Passwords suck

Google cryptographer and all-round security expert Ben Laurie's been blogging some great security thinking lately. Today he's got a really fascinating, thoughtful piece about the problems of passwords:
So, where does this leave us? Users must have passwords, so why fight it? Why not admit that its where we have to be and make it a familiar (but secure) process, so that users can actually safely use passwords, phishing-free?

The answer to this is deeply sad. It is because we have done a fantastic job on usability of passwords. They’re so usable that anyone will type their password anywhere they see the word “password” with a box next to it. Phishing is utterly trivial because we have trained the world to expect to be phished every time they see a new website.

Of course, we can fix this cryptographically - that’s easy. But let’s say we did that. How do we stop the user from ever typing their password into a phishable box from this day forward? So long as they only ever type the password into the crypto gadget that does the unphishable protocol, they are safe, no matter who asks them to log in. But as soon as they type it into a text box on a web page, they’re screwed.

So, this is why passwords are the worst usability disaster ever.

Do Passwords Scale?


  1. One idea (possibly not the best) could be a PGP type method.

    Have the client and server generate a public and private key. The keys are exchanged once and every time after that the browser could handle the authentication to prove that the server and the client are both who they say they are.

    Now the trick to a method like this is that there would not be one server per website, but really one server for many, if not all, websites. Once you are on the servers keyring, you could get to any of the sites supported by the server.

  2. What about a pass phrase? The system has the entire phrase, but when challenging a user, part of the phrase is presented and the user must fill in the blanks. The blanks are randomly chosen at the time of the challenge.

    It’s still about as easy to remember as a password, has more characters, and is pretty much dictionary-proof. It’s a bit similar to those image keys that some sites use, but much more personal.

  3. #2: Interestingly, my bank in the UK does exactly that: On each occasion that I log in, they ask for only a certain, random combination of letters from my password, rather than the whole thing. This also (at least partially) protects against keyloggers.

  4. @ knife sp00nie: If the parts of the phrase that are revealed are random, I just keep failing the challenge until every part of the phrase has been revealed. If the reveals aren’t random, my phishing site can just get the revealed parts in advance from the real site (by failing the challenge) and present them to the phishee.

    @ paul567: Interesting idea, but SSL already lets servers prove who they are, and it’s turned out to be of only moderate security value when it comes to ordinary users.

    Using a client side certificate to prove who you are to the server is a great idea, but it depends heavily on the aforementioned SSL working, otherwise you’ve got the same risk as with a password: accidentally giving a valid authentication response to a malicious party pretending to be the legit site.

    I guess the difference is that with a certificate the phisher can only use your response to authenticate once, rather than forever after. Maybe that’s worth something, but not much. That’s just an additional “hoop”, like requiring the CCV on credit card orders, not actually stronger security.

  5. #1: Sounds feasible. Maybe. Hmmm… At each challenge, you would need to ensure that a different encrypted message were sent. (Otherwise, anyone intercepting your authentication attempt could simply record and replay it – and phishing remains possible.)

    I suppose you could get the server to encrypt the authentication challenge (containing the unique message for you to encrypt back) using your public key. The only problem is that anyone can still obtain your public key, and then anyone can send a fake authentication challenge to you, which, if you were caught out, you would respond to, providing them with a cleartext/cyphertext pair to guess your key with – phishing remains possible.

  6. I want an AI I chat with for few minutes that can’t be fooled and recognizes me the way a close friend does – by a whole host of semi-tangible clues and cues. Someone get on that,would you?

  7. Biometrics to generate unique codes. Cheap, simple, and solves the problem. Plus, whenever you have an auto-insert program it’s bright enough to understand that the PW should only be added if the URL is an exact match to the URL at which your registered. Unlike a human, the program would immediately know that is not the same as

  8. While I understand what he is getting at, I also highly recommend RoboForm, RoboForm2Go on a thumbdrive is handy. One click to the site where it auto loads your info. It helps fight keyloggers because you never type passwords, complex and random passwords are generated and filled without typing. It also stores everything encrypted, including safenotes. I have probably 60 sites stored, each with a different random password, each password format can be controlled to comply with the site visited. It makes online banking fast. No, I don’t work for anyone, but my wife and kids :)

  9. #6: Turing test?

    #7: Biometrics are a bad idea. Period. Think chopped off hands/scooped out eyeballs.

    Oh, and I should have read #2 completely. What my bank does is not exactly what Knifie Sp00nie described – obviously my bank does not show parts of my password at each challenge. As #4 points out, that would be crazy.

