In cyberspace we are facing password fatigue, caused by having to recall (seemingly) endless streams of (apparently) unrelated numbers and letters at odd times. One answer is to make those passwords longer and more incomprehensible. The logic here is that people have an unlimited capacity to remember such things, or perhaps they have an unquenchable desire to write passwords on yellow post-it notes. Why do we want or need passwords at all?
Mike Johnstone is a Security Researcher and Senior Lecturer in Software Engineering at Edith Cowan University.
We want to be assured that only the right people (ourselves) have access to the information contained in the systems we use. Witness the after-effects of the Ashley Madison hack.
So many passwords
Privacy is a basic human right and one that many people take seriously. Authenticating to many systems is something most of us do without thinking every day. Unfortunately, those systems often have different rules about what is considered a good or acceptable password.
The need to remember competes with the requirement for security leading people to devise memorable (to them) schemes for passwords that they think are unique and unguessable.
For example, if I have to access 12 systems, I might use the months of the year, coupled with my birth date and rotate combinations around. At face value, this appears a clever scheme because no-one else knows my birth date.
Except of course for several government agencies, health service providers, an insurance company or three, some social media systems (which might have been hacked recently) and anyone else with whom those bodies share information. Of course, then there are my family and friends with whom I like to celebrate my birthday each year.
I could use the dog’s name instead. No one is aware of that. Except of course for the local vet, anyone who hears me yelling at the dog down the local street, my legions of Facebook friends and so on.
Coming up with so many different and apparently secure passwords that you can remember can be tricky, despite the many tips and guides, hence the password fatigue.
One potential solution is a single sign-on for many systems (into one, into all) – an idea which is interesting, but also has its own issues.
A different approach
To quote from Led Zeppelin’s Stairway to Heaven: “Yes, there are two paths you can go by, but in the long run, there’s still time to change the road you’re on.”
One path is systematic, based on the idea that if small passwords are bad, the answer is larger, more complex passwords. For example, Microsoft now says it wants to compile a list of what it calls dumb passwords that will not be allowed on its system.
That dumb passwords are a problem is undeniable, as the online security company SplashData gleefully publishes its annual list of the most common passwords, where “password” and “123456” are, ahem, quite high in the list. This shows people choose convenience over security when it comes to setting a password (but they still want privacy).
The systematic response is that users are constantly being asked to set more complex passwords with upper, lower case, numbers, symbols etc., to the point we get password fatigue. Asking us to keep changing passwords just encourages minor or incremental changes to the same supposedly unguessable passwords, something even Britain’s intelligence agency GCHQ recognises is a problem.
This mode of thinking works well for some problems, but the whole idea is rendered moot when anyone can easily download a lists of millions of the most common passwords.
Yes, “123456” can be cracked in a fraction of a second, but a random 15 character password could be cracked in less than a week using relatively inexpensive hardware. It all depends on the time value of information. Your bank account will still be there in seven days (the funds remaining therein are a different matter).
Think again
Do we need to re-think the whole system? The other path is a systemic approach. This uses the concept that components of systems are connected in ways that are not immediately obvious.
An example of a systemic effect, that could not have been predicted directly, is where Cornell University’s associate professor Garrick Blalock and his colleagues found that driving fatalities in the United States increased significantly after the September 11, 2001 terrorist attacks. The reason? People chose to travel by car in place of aircraft, the former being much more dangerous.
So what might a systemic solution to password fatigue look like? If longer passwords are not the answer, but we still need to authenticate ourselves, why not dispense with passwords altogether?
When we provide a credential, it is one (or more) of something we know (a password), something we have (a card) or something we are (some physical property of ourselves).
It is this latter idea that is most attractive. A biometric signature – such as your iris, retina, thumbprint or voice print – means not needing to remember anything, not having to bring an access card. You just be yourself and some property of you will identify you. Such a system would be very hard for any cyber criminal to replicate or hack.
At present, biometric solutions are expensive (compared to other technology) and imperfect (they get it wrong more than we would like), but the future would be nicer if you could phone your bank account and be authenticated by your voice print.
You could then simply ask to transfer ‘X dollars’ to the travel agent for a holiday and book a rental car, all at the same time, without having to remember three separate passwords (or you could just talk to a real person).
This article was originally published on The Conversation.
Comments
10 responses to “There Must Be Smarter Security Than A Ban On ‘Dumb’ Passwords”
Article Summary:
Passwords suck.
All current alternatives suck more.
I wish people smarter than me would solve this problem.
This was the best a senior university lecturer in software engineering had to offer?
and your solution to passwords/passphrases is?
Double factor authentication.
But you know, if I were a senior university lecturer in software engineering who felt a need to write 950 words on the subject, I might posit an even better idea!
A ban on dumb people..
He probably saves the big guns for when he gets paid for his advice…
I surprised he didn’t suggest 2FA or 2SV as something to enable if feasible…
https://xkcd.com/936/
Pretty good solution. Probably dont use ‘correct horse battery staple’ though.
What about an open platform one time password system. You sign up to a system, than have a relationship establisthed between it and any system you wish to access. You can then have an app on your phone or computer that provides the password you need to enter.
Oh wait that already exists………
Shouldn’t most systems lock the account after a few incorrect attempts at ‘guessing’ the password? So even the most basic passwords should be reasonably safe. Am I missing something?
Auto lockout is useless if the password DB gets into the possession of hackers and the passwords are decrypted.
Having complicated password delays the process.
Dictionary-based passwords are run against it first when a hacker does their brut force.
The problem worsens if the compromised account holder has reused the password multiple times.
The problem with biometrics is that you can’t change them. Once any auth based on that is stolen, it’s now useless forever.
Worse, current face and voice recognition tech can fairly easily be spoofed, for example: http://www.popsci.com.au/tech/face-recognition-security-even-with-a-blink-test-is-easy-to-trick,401860