Sunday, March 14, 2010

Doing passwords wrong

Following up on my previous post regarding the password alternatives discussion, there are clearly advantages to using passwords, mostly in terms of convenience for the user and the site or service operator.  Passwords are easy to set up, and act as a persistent shared-secret auth correlator token for identity.

However, as a single datum for identity correlation, there are several failure cases for passwords. 

First, 2 quick definitions:
a) losing a password: my password is no longer accessible to me, e.g. I forgot it, or it was changed.

b) password is compromised: someone else can use my password.  (The amazing Jeremiah Grossman has a recent blog post on how password compromises can happen, as well as some potential work-arounds.)


Now, the failure cases:

1) Password protects something important.  What will happen if my password is lost or compromised?  Will I lose money from someone compromising my online banking password?  Will one of my friends post as me on Twitter if I leave my computer unlocked?  Or did the only person who knew the code to the armory door just get shot during an attack?  If there is harm that can be avoided by using other security measures, is it worth the probable inconvenience to overcome the potential for that harm?

2) Password can be intercepted.  Can someone else compromise my password by watching it in its path between me and the site/service?  The classic response to this question is "We use SSL/TLS" - which encrypts the network traffic so it can't be read if it's intercepted.  However, an equally effective form of this attack is shoulder-surfing, where I simply watch you as you type your password.  The classic solution for shoulder-surfing is user education.  However, attendees at a recent security conference seemed oblivious to being shoulder-surfed, even by someone taking their picture.

3) Password can be stolen.  There are several well-established techniques for verifying passwords that don't require the site/service to keep the password around.  Storing the password - even in an encrypted form - isn't necessary.  Furthermore, if the password isn't stored in any form from which it can be recovered, then it can't be stolen, even if someone copies all of the files from the server.
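As an added illustration of the point above (example code written for this post, not something the original author published), here is one of those well-established techniques: store only a per-user random salt and a one-way derived key, then verify by recomputing the derivation.  The verifier string format, the iteration count and the salt size are this example's own choices and should be tuned for the deployment.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Tunable parameters; these values are assumptions for the example, not a recommendation.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing verifier: pbkdf2_sha256$<iterations>$<salt>$<key>.

    The password itself is never written anywhere.  PBKDF2 is one-way, so a copy
    of the stored record does not yield the password; the salt makes two users
    with the same password produce different records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(key).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derivation from the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_b64, key_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(key_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, int(iterations))
    # hmac.compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(candidate, expected)


def build_user_table(credentials: dict) -> dict:
    """Simulate what the server keeps on disk: usernames mapped to verifiers only."""
    return {user: hash_password(pw) for user, pw in credentials.items()}


if __name__ == "__main__":
    # Constructed sample accounts; note the two identical passwords store differently.
    table = build_user_table({"alice": "correct horse", "bob": "correct horse"})
    for user, record in table.items():
        print(user, record)
    print(verify_password("correct horse", table["alice"]))  # True
    print(verify_password("fluffy", table["alice"]))         # False
```

Nothing in the stored table is reversible, so a dump of it gives an attacker only the (slow) option of guessing, which is exactly the failure case the next item deals with.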

4) Password is guessable.  If the password is based on PII, it's a lot easier to guess.  If your dog's name is Fluffy and your password is "fluffy", then I can probably guess your password, especially if it's the password you use for the blog about that dog.  There are tools specifically made to gather information about people - and computers are very patient at trying lots of passwords.
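A defensive counterpart to the "Fluffy" problem, added here as example code (not from the original post): when a user picks a password, check it against the things already known about that user, plus a short deny-list of common passwords.  The profile fields, the deny-list and the matching rules are constructed for this example; a real deployment would use a much larger list of common passwords.

```python
import re

# Constructed sample deny-list; a real one would be far larger.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}


def _normalize(text: str) -> str:
    """Lowercase and drop everything that is not a letter or digit."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def profile_terms(profile: dict) -> set:
    """Split each profile value into words and keep the usable ones (3+ chars)."""
    terms = set()
    for value in profile.values():
        for piece in re.split(r"[\s@.\-_]+", str(value)):
            normalized = _normalize(piece)
            if len(normalized) >= 3:
                terms.add(normalized)
    return terms


def password_problems(password: str, profile: dict) -> list:
    """Return a sorted list of reasons the password is guessable (empty = no problem found)."""
    problems = []
    core = _normalize(password)
    # "fluffy2010" -> "fluffy": trailing/leading digits do not make a name hard to guess.
    stripped = re.sub(r"^\d+|\d+$", "", core)

    if core in COMMON_PASSWORDS or stripped in COMMON_PASSWORDS:
        problems.append("common password")

    for term in profile_terms(profile):
        # Either the profile word is inside the password, or the password is
        # just a piece of a profile word (e.g. the dog's name inside a username).
        if term in stripped or (len(stripped) >= 4 and stripped in term):
            problems.append("derived from profile term '{}'".format(term))
    return sorted(problems)


if __name__ == "__main__":
    # Constructed profile, echoing the blog-about-your-dog scenario.
    profile = {
        "username": "fluffylover",
        "dog": "Fluffy",
        "email": "jane.doe@example.com",
        "city": "Portland",
    }
    for candidate in ("Fluffy2010", "password1", "correct horse battery"):
        print(candidate, "->", password_problems(candidate, profile) or "ok")
```

This rejects the passwords that a patient guesser with a profile in hand would try first, without asking the user to satisfy a character-mix rule.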

5) Password is too complex.  One answer that has been proposed to several of these failure cases is to enforce complex passwords - must be at least 8 characters, mixed case, at least 1 number, etc.  This is not the way most people are used to thinking.  As a result, it becomes difficult for most people to create a password that satisfies these criteria which they can actually remember.

6) Password reminders / reset.  The demands of complex passwords tax the capacity of the average user to create a strong password, and exceed their ability to remember that password.  Mindful that these passwords should not be written down (even in pencil), users naturally forget.  System designers must therefore add in password reminder or recovery methods - which of course become alternate means for attack.  Quick show of hands - whose first car was a Honda?  (Keep your hands up while I write this down... j/k).

No wonder there is a desire to avoid passwords - they're the worst solution, except for all of the others.

Coming soon:
  • Doing passwords right, or at least not failing
  • Parameters for non-password authentication
