Kill the Password

http://evilbobdayjob.blogspot.com/ Deidzoeb

So is this a story we should take seriously, or file this along with Wired’s provocative proclamations that the web is dead, science is obsolete, and we should use burrow owls as fuel rods in nuke plants? (Dammit, the hyperbole seems to be contagious.)

Paul Renault

I was going to wait until I actually read the article before I posted something similiar, but, thumbs up, Deldzoeb!
bardfinn

This is a story you must take seriously. I’m one of those übernerds that use long, xkcd – strength passwords (MustFishChurnXDB#, as an example). Because I re-used the password I used for Twitter as a FaceBook password, (yes, bad me) and due to a security problem that Twitter had/has that allows an infinite amount of distributed attempts to log in, my Twitter password was cracked, and within a few hours, someone was trying to log in to my FaceBook account from an IP address near Chicago. This happened while I was asleep. FaceBook has a system in place to disable the account login when something like this happens, thankfully. They also have two-factor authentication (a pass code SMS’d to your mobile phone) available.
I spent a day changing every password I have on every account I have to a separate string of random values. I think I am just lucky that no-one was trying hard to get my bank account or gmail account.

If you’ve ever used a password to log in to some dinky game written and hosted in (let’s say) France, and their servers are broken into and their unencrypted – or unsalted – passwords file is stolen, that password is now being thrown against every email address ever known, every username that shows up on every discussion board, etcetera.

This needs to be a global discussion, a priority, and a memeological/cultural revolution. It’s overdue by more than a decade, called by computer scientists in 1999/2000 when the news of L0phtcrack broke.

And, as we now know, ignoring the scientists means you have to scramble to get out of the rising water when the hurricane makes landfall.

MC Frontalot released “Secrets From The Future” five years ago.

Well, it’s the future, now.
- Paul Renault
  
  Well, me, I’m one of those super-übernerds, I guess. I use long LastPass-generated much-better-than-xkcd-936 passwords – which are unique to every site.
  
  /Bonus: LastPass’s Autofill likely prevents look-alike sites from stealing your log-in info.
- cx52
  
  I’m not an ubernerd, but I have always instinctively used a different password on every site I’ve registered with (excepting throwaway accounts). I’ve also never bothered to fill in what town I come from etc, seeing this as an obvious security risk. I write my passwords down in a book so that I don’t forget them. I also memorise the important ones. I’ve hardly given the matter any thought, but I’m still secure against the attacks described. So I don’t think it’s a question of getting rid of passwords, just changing habits slightly.
- http://evilbobdayjob.blogspot.com/ Deidzoeb
  
  I read the article and it convinced me to change all my passwords along the guidelines they recommend. Still think it’s appropriate to take Wired cover stories with a grain of salt.

Russell

Oh god, is Honan still banging on about his ‘epic hacking,? What an utter bore.

retepslluerb

I still refuse to accept the expertise of a “senior tech writer” who doesn’t even run a backup.

bardfinn

Bluntly,
The fallacy you’re succumbing to is argumentum ad hominem, argument to the man. His security practices of the past are irrelevant, his backup practices of the past are irrelevant. His argument is sound, and his argument should be evaluated on its own merits.

It is also the same argument that has been put forward by security researchers, computer scientists, and techies for a decade. Google’s security team recently announced that it wants to kill the password.

This is a sea change, and most people are only now realising it.
- retepslluerb
  
  Actually, a good part of his argument is that passwords do not protect against bad practices, which, in his world, are somehow unavoidable.
  
  The same bad practices that got him into the mess a couple of months ago.
  
  As a user, he can never be sure that the service he uses use good practices, so he has to assume that they don’t – and act accordinly.
  
  I stil don’t see him doing that.
  - bardfinn
    
    The bad practices are just human nature. I’ve worked IT security, audited passwords, etcetera etcetera – and over the course of a decade, no matter how much training users are given, no matter how hard they are incentivised, they still use poor passwords. Or they re-use passwords. Or they have a socially-engineerable weakness in their linked accounts. Or they have to log in from a machine with malware on it. Or they log in on a WiFi hotspot that has no client separation and use an application that transmits their password in cleartext, or with an easily-crackable industry standard (MSCHAPV2!)
    
