June 03, 2013

The Fearless Password Killers, or Pardon Me, But Your Teeth Are in My Data

A few days ago, in Die Passwords! Die!, I suggested that the venerable password -- despite the addition of extremely useful techniques such as multiple-factor authentication and other extensions -- is coming to the end of its usefulness in our 21st century computing and communications environments, and I discussed some possible evolutionary authentication regimes that seem likely to ultimately replace passwords in many venues.

Most of the reaction was quite positive, but there definitely are dissenters within my inbox as well, largely paraphrasing Mark Twain from 1897, to the tune that "The report of the death of passwords is an exaggeration."

This conveniently permits me to wring some additional mileage out of the implicit horror movie motif of "Die Passwords! Die!" -- and I'm not letting that opportunity pass by unrealized to its full potential.

We need only look to the stereotypical vampire film for inspiration.

Our heroes "the vampire killers" arrive in a small village. Usually there's a leader who has some sort of honorific prepending their name, like Professor Abronsius, Captain Kronos, or Dr. Van Helsing. The remainder of the crew are usually essentially the flunkies who sharpen the wooden stakes.

Despite the often horrific attacks visited on the townspeople at intervals by the local vampire or vampires, the residents may simply want the vampire hunting visitors to just go away, leave well enough alone. They've learned to live with the vampires -- deploy plenty of garlic and an occasional sacrificed virgin -- and fear any "tampering" will just make matters even worse.

To compare the "password protectors" with these terrified villagers is tempting but not entirely fair, since there are indeed arguments to be made in favor of preserving at least the outlines of our existing password system, though I personally don't feel that those arguments on balance win the day.

It's suggested that hardware-based systems could isolate password-related data in a way rendering it at least theoretically invulnerable to the sort of password hash file breaches that have now become all too common. But buying and installing new specialized hardware like this seems like a non-starter for most environments, from both cost and an array of logistical standpoints.

We're urged to find ways to get users to pick longer passwords and more random passwords. We're told we must convince them not to share passwords in ways that would allow a failure at a weak site to compromise authentication at a stronger unaffiliated site. We're reminded again about multiple-factor authentication, key management tools, one-time password systems, and other purported silver bullets.

And indeed, all of these methodologies -- to one extent or another in different sorts of consumer and enterprise environments -- can definitely make a big difference toward improving authentication security -- if designed properly, if implemented appropriately, if deployed correctly, and if used responsibly and diligently by consumers. That's a whole bunch of "ifs" to deal with.

But it's still all ultimately a holding action. You may be able to momentarily stall your friendly neighborhood vampire by holding a crucifix in front of their face, but you can't keep up that pose indefinitely, and vampires can be remarkably patient in such situations -- they usually have more time than you do.

I understand why many persons have concerns about "federated" authentication systems, biometric or other personal identifiers, and various combinations and permutations of these concepts.

And as I've acknowledged, doing these systems right -- in ways that provide appropriate compartmentalization and granularity of access to authentication credentials -- is an extremely complex task from both policy and technical standpoints. Yes, there are lots of "ifs" here as well.

But there is a big difference with these non-password techniques, and while I don't want to sound condescending about this, the truth is that if we depend on most non-techie, busy users to voluntarily manage their password environments correctly in the long-term, we are actually doing them a grave disservice.

It's easy for techies (perhaps like you, certainly like me) to forget that most users have neither the time nor the inclination to be worrying about authentication details -- until something goes wrong, and panic sets in. It's not the techies I'm worried about -- we'll manage one way or another -- but it's the consumers who don't want to have to be security experts just to access their mail or bank accounts. The more complicated the demands we make of them -- choose the right passwords -- use the correct key management tools -- do this -- don't do that -- the less likely that we're going to see good outcomes overall.

In the final analysis, this is why I feel that passwords have seen their day, why we must be moving on and finding our way to better solutions, albeit requiring a lot of deep thinking and hard work on our parts.

You can try to live with vampires, and you may manage it for a while -- but in the long run it's going to be either them -- or you.

I strongly believe that we have the technological capabilities to solve authentication problems in ways that will be better for consumers and everyone else involved, without leaning on password models that are increasingly problematic.

We know how to solve such problems, if we set our minds to it -- it's very much part and parcel of what we do best.

In other words, it's -- wait for it -- in our blood.

--Lauren--

Posted by Lauren at June 3, 2013 11:37 AM
Twitter: @laurenweinstein
Google+: Lauren Weinstein