  10. When I log in to my online banking, it shows me a picture and asks for the password that corresponds to that picture. It means four more passwords to remember, but a phishing site is unlikely to present the correct pictures. Of course, having four more passwords to remember makes it more tempting to write them down.

  11. Takuan: If an AI (really, an expert system) can be built that recognises you from your textual style, an AI (Expert System) can be built that can spoof your textual style. This is the voice of experience talking.

    The best answer is a mixture of technologies on the backend (PKI certificates authenticating the far end and stronger DNS protection) and a OTP passphrase generator token in the hands of the user, as well as a sandbox that links a strong key to a particular session but is unavailable until the OTP passphrase is entered – and that being the ONLY place the user is involved in entering a passphrase.

    Unfortunately, people lose the physical tokens.

  12. Everyone’s thinking about it wrong.

    Take OpenID to the logical conclusion – the point of the post.

    Don’t type a password in. Don’t type anything that even looks like a password in. Don’t select a picture, answer a question, fill in a Captcha or anything else to authenticate yourself to a web site.

    You authenticate yourself to your OS, and _that_ authenticates you to all of the services.

    Think Kerberos. If the password prompt looks entirely different to everything else on the system (it’s the account login screen), then it isn’t phishable.

    Or authenticate yourself to a token, it’s the same thing. So people lose tokens? Talking to a human to get a new token is a lot more secure than recovering a password from a web site with an email address and some captcha.

    To get a hint of what it would be like, change all your passwords to random strings. Put them in firefox, and protect that list with a single password. Copy that file onto a USB key.

    You are never asked for a password again, and attacking one remote service doesn’t allow privilege escalation to the others.

    A kerberos solution would be even more secure, because the random strings wouldn’t be passed back and forth.

  13. I like the session keys method for SSL/TLS etc – the problem there is that people will simply accept any certificate that they have to get to the juicy content that they want/need to use.

    It’s very hard to get people to actually really care about their electronic data, although anyone willing to post about a cryptography topic clearly already cares in general people prefer to care about things which have mass.

    If you came to a slot in the street which said “insert car keys here” you’d be hard put to find ANYONE willing to follow along, but passwords seem to be such a small thing – just a bunch of letters, maybe even your cat’s name – that people don’t mind to put it in if they’re asked for it. The problem which I think needs fixed is people not treating their passwords with care.

  14. Half the problem is that authentication is a two-part process, and passwords and most other methods only work on the second half: authenticating the user to the site. The first half gets pretty much ignored: authenticating the site to the user. And if you do do the first part, the second part gets a lot simpler.

    Real-life scenario: someone claiming to be from the phone company calls you about a problem with your account, and they want certain information from you. You were probably taught to ask them to give you the case number or other information. Then you pick up your phone bill and call the customer service number on it. Since you called them, and you called a number you got from a source the bad guys are unlikely to be able to tamper with, you can be sure you’re really talking to the phone company’s people. You give them the case number, your account number and a summary of what they called you about, and have them connect you to the correct department to deal with it. If the call was legitimate, they’ll have the incident on your account and won’t have any trouble picking the process back up. Doing the equivalent with Web sites would eliminate a lot of the problems.

    As for inserted content, SSL can help with that problem. Every SSL server can present a server certificate to the browser. So, when you create an account, one thing you can do in your browser is create an “identity” (just a name you use to refer to an entity) and associate SSL certificates with it. When you need to securely talk to that entity, you select them from a pull-down. From that point on, your browser won’t talk to any site that doesn’t present a server certificate associated with that identity. At that point all the trickery in the world won’t help the bad guy get the private key he needs to present a proper certificate. And when someone sends you e-mail saying “Please associate this certificate with this identity.”, you know how to respond: ignore it, go to the Web site for the entity in question and check their page listing the certificates you need to associate with them.

    There’s still ways for an attacker to get in, but they involve some pretty thorough compromises of the servers and the attacker has to keep the servers compromised for an extended time.

  15. Passwords are secrets. Secrecy is weakness. Never confuse secrecy with security. Every secret is a vulnerability, a defect patched with a word. Your secrets are your enemy’s weapons. They are your house of straw, your feet of clay. Secrecy is the antithesis of security.

    Takuan is getting closest to the ultimate solution. Why do you let your friend into your house? How do your know it’s not someone pretending to be your friend? Do you have a secret password or handshake? Are your required to sign your exchanged greetings and contact a PKI server to confirm each other’s identities?

    What we need are systems that know us the way our friends know us. Just as importantly we must be capable of knowing those systems the way we know our friends. The interactions should not boil down to a handful of exchanged alphanumerics or Turing tricks, but instead should create a personal environment in a way that familiarises us with the system on a human level so that if something is out of place it will quickly become obvious.