    Most people cannot sit down (they don’t have the time, between work and family and society; they don’t have the training) and work up a complete security model of all their online accounts, how they are linked, how they might fail one after the other.
    
    Asking them to, is akin to asking an iPad user to use a command-line interface, even for a day. There’s a large space for professionals to work out how to handle authentication in a secure, robust, and simple-to-the-user way, and present it to them – ease of use is what most people put their money down on the table for (how many million iOS devices? How many billion Windows machines?)
  - bardfinn
    
    Or, to put it another way -
    
    Microsoft made billions upon billions of dollars, making computers interface with people in the way that people behave naturally. Apple makes billions upon billions making computers interface with people in the way that people behave naturally. Siri / google voice search / GUIs / cameras / motion sensor / touch screens — are all things that have come about recently, and allow people to interact with their computers naturally.
    
    But we still keystone our lives around a forty-five year old practice that is falling, failing, against the onslaught of readily-available and cheap storage (for rainbow tables and password lookups) and processing time (for cracking just-good-enough encryption).
  - Ito Kagehisa
    
    I think you pegged it a lot more concisely than I did!

Ito Kagehisa

It’s a pretty bad article. It raises legitimate concerns, particularly about companies’ willingness to be socially engineered, but there’s very little logical connection between the premises and conclusions… it reminds me of Monty Python’s logician sketch.

Let’s look at this statement, for example:

This summer, hackers destroyed my entire digital life in the span of an hour. My Apple, Twitter, and Gmail passwords were all robust—seven, 10, and 19 characters, respectively, all alphanumeric, some with symbols thrown in as well—but the three accounts were linked, so once the hackers had conned their way into one, they had them all.

Yo, a seven character password protecting three important accounts, one of which contained online banking information? What is that, 40 bits of entropy? That hasn’t been considered “robust” in more than twenty years. Sure, I’m paranoid, but I was using 64 character passphrases in the early 1980s, when that first became possible, and today I use 4Kb crypto keys. But how is the fact that a person used a ridiculously weak password (you can brute seven characters with a big botnet in less than a day, I’ll bet) an indictment of all passwords? How is the fact that any idiot can social engineer AOL, Apple, or Microsoft into resetting the access controls on an account a criticism of a particular type of access control? If I use radio waves from Saturn to control access, but you can make one phone call and change the requirement to radio waves from Pluto, that hasn’t got anything to do with how well or how poorly radio control works.

Here’s another whopper:

We can’t possibly have a password-based security system that’s memorable enough to allow mobile logins, nimble enough to vary from site to site, convenient enough to be easily reset, and yet also secure against brute-force hacking.

Oh yeah? Write a song. Memorize it. Or just memorize your favorite song. Don’t tell me you can’t memorize a song, because that’s bull. If you really can’t memorize a song, password security will be the least of your problems trying to operate a computer! Sing it twice a day for a week and then every half hour for a day, you’ll memorize it. Now, your password algorithm is this: on each site you use, take the initial letters of each of the words in the first verse of the song. Sing it silently in your head while you do this, touching the appropriate keys as you go. If any of those letters occur to the left of the first dot in the site’s hostname, don’t press them, otherwise press.

Example: Song is Donald McGillavry, by Silly Wizard. Site is gmail.google.com, so the part to the left of the first dot is “gmail”. So the password is “DuthhhDcdthwDwctncHttkDCwDCwDBtfbtcOwtcD”. Crack that noise, eh? If the site requires non-alphanumerics use the punctuation (there’s plenty in nearly any song) and it gets even better. And the only thing I have to know is a song. I could use a song that I like to sing incorrectly, too – ‘scuse me, while I squish this fly (Purple Haze, by Hendrix). And within I week I’ll rattle that baby off with the song playing in my head at full speed.

