
The Password Is…

Riverbank Ruminations; Observations from The Banks of The Technology River

Tom Evans ~  Ashton Engineer Emeritus

From 1961 to 1975, Allen Ludden hosted a game show where two celebrity-contestant teams tried to guess words by giving one-word clues. An unseen announcer would tell the viewing audience what the ‘password’ was. It was interesting to see how people tried to get their partner to say the correct word when the hint could only be one word.

These days, compliments of the unending stream of data breaches, the bad guys don’t even need one-word hints and they don’t need to guess your password. If you fall into the majority of computer users, you reuse passwords and worse, they’re probably weak passwords.

Weak passwords used to be the main sin that needed to be eliminated in computer use. What used to be the definition of a weak password? A password that did not have a mix of upper case, lower case, numbers, and special characters. Based on that thinking, many websites put up so-called ‘strength meters’ to measure how good your password was. Unfortunately, most of these meters would say that P@ssw0rd! was a ‘strong’ password. Hopefully, you see the fallacy here. Is this a better password: horsebatterystapleorange? Actually, unless you have used it before, it is MUCH better, even though it is all lower case. It is better because it is longer. After not using a password more than once, the next most beneficial characteristic is length; the longer the better. Most experts now suggest at least 12 characters (not the old standard of eight), and 16-20 characters is a much better length for passwords today. The reason is that the horsepower needed to crack eight-character passwords is readily available, while even much longer passwords can be cracked with some relatively inexpensive equipment if the bad guys have the incentive to take the time. Data breaches remove even the need to take that time.
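As an added illustration (not part of the original post), here is a constructed comparison in Python of the class-counting meter the paragraph criticizes against a check that puts reuse and length first. The short breached-password list, the 14-character minimum from the next paragraph, and the 64-bit search-space threshold are assumptions made for this example.

```python
import math

# Constructed stand-in for a breach corpus; a real check would query a
# far larger list (or a k-anonymity API) rather than a handful of strings.
BREACHED = {"password", "p@ssw0rd!", "123456", "qwerty"}


def _classes(pw: str) -> dict:
    """Which character classes the password draws from."""
    return {
        "lower": any(c.islower() for c in pw),
        "upper": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "special": any(not c.isalnum() for c in pw),
    }


def naive_meter(pw: str) -> str:
    """The classic 'strength meter': strong only if all four classes appear.
    It ignores length entirely and knows nothing about reuse."""
    return "strong" if all(_classes(pw).values()) else "weak"


def keyspace_bits(pw: str) -> float:
    """Brute-force search space in bits, assuming the attacker already knows
    which classes the password uses (the worst case for the defender).
    Special-character alphabet size of 33 is assumed (printable ASCII minus alnum)."""
    sizes = {"lower": 26, "upper": 26, "digit": 10, "special": 33}
    alphabet = sum(sizes[k] for k, used in _classes(pw).items() if used)
    if alphabet == 0:
        return 0.0
    return len(pw) * math.log2(alphabet)


def length_first_meter(pw: str, min_len: int = 14, min_bits: float = 64.0) -> str:
    """Reuse first, then length, then search space: the ordering the post argues for.
    Thresholds are assumptions for this example, not a standard."""
    if pw.lower() in BREACHED:
        return "breached"
    if len(pw) < min_len:
        return "weak"
    return "strong" if keyspace_bits(pw) >= min_bits else "weak"


if __name__ == "__main__":
    for pw in ("P@ssw0rd!", "horsebatterystapleorange"):
        print(pw, naive_meter(pw), length_first_meter(pw), round(keyspace_bits(pw), 1))
```

The all-lowercase passphrase scores roughly 113 bits of search space against about 59 for P@ssw0rd!, which the naive meter nonetheless rates as the stronger of the two.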

Let’s take 14 characters as a minimum, and let’s impose no other requirement on the composition other than it must be a random sequence. In general, humans don’t do well remembering random sequences. Having to remember 200 or so for all the online and business accounts people have would be next to impossible, even if someone wanted to do it. Hence the move to eliminate passwords. We have a collection of add-ons to bolster passwords or hopefully replace them. We have MFA, 2FA, authenticator apps, authenticator tokens, security keys, and let’s not forget everyone’s favorite, biometrics.

While there has been an endless stream of articles and conference sessions on the imminent death of the password, it is still the basic form of authentication. A search for the phrase “end of passwords” yielded 2,870,000 results.

I think I can say without fear of contradiction that everyone hates passwords. So why are they still in use? Because they are easy to implement, plain and simple. However, since they are proving to be less and less effective as a security measure, we see other things being tried.

Let’s take biometrics. I was watching a science fiction show on TV the other night. To gain entry into the top-secret lab, the agent had to pass a palm scan and a retinal scan. That seems safe and effective. Of course, the civilian version of that is seen today on many phones and laptops that allow you to log in using a fingerprint scan. How secure is that for you and me? This article highlights an interesting situation. It seems a man whose fingertip was cut off in an accident wound up saving that fingertip in alcohol and was able to register the print on his phone. While it hasn’t been rigorously verified, this isn’t supposed to work. It calls to mind the movie tropes where a dead person’s hand is used to get past biometrics. According to the article, while consumer-grade detection can be fooled, there are solutions for situations where you want to assure the biometrics are from a living person.

I wanted to try some biometrics. I used to have a Dell laptop that had a fingerprint reader. I loved the convenience of swiping a finger to log in. My new laptop doesn’t have that. Back to a password. Microsoft has been touting Hello Face and supposedly millions of people are using it. I tried setting it up and got this message. It turns out you need a camera that is capable of doing a 3D scan. The built-in camera is not capable, so I would need to spend $200 for one that is. Not convenient. I’ll stick with passwords for now.

What will it take to move beyond passwords? A reliable, secure, easy-to-use solution will be mandatory. It will need to account for the mistakes users make and will need to have some mechanism for verification that can’t be circumvented. In addition, a more recent article about moving beyond passwords offered some other prerequisites:

As organizations begin to spin up consumer-facing passwordless systems, it’s important to ensure they work with all major web browsers and across all major platforms, cloud services, and operating systems. It’s also essential to offer different ways to authenticate, including non-biometric methods such as a PIN that’s stored in a device’s TPM. For some, this can help alleviate privacy concerns.

The skeptic in me says that this will take a long time (internet time) before it can be accomplished. In the meantime, get a password manager.