💾 Archived View for tilde.team › ~aprilnightk › gemlog › 2022 › 06 › 12-passwords.gmi captured on 2022-07-16 at 14:34:42. Gemini links have been rewritten to link to archived content
-=-=-=-=-=-=-
DISCLAIMER: I'm not an information security professional. I'm just an information security amateur. Following is just my opinion.
I randomly stumbled upon some article disussing the possibility of the "passwordless future" and the obstacles that lie before it. Something about it made me a bit itchy, so I decided to think further about it and also discuss the issue with my friend.
What I'm more interested in is not "how to make passwordless future come sooner", but rather "why do we need a passwordless future" and "what's the problem with passwords in the first place"?
I mean, I might be wrong of course, but I seriously don't get it.
In the end of this post, I will provide my own method of generating passwords and writing them down. It's simple and effective.
So, what did we need the passwords for in the first place? Basically, to prove a right to access something, and to prove that we are the ones who have this right to access something.
Authorization is a process of checking whether an entity is _entitled_ to have access to something. You log in as Alice, so you can have access to Alice's data. You login as Eve - server denies you access to Alice's data.
But what if it's actually Eve who's trying to pass as Alice? This is where authentication comes into play. To provide Alice's information to Alice, we first need to make sure that who claims to be Alice is Alice indeed. Don't trust Eve, she's mischievous.
To recap:
The most basic idea is that in order to authenticate (and this is a golden principle), Alice must DO SOMETHING that nobody else can do without her permission in the same conditions. This is probably as abstract as it can get.
If Alice, in the process of authentication, does something that Eve could potentially do as well, that's insecure.
If Alice uses her birthday as a password, Eve could potentially figure that out, and since she knows when Alice was born, she can use it too to pass as Alice.
So, essencially, the problem is to provide the best framework for Alice to DO SOMETHING that nobody else can absolutely do. Password is, perhaps, the most obvious and (still) most widely used such framework.
So, what are the most popular objections against using passwords?
Problem #1: Good passwords are lengthy and complex and hard to memorize.
Problem #2: Good passwords are lengthy and complex and hard to input in a field, it gets especially tiring when you have to do it a lot.
1 and 2, logically, result into several security weaknesses:
Problem #3: People tend to disregard the password length/complexity guidelines, and use "ilovebradpitt" as their passwords.
Problem #4: People tend to reuse passwords, because remembering many password is a nuisance, so they use "ilovebradpitt" as their passwords for all their accounts. (No one has a slightest idea that Alice loves Brad Pitt! This password is so secure!)
Problem #5: As a result of 1, people tend to write down their passwords. In the best case, in some secure place. In the worst case, on a post-it note, or as a password hint (I saw that happen).
There are also another technical problem:
Problem #6: Servers are not necessarily storing the passwords securely enough. Some may store them as plaintext. Consequently, passwords may sometimes leak.
For an authentication framework to be viable, there must be some X, the basis for Alice to do something that nobody else can do without her permission.
This X can be one of the following:
I will admit that how the fifth one can be used is a mystery to me when it comes to IT, so I'll concentrate on the rest.
Something Alice knows can be a password. This principle is most easily implemented as a password.
So, logically, the alternatives to passwords tend to be based on the other principles.
But before we go on, let's go over this: what _should_ an actually good authentication framework look like?
Don't forget, we're talking about _passwordless_future_ here, at large. In a global sense. So, the most obvious thing is that this framework must be universal.
It must also be accessible to all people, as a direct consequence that it is universal.
With multi-factor authentication, we add something Alice has/is/does as an addition to something she knows. You know the drill, you still use a password but _also_ you add something else to the mix: your smartphone (something you have) is the most obvious example.
Why I'm not happy with it?
MFA isn't bad per se, but it technically still is based on passwords, just with an added layer of security. And this added layer of security fails the test of accessibility.
Not everyone has a smartphone. In general, it's very difficult to come up with something that EVERYONE in our world has, without exceptions. And that's what you need if you want your system to be really globally accessible.