It’s not hard to build algorithms like this, once you start using normal human patterns like songs or poems. I literally just made that one up, from my head. Strong passwords that are memorable are achievable to people of even low average intelligence.

bardfinn

Mr. Honan’s point is, most people

Don’t know and can’t care what entropy is as regards information;
Don’t and can’t memorise 64 character passwords;
Even if we teach people to memorise a technique for generating passwords, even if they’re unique to each account they have, there’s still going to be malware that hijacks passwords.

In addition, software can be taught popular methods of password generation, and if the technique you propose above were popular, it would be trivial to reverse the source of your password in realtime (the software already exists; it’s working out missing DNA sequences, which are just a string of likely letters to it).

“Most people can’t be bothered with” is the underpinning of his point. Can’t be, won’t be, aren’t able to. I have worked IT security administration, audited people’s passwords, set policies, led seminars, impressed the utter importance of using strong passwords, and teaching people password techniques doesn’t work. Soft-enforcing password policies doesn’t work – even when their multi-million dollar jobs and businesses are on the line!
- Ito Kagehisa
  
  I think I just refuted Mr. Honan’s claim that people can’t memorise long complex passwords. And nobody really needs to understand any of the technicalities, they just need to use a long complex password. Look at it this way: my children had memorized a randomly ordered 26-character string when they were two years old – because I sang them the alphabet song for two years. Anyone who can use a computer productively can memorize at least 26 character strings easily.
  
  If you want, I will happily give you a couple dozen long passwords from the very same algorithm I made up for the previous post. You may use all the DNA software you like, for as long as you like, and get back to me when you figure out the song I (ab)used. Then I’ll give you another dozen from an algorithm you don’t know (maybe the one I actually use ^_^ ) and you can get back to me with a solution some time after the heat death of the universe.
  
  Honan’s few valid points are not issues with passwords; but rather an issue with access controls. If access controls can be subverted, trivially reset, or intercepted it doesn’t matter how hard to crack they are. Pinning this on passwords is like saying cows are bad because they are the only animal with hooves.
  
  Your own points are better made. People’s behavioral issues are not trivially solvable! And there will always be people who look at examples of good password algorithms and pick one, instead of making their own. Back in the day when we used to troubleshoot Novell networks we always knew we’d find networks numbered 1, 5, and 7 – number one is what hyperrational people always use for the first net they make, irrational people think the number seven is lucky, and number 5 was the example in the most popular book.
hughstimson

And you expect people to accurately enter “DuthhhDcdthwDwctncHttkDCwDCwDBtfbtcOwtcD” or the equivalent on their phone keyboards?
kromelizard

Yeah… your password creation method works for one, maybe two or three, passwords. But as a general practice? Is completely unworkable, as are most secure password practices. As so many security experts harp on about, you should have multiple unique passwords, one for every login the most extreme encourage. And they say you should change them periodically. The average person has many, many more than just one or two they have to keep track of. I, personally, have:

Three active email addresses
Four active social media accounts
Three active bank and financial services accounts
Four active utility accounts
Two streaming video services (kind of stupid but Hulu and Netflix don’t individually offer enough)

Not to mention a login on every online site that requires one for purchase that I have ever shopped on and whatever other junk I’ve created a login for and forgot about.

That’s 16 passwords needed in my day-to-day life and I haven’t even gotten to the passwords needed for my job. You could add another dozen for that. That’s approaching thirty distinct login and password combinations I have to accurately enter on a regular basis in order to get through the day, plus probably another ten or so that I do not use regularly. Using a distinct secure password combination for each and every single one of them, something like what you suggest is utterly impracticable. Unless, of course, I just write them all down. But then I expose myself to password theft by those nearby.

This is the problem with passwords, and why pretty much all advice about creating and using strong passwords is completely worthless.
http://twitter.com/coherent_light Scott Elyard

“DuthhhDcdthwDwctncHttkDCwDCwDBtfbtcOwtcD”
There seriously must be a better way than this. This is terrible. I don’t care what mnemonic you used to come up with it, just entering this on a regular, full-sized keyboard is going to be a serious pain, and on a mobile? Prone to error, and frustrating as hell to re-enter.