    The concept might best be reduced to a simple result: the time, effort, money, resources and risks required to replicate the experience to the degree that would fool a user on one end and a ‘friend system’ on the other should far outweigh the rewards gained in pilfering an account.

    Someone could, with great effort, years of study and creativity, surveillance and close calls, pass themselves off as someone you know and thereby gain access to your house. But would all that effort be worth it to just rob you? And once they’ve robbed you they must start from scratch to rob the next house.

    Yes, what we are discussing is another ‘hoop’ to jump through, but it’s a hoop thirty centimetres across, five-hundred metres up, surrounded by poisoned razor-wire and on fire.

  16. FoetusNail from afar, TARMLE, you’re absolutely correct, except the internet is not just friends. We are constantly meeting new people, and just like the corporeal world, meeting new people carries risks, even when trusted friends introduce you or bring them to your christmas party. There may be some hope in building systems that make trying to break into your home cost prohibitive, but there will still be the odd home with unlocked doors for quite sometime.

    The biggest problem is people don’t read the URL, don’t look for https, use one simple password for every account, they never change that password, and they keep that one taped to the monitor or in a note in outlook. Not to mention there are still sites using 4 digit, not even 4 character alphanumeric, passwords. And yes, it is still too much work for the average user.

    Then there is the whole other problem of failure to use anti-virus software or update OS and AV software, and a failure to use or properly configure firewalls. And yes, all this shit, even as simple as it can be, still seems like too much to many users.

  17. Umm, just use Password Maker. It’s a crypto tool which generates passwords for the user password box by cryptographically hashing a master password along with a site URL. Basically unphishable and generally very secure. Also, thanks to a Firefox plug-in, very easy to use. Once you start using password maker, having to type in passwords for sites starts to seem like the hard and inconvenient options.

  18. This article is mainly about how humans are easily fooled by phishing especially when a visual interface is presented. I think most of the responses talk about ways to make a system inwardly watch its human user more, or consolidate passwords into a secure zone.

    I’d rather see the gigahertz of my computer put to work watching outwardly the net for me like a hawk on my shoulder. This would analyze patterns of use, net traffic, browser DOM, other things running in my machine, and whatever else could lead to a phishing, zombie or whatever attack.

    The system would be open source, pluggable, and built by an expert team funded by the Dept. of Homeland Security and DARPA. Plugins/automatic updates would be signed by prominent research groups which also eligible for funding. I would feel good about using it if someone I trusted on the net reviewed it all, there would be no sneaky back channels because of open source, and the sum of many minds could generate a strong enough defense that even well-funded cyber-terror gangs will have a very bad time at building the next botnet-weapon.

    I believe this is entirely within the capability of current technology, probably even without DARPA help, the main problem being getting good people to run it and maintaining a healthy cashflow and secure environments for all of the contributors. It can start small but would have many advantages over commercial firewall/antivirus software. Recently I have found even the package I was told is the best actually misses some attacks that other ones pick up. (In my case, Kaspersky missed something F-Secure picked up twice.) There is no way for users to be guaranteed a good solution, therefore I suggest an open platform with lots of funding that will lure experts / companies with experience into cooperating together with the community. It’s a social problem, not a technical problem, because the user is all alone fighting other humans who are well-organized. Time to turn the net metric against them.

    Matt R

  19. I personally use 1 password that is secure and just use it everywhere. I never write it down, never share it and when it gets burned (like it did when Intuit, the fu*king TurboTax people emailed it back to me in plain text) I change it. Now, I’m part of the 1% of interweb users who understands how a certificate can tell you that a web-site is who they say they are but, as the aforementioned TurboTax debacle, a cert can’t tell you that the web-site you set up an account with will keep your password secure. If you want to make passwords secure, you also have to make sure that everyone who receives them will treat them properly.

  20. Passwords do suck and can be annoying (to say the least) and risky, when we type them.
    But what if we don’t have to type them anymore?

    A quick link to a product blogpost on secure auto login into sites.

    Louise (Passpack)

  21. there is no such thing as an unbreakable password– only ones that are harder to break
    so look at what you are trying to protect and use the approprite measures to make it more difficult for those who want that info.

    if you want to break into one of my spam e-mail accounts feel free… If you want my bank info you’ll have to work for it

  22. In a new age of fiber optic connections let quantum physics be the guide. Schrödinger cat in a box. The ‘password’ shall be known by nobody. When the mere act of observing interferes the whole process our internetz will be safe at last.

Comments are closed.