Good things about passwords:
- they're portable as long as your brain's storage functionality still works.
- they're dirt cheap. It costs nothing to change a password.
Bad things about passwords:
- they rely on human nature, and human nature has a hell of a lot of design flaws / features. Human nature is complex and easily compromised.
- they make life difficult
The above can be expanded to:
- people forget passwords
- people write passwords down and make them available to the public
- people choose the same password to protect different things
- people have very bad risk evaluation. They give out their passwords for chocolate and pens.
- people are willing to go around password and security policies to make life easier
- people simply love to use patterns, names and other easy to guess words. People don't have a /dev/urandom.
- people make use of publicly available information as their passwords
- people think that they have nothing to hide (goes with risk evaluation) and they have a false sense of security
Passwords are easily forgotten when they follow the usual recommendations, i.e. that they need to be long, random and not a word in the dictionary. Who's going to remember a password like "gh6j0kfoOPIja["? Well... I wouldn't go as far as to say no one, but if you would, please drop me a ping, I'd love to get to know you.
The problem isn't just that - people are expected to make use of various passwords like the one above for different cases. That, coupled with changing those passwords every few days, is a huge headache.
The issue is not just the (little known) fact that all this is not sponsored by one of the pharmaceutical companies. No, the problem is that for security to be effective, it needs to be usable. And if it is not usable, then people who want to get work done will bypass it. At the workplace, this usually boils down to employees circumventing these password policies and finding ways around them.
I can think of the following common bypasses:
- patterns. Password needs to be 10 characters? No problem! This month it will be 1234567890 while next month it's 2345678901.
- password sharing. I tell you mine if you tell me yours; when I forget mine, hopefully you'll remember mine.
- post-it notes. These are the all-time yellow enemies of passwords. Do you trust a yellow paper stuck on your screen with your password? A lot of people seem to.
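The "patterns" bypass above is something a password-change routine can catch at the moment both the old and the new password are in hand. The following is an added example (not code from the original post), written in Python with no outside dependencies, that refuses a new password when it is a cyclic rotation of the old one (1234567890 to 2345678901), the old one with only a trailing number changed, or a plain sequential run. The function names and rejection strings are my own choices.

```python
import re

def is_rotation(old: str, new: str) -> bool:
    """True when `new` is `old` shifted cyclically, e.g. 1234567890 -> 2345678901."""
    if not old or len(old) != len(new):
        return False
    # Every rotation of `old` appears as a substring of `old + old`.
    return new in (old + old)

def is_sequential_run(pw: str) -> bool:
    """True when each character follows the previous one (1234..., abcd...),
    allowing the single wrap-around seen in 1234567890 (0 after 9)."""
    if len(pw) < 4:
        return False
    wraps = {("9", "0"), ("z", "a"), ("Z", "A")}
    for a, b in zip(pw, pw[1:]):
        if ord(b) - ord(a) != 1 and (a, b) not in wraps:
            return False
    return True

_TRAILING_DIGITS = re.compile(r"\d+$")

def is_counter_bump(old: str, new: str) -> bool:
    """True when `new` is `old` with only its trailing number changed (Summer01 -> Summer02)."""
    stem_old = _TRAILING_DIGITS.sub("", old)
    stem_new = _TRAILING_DIGITS.sub("", new)
    return bool(stem_old) and stem_old == stem_new and old != new

def reject_reason(old: str, new: str):
    """Return why a password change should be refused, or None if it passes these checks."""
    if new == old:
        return "unchanged"
    if is_rotation(old, new):
        return "rotation of previous password"
    if is_counter_bump(old, new):
        return "previous password with a different trailing number"
    if is_sequential_run(new):
        return "sequential characters"
    return None

if __name__ == "__main__":
    # Constructed sample changes, the first one straight from the post.
    for old, new in [("1234567890", "2345678901"), ("Summer01", "Summer02"),
                     ("correct horse", "battery staple")]:
        print(f"{old!r} -> {new!r}: {reject_reason(old, new) or 'accepted'}")
```

The comparison only works at change time, when the user has just typed both values; it is no reason to keep old passwords around in plaintext. And a check like this raises the bar rather than removing the incentive: the usability point made above still applies, so pairing it with a policy people can live with (longer lifetimes, passphrases) matters more than adding rules.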
Know more? Kindly leave a comment.
So the main problem with passwords appears to be related to sanity and human nature.
What should I do to avoid insanity?
Use pass phrases of course! Actually I should be thanking the author of "Perfect Passwords", Mark Burnett. The book is interesting, short, easy reading and to the point. My personal favorite tip is to make use of pass phrases instead of passwords. This increases the entropy (based on the length) while keeping the secret easy to remember. Even if you do forget the pass phrase, it's always much safer to write down one or two hints somewhere safe than to write down hints for an actual one-word password.
By making use of unique passphrases, you will easily foil dictionary attacks simply because the attack is targeted against passwords, not passphrases. Passphrases, unlike passwords, are multiple dictionary words rather than just one. But what about guessing attacks involving multiple words, aimed specifically against passphrases? That's where methods such as substitution come into play. For example, the passphrase "the quick brown fox jumped over the lazy dog" could become "The kwik whiTe f0x jumpd over the lazY dog".
While this goes a long way towards memorizing hard-to-guess secrets, it doesn't do enough to help remember multitudes of different passwords without falling into the trap of producing predictable patterns. It works very well for one or two passwords, but it's easy to run into memory problems when you try to apply it to tens of passwords.
The solution for this lies in shifting some of the memory work to the machine. Computers, unlike people, are very good at remembering things and working with large sums of numbers.
I like to take these two approaches whenever I can:
- storing the passwords in an encrypted database
- computing hard-to-guess passwords on the fly
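For the second approach, computing passwords on the fly, the following is an added example (my own, not the author's method) in Python using only the standard library. One master passphrase is stretched with scrypt, with the site, username and a rotation counter as the salt, so every account gets a different password and none of them is stored anywhere; the master never leaves the machine. The function name, parameters and the 20-character default are assumptions for the illustration.

```python
import base64
import hashlib

def derive_site_password(master: str, site: str, username: str,
                         counter: int = 1, length: int = 20) -> str:
    """Deterministically derive one password per (site, username, counter) from a master passphrase.

    scrypt is memory-hard, so recovering the master from a leaked derived password is expensive;
    the salt binds the output to the account, so no two sites share a password; bumping `counter`
    rotates a single site's password without touching the master.
    """
    salt = f"{site}\x00{username}\x00{counter}".encode("utf-8")
    key = hashlib.scrypt(master.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    # urlsafe base64 yields letters, digits, '-' and '_'; slicing keeps it within a site's limit.
    return base64.urlsafe_b64encode(key).decode("ascii")[:length]

if __name__ == "__main__":
    # Constructed sample inputs.
    master = "the quick brown fox jumped over the lazy dog"
    for site, counter in [("example.com", 1), ("example.org", 1), ("example.com", 2)]:
        print(f"{site} (counter {counter}): {derive_site_password(master, site, 'alice', counter)}")
```

The trade-off the text hints at shows up immediately: nothing needs to be stored, but a compromised master exposes every derived password at once, and a site that forces a reset makes you remember which counter you are on. The encrypted-database approach trades that for a file you must protect and back up.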
Both of these methods have their own uses and problems, which we will be looking into in the articles that shall follow.
One should not forget that password problems can be altogether avoided by making use of alternative means of authentication, such as smart cards, biometrics or token-based authentication. Just like anything else in security, the choice to go with one or another solution will greatly affect the overall security and usability; these are just tools, not a panacea.