Remembering where the non-alphanumeric or just number characters are supposed to be wedged into this is a problem, too, since a lot of places require these. It almost makes sense to just request a new password/reset every time I visit a site.

ethicalcannibal

I agree with this. I have so many passwords for school, work, social. I can’t keep up with them all. I tried some of the password management solutions, but they were so damn inconvenient. Can’t use it on this device, or that device. Lost your log in to that? Lose everything. Also, some of these solutions are expensive, which doesn’t work for me.

My solution? To keep a small pretty bound book in my nightstand with all my passwords in it. I have over 200 entries. There is no way I can sort that all out without help. Not and keep the passwords on a level that would be considered secure, with minimal redundancies.

I’m an egregious case, but I’m not the only one. How many people keep the same password for everything? Keep it on a sticky under their keyboard? This password method seems to fight against what most (Non techy) users can and will do to protect their information. I am vaguely aware of what I should and shouldn’t be doing for passwords, but in my day to day life, that doesn’t really help me. I simply have too much to access.

Nadreck

There are a lot of concerns about computer security today but this article isn’t a good starting point to think about them. It conflates several problems into “the password problem”: the modern insecure operating systems, putting sensitive information in clear-text files stored on remote servers, the wilful reckless negligence of service providers, the mono-cropping effect of Windoze and so on. It, like most other discussions on the subject, ignores the existence of password keychains and password management systems: which have been around for decades. If users have no internal memories and can’t be trusted to generate non-trivial passwords then just generate them all from /dev/random and give them one password to remember: the keychain password. It’s no cure-all but it’s at least a starting point to deal with one security problem. Can we please stop talking about remote passwords as if they *have* to be human usable or generated by non-pseudo-random algorithms?

Also missing is a discussion of relative security. No one expects the lock on your front door to be perfect or to be 100% of your security. But if it’s even slightly better than your neighbours and you take the time to do something about your windows’ security most thieves will pass you by for the low-lying fruit.P.S. – Before someone brings it up: yes, if someone then steals your keychain file and the password to it is “password” then you’re doomed but if your OS is that insecure you’ve got multiple keyboard loggers installed and are doomed anyway. As the author of this article finally gets around to discussing, no security component can ever be fully trusted. You get trapped in an infinite regress of “Well then, if a is less than 100% reliable I’ll use b to protect it. But wait! B is less than 100% reliable too so I’ll use c to protect it. But wait!….”In the end you have to put your foot down and trust *something* or (better yet) a weighted average of somethings.

bardfinn

Well, password keychains are wonderful things. There’s a problem with them – they’re on one system.

People – even in this age of personal mobile computing – don’t use just one system. They use the computer at the library to get access to Lexis Nexis, the one at the courthouse to look up open cases, their blackberry for their work email because it is mandated, their child’s / spouse’s iPad for a game, their Nook for web surfing … that’s five machines, with five different keychain files, and five different keychain management systems, if indeed they all use keychain management — which they don’t.

It doesn’t matter if the keychain is used, or is strong, if there is no widely-accepted and widely-implemented strong keychain management solution, if it is trivial to socially engineer a password reset and intercept it.

Google recently introduced application passwords – one-time use, per-application-per-device, strong awesomesauce, and which relies on your device’s keychain management (your device’s own authentication). It’s a step in the right direction, but people still need to log in to the web interface, and still need to remember a password to do that.
kromelizard

Keychains offer no real solution to someone who needs to be able to access from multiple machines of variable security levels. Which is a not terribly uncommon need e.g. workers who don’t have fixed workstations, people who need to use public machines like library systems or student’s using school computer labs, or just a user with multiple devices with incompatible operating systems.
Nadreck

Both bardfinn and kromelizard bring up excellent points about keychains. We could go from there to ask why OS vendors don’t support cross-platform PKCS cryptography standards so that you could put your keychain on your keychain drive and why it’s a bad idea to access the accounts you use to pay your mortgage via your PS2 or the library computer.

