link meaning with a random value.

Obviously, we are not good at processing data, so the algorithms are basic. If a service is broken and a password is revealed, the passwords for the other services will be close (in the space of possible passwords). Yet it’s better than nothing.

When a service imposes a rule, it can break the mental algorithm, thus bringing back the issue we’ve seen above.
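
How “close” such derived passwords are, and how a service rule breaks the scheme, as an added example that is not part of the original post. The mental algorithm, the master secret “bluehorse”, the service names and the three rules are all constructed for illustration.

```python
# Added illustration; every value below is constructed.

def mental_password(master, service):
    """Assumed mental algorithm: master + first 3 letters of the service + its length."""
    return f"{master}{service[:3].lower()}{len(service)}"

def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute, or keep if equal
        prev = cur
    return prev[-1]

def shared_prefix(a, b):
    """Number of leading characters two passwords have in common."""
    n = 0
    for ca, cb in zip(a, b):
        if ca != cb:
            break
        n += 1
    return n

# Constructed composition rules of the kind a service may impose.
RULES = {
    "needs an uppercase letter": lambda p: any(c.isupper() for c in p),
    "needs a digit": lambda p: any(c.isdigit() for c in p),
    "at most 12 characters": lambda p: len(p) <= 12,
}

def broken_rules(password):
    """Rules the derived password violates, i.e. where the user has to improvise."""
    return [name for name, ok in RULES.items() if not ok(password)]

if __name__ == "__main__":
    leaked = mental_password("bluehorse", "Webmail")
    other = mental_password("bluehorse", "Bookshop")
    print(leaked, other)
    print("edit distance:", edit_distance(leaked, other))
    print("shared prefix:", shared_prefix(leaked, other), "of", len(other))
    print("rules broken:", broken_rules(leaked))
```

Two 13-character passwords that differ by only four edits share most of their content, and every rule the scheme violates forces an exception the user has to remember separately.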

Another dumbness: password reminder

Because of the above difficulties, most services don’t ask us to type the password on every page. They store a cookie on our computer, and use it to identify us instead.

For an obvious security reason, the cookie cannot stay forever. But at the same time, asking us to enter the password every… minute… would be a pain.

So services commit another dumbness here: they set the lifetime of the cookie to days (or months). Instead of making people repeat the password (and, in doing so, imprinting the password more strongly in our memories, making it easier to remember), they lower the security and increase our difficulty.

When a service finally asks you for a password one month later (you’ve been using the service for a complete month and have completely forgotten the password, and the dumb rules for it), you’re stuck.

Because the service cannot afford to lose a user, it has to provide a “password reminder” feature. What’s that beast?

Either the service generates a new random password for you and sends it to you (which, in turn, goes over an unsafe communication link: your email travels in the clear most of the time). This password is impossible to memorize, so you’ll have to set a new password again with the “change password” feature of the service.

Or the service asks you a secret question (that is: another password, with all security removed, since there is no restriction on it and, worse, the search space is ridiculously small) to let you change your “strong” password…

I think the worst dumbness is when a service forces you to update your password at regular intervals, preventing you from reusing a previous password.

All wrong.

Password keeping software

Because of all the dumbness above, developers tried to fix the dying beast by adding another layer of (in)security.

Some software offers to remember the passwords for you.

It breaks rule #3. This software has to store the clear password somewhere (hidden behind a “master password”, which is not a bad idea in itself, but unfortunately it’s badly applied). I’ve used the word “hidden” deliberately here. The cryptographic algorithms used for encrypting the other passwords are (almost) all based on symmetric cryptography, where the key is derived from the master password via a “password derivation function”.

If someone gets access to the storage of the device containing such a wallet, he has plenty of time to brute-force the master password. Password derivation functions are made to be long to compute for a typical computer, not hard. The search space is huge, but not infinite. Once the master password is recovered, so are all your passwords.
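
What “long to compute, not hard” means in practice, as an added example that is not part of the original post. It assumes PBKDF2-HMAC-SHA256 as the derivation function (the post names none) and uses a constructed master password and salt; the hand-written loop is checked against the standard library so the call count can be trusted.

```python
import hashlib
import hmac

def pbkdf2_sha256_counted(password: bytes, salt: bytes, iterations: int):
    """Derive one 32-byte PBKDF2-HMAC-SHA256 block; return (key, HMAC calls made)."""
    # U_1 = HMAC(password, salt || INT_32_BE(1))
    u = hmac.new(password, salt + (1).to_bytes(4, "big"), hashlib.sha256).digest()
    calls = 1
    block = int.from_bytes(u, "big")
    for _ in range(iterations - 1):
        # U_i = HMAC(password, U_{i-1}); the key is the XOR of all U_i
        u = hmac.new(password, u, hashlib.sha256).digest()
        calls += 1
        block ^= int.from_bytes(u, "big")
    return block.to_bytes(32, "big"), calls

def offline_work(search_space: int, iterations: int) -> int:
    """Expected HMAC calls for an offline search: half the space, `iterations` per guess."""
    return (search_space // 2) * iterations

if __name__ == "__main__":
    master = b"constructed master password"   # constructed sample value
    salt = b"constructed-salt"                # constructed sample value
    key, calls = pbkdf2_sha256_counted(master, salt, 1000)
    assert key == hashlib.pbkdf2_hmac("sha256", master, salt, 1000, 32)
    print("HMAC calls per guess:", calls)
    space = 26 ** 8                           # e.g. 8 lowercase letters
    for iters in (1_000, 100_000, 200_000):
        print(iters, "iterations ->", offline_work(space, iters), "HMAC calls expected")
```

Doubling the iteration count doubles the cost of every guess, but the number of guesses stays the same: the function slows the search down without making the search space any larger.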

Worse, if you lose your device, or it fails somehow, then all your services become unavailable to you (you don’t remember all the passwords in the first place, do you?). So you have to make sure the “security questions” are true so you can get back into all the services. In the end, you have reduced your security with software that was supposed to increase it.

So what to do instead?

As a service provider, the minimum-effort solution is to allow very long passwords or, to be clearer, passphrases. Let the user choose a meaningful sentence from a book or a TV show, whatever. Better still, let her also tag the password with a hint. If someone chooses a sentence from the Bible, the hint could be “holy book”. Let humans shine where they are strong: making links and filtering meaning.

Another solution is to use human advantages against the computer. Humans extract meaning from pictures, music, or movies in milliseconds, while machines don’t.

To validate a user, let her choose a hint (for example ‘animals’) and then let her choose her favorite pictures of animals, refining the “search”. The search space has to be large, but not as large as for a character-based space (remember, computers are bad at processing the meaning of pictures). The user could even provide her own picture.

This provides numerous advantages.

First, in case the service is hacked, the “password” is useless without the corresponding database. And this database cannot be downloaded without a noticeable impact on the service. Then, “reverting” the password (that is: the process of trying the password hashing function over the complete password space until it hits a match) cannot be done without a human, and humans are not good at repetitive tasks.

Do not allow too many failed password attempts either. Once passwords have a meaning again, users will not forget them. If a user makes 10 password attempts, something is wrong. Lock the account, and send a mail to the user giving her a challenge (for example, a choice between 10 (or 50, whatever) pictures with only one being in the range of what she selected). The probability of picking the correct answer at random is not 0, but has to be set low enough to avoid false positives.

If you are paranoid, retry a few days later, with another set.
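
One way to implement the lockout and picture challenge described above, as an added example that is not part of the original post. The class and function names, the picture identifiers and the one-answer-per-challenge behaviour are assumptions made for the illustration.

```python
import hmac
import secrets
from fractions import Fraction

_rng = secrets.SystemRandom()   # OS-backed randomness, so the decoy set is unpredictable

class LockoutGuard:
    """Counts failed logins, locks at the threshold, unlocks via a one-shot picture challenge."""

    def __init__(self, user_pictures, decoys, max_failures=10, challenge_size=10):
        self.user_pictures = sorted(user_pictures)   # pictures the user selected herself
        self.decoys = list(decoys)                   # pictures outside her selection
        self.max_failures = max_failures
        self.challenge_size = challenge_size
        self.failures = 0
        self.locked = False
        self._expected = None                        # answer to the outstanding challenge

    def record_login(self, success: bool) -> str:
        if self.locked:
            return "locked"                          # even a correct password is refused
        if success:
            self.failures = 0
            return "ok"
        self.failures += 1
        self.locked = self.failures >= self.max_failures
        return "locked" if self.locked else "retry"

    def issue_challenge(self) -> list:
        """Pictures to mail out: exactly one of the user's among challenge_size - 1 decoys."""
        self._expected = secrets.choice(self.user_pictures)
        shown = _rng.sample(self.decoys, self.challenge_size - 1) + [self._expected]
        _rng.shuffle(shown)
        return shown

    def answer_challenge(self, picked: str) -> bool:
        expected, self._expected = self._expected, None   # one answer per challenge set
        if expected is None or not hmac.compare_digest(picked.encode(), expected.encode()):
            return False
        self.locked, self.failures = False, 0
        return True

def blind_guess_probability(challenge_size: int, rounds: int = 1) -> Fraction:
    """Chance that random picks pass `rounds` independent challenges."""
    return Fraction(1, challenge_size) ** rounds
```

With 10 pictures a blind pick passes one time in 10; repeating the challenge a few days later with another set brings that down to one in 100, and 50 pictures per set to one in 2500.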

In other words, be proactive, but do not break the meaning.

A long-term solution would be to have the user provide a secret from her own machine: a picture, or a part of a picture, for example. The password would “match” when, presented with a stack of pictures (probably processed: inverted, rotated, color-shifted), the user selects the area of interest on the one picture that counts.

Again, use what we are good at to tell humans from computers.

A world without passwords is possible, provided the computers start using our rules, not theirs.