But my main point is that articles like this seem to come from some odd parallel universe where keychains don’t exist. They don’t even begin these discussions and make sweeping statements about how really long random passwords can’t be used because you *have to* memorise them.

redstarr

When my hubby played World of Warcraft, there was quite a bit of trouble with people’s accounts being hacked. My hubby’s account, even with a somewhat difficult password he used only for that, linked to an email he used mostly only for that, still was broken into. Then Blizzard came out with the authenticator devices, a little plastic keychain type thingy that you had to use in addition to your regular password. He never had another security problem again. No one he played with that used the authenticator had any troubles.

While I wouldn’t want to have a whole cabinet’s worth of little plastic gizmos to be able to log into each and every site I use individually, I could see having them for things that would be a big hassle if they were messed with like email, facebook, online banking,etc.

Ito Kagehisa

That thingy is a SecureID token, and they are great. But they are vulnerable to nearly all of what Mr. Honan’s talking about – which is theft and fraud and bad systems engineering. From the article:

For example, last spring hackers broke into the security company RSA and stole data relating to its SecurID tokens, supposedly hack-proof devices that provide secondary codes to accompany passwords. RSA never divulged just what was taken, but it’s widely believed that the hackers got enough data to duplicate the numbers the tokens generate. If they also learned the tokens’ device IDs, they’d be able to penetrate the most secure systems in corporate America.

So Blizzard moved their access controls out of their own (clearly incapable) hands into RSA’s hands, which was a huge improvement (my son had similar experiences to that of your spouse) But then RSA got cracked, and they tried to hide the fact they’d been compromised, and they are still hiding the details of what happened and how bad it is.
- Ttttst
  
  FYI, Blizzard doesn’t use the RSA device. They partnered with VASCO and use theirs.
  
  And while obtaining a database of token keys is a pretty huge win for hackers, they still have to match each key with the otp algorithm and then figure out which user ID it is associated with. This is still a more complicated process than just capturing passwords.

http://glitch.tl/ Michael Smith

I am applying for work at the moment and every online job registration form has its own authentication system. So I usually use the same username/password combination but some of them have extreme password security requirements so in practice I hardly ever revisit these forms without using password recovery by email.

http://anti-virus-rants.blogspot.com imaguid

the problem with all the arguments for ditching passwords is this:

computers can only operate on information. when it comes to ‘something you are’, ‘something you have’, and ‘something you know’, information falls into that last category. the information may not be stored in your brain, but the computer doesn’t care where it came from. all the computer cares about with respect to authentication is whether this piece of information matches that piece of information.

good luck getting rid of passwords – in the digital world, all authenticators are reducible to passwords because they all have to be converted into information in order for the computer to operate on them.

when you stop focusing on the analog world’s question of “password, token, or biometric?” and start focusing on the digital world’s question of “how can i keep my authentication info secure?” you’ll be approaching the problem from a much better angle.

DewiMorgan

Proving that you are you, and someone else is not – has not, and never will be, possible over the internet.
It’s close to impossible in person, for crying out loud!
It’s a very interesting problem, but the closest you can get is approximations; levels of certainty.

Andy Reilly

The problem with this article is that it blames the password, but keeps holding up examples where people social-engineered their way into an account that was then linked to other accounts, or where people hacked into a company like RSA and then RSA hid the true damage from customers. Accounts that are easily social-engineered, bad. Linking accounts, very bad. Weak passwords, bad. Thinking that a device (like RSA’s token) magically fixes everything, bad. Also, never backing up your stuff because it’s spread across many devices, all of which respond to a remote wipe command?? Bad. He really should title the article, “How Even Someone Who Writes for a Tech Mag and is Surrounded By Tech Can Have Awful Security Practices”. But that wouldn’t have been nearly as hyperbolic. Or maybe just “Linking your accounts will get you hacked!”. Because that’s where it all went wrong for him, having all his accounts linked to one that had a terrible password reset policy. I guess you could justify his “THE SKY IS FALLING!!” take on it, that hopefully the people that read his stuff will change their ways.