I insist, and that's probably one of my most important points here: everyone can come up with a password, but not everyone has a smartphone, not everyone wants to have a smartphone, and God forbid you to force people to have a smartphone. That's the digital dystopia which is perfectly possible, and we should resist it for as long as we can. Smartphones are not universal and should never be.
At some point someone said: wait, but there is actually something that we all _have_: it's what we _are_! This is how the notion of biometric authentication came about. We have fingerprints and irises, and they're reasonably unique.
Why I'm not happy with it?
You see, not everyone is ready to provide their bodily information in order to authenticate. For whatever reasons. Therefore, this system cannot be universal and is not a viable replacement for passwords.
Let's go into further "whys" though. You see, you cannot and should not force people to use their bodies as an authentication means, because dystopia.
What I mean is that there already are databases of biometric data in banks and corporations. Doesn't that disturb you?
If you're not that ideological, though, here are other problems. Checking of whether the password is correct is pretty simple. Hash it and check if it matches, or something like that. With fingerprints and irises... It's a whole different story. False positives, false negatives - they are a thing, and I don't understand how a system based on a _probability_, however large, that you will correctly authenticate can become a universally accepted framework.
This checking complexity leads to the uncomfortable fact that biometric authentication has been fooled not once. Unlike passwords, out biometric data is _not_ something that no one else can forge. My iris, my fingerprint, my face - they are visible for all. You can photograph me, and there's a chance that this will be enough to fool the system. I don't buy the "algorithms will get better" argument here. You don't trust servers to securely store passwords, but you want me to believe that the evermore complex system of biometric identification will become foolproof? You want me to trust my biometric data will never leak?
And yes, I'm concerned about it, because unlike passwords, my biometric data cannot be changed (easily). When my password leaks, I just change my password - end of story. I can't change my fingerprints.
So, yes, I know that FIDO Alliance is all about storing your biometric data on your device and not any server, but that's just one problem among many of problems the biometric systems have.
It could be an alternative for people who will agree to use it. But it cannot and should not be the replacement for passwords. Same for MFA.
The whole point of this article is the notion that as a universal means of authentication we must use the lowest common denominator - something that only Alice knows, something she can always come up with, something she can control, something she can change, or give to someone in an emergency and then change ("Bob, I need you to login for me, real quick! Take my FINGERPRINTS!")
I'm talking about the password. I believe the passwords are here to stay, because no alternative is good enough to replace them in a gracious manner.
I know passwords are uncomfy. But comfort and security are most of the times inversely proportional.
When someone proposes you a system of authentication that makes it _easier_ for you to authenticate, you should ask: at what cost? At the cost of forgoing my data, my control, or, in the case of biometrics, my_self_?
We should learn to love the password, not to hate it. We may use the augmented versions of it (MFA), or we may (and should, by the way) use the enhanced versions of it (public-key cryptography is, essencially, a very long password with a twist) - but we still should and will use it, so we better:
People hate the password safety guidelines, the capital letters/numbers/symbols/Egyptian hyeroglyphs you need to put in to make your passwords secure, but they're the way to go. Create good passwords. If you can, use public and private keys. Ideally, systems should provide both, but they shouldn't forget the lowest common demonimator: a person who doesn't know and can't seem to understand how to use the SSH keys, but still needs to access the service.
Passwords (and variations of it) are the closest you can get to actually having control of your secret data. Learn to use them wisely, and you're good to go. Make the passwords an important part of your life. Aren't you really careful and considerate with your money, or, say, house keys? Elevate your passwords to the same level of importance in life.
If you hate long passwords, use password managers (though I don't use them and advice to not use them). If you're fine with long passwords, then you're good to go.
Have a bad memory? Be creative. I have a really hard time memorizing my passwords, so I write them down using my own, fairly convoluted secret system. You can create a whole new alphabet to write your passwords in it. Or, you could write them down in a mangled form. Be creative, come up with a way to outplay someone who might steal your password book. It's a nice game to play.
When you have control over your secret data, it gives you power. Think twice before you trust new shiny ideas that would take the control and power from you when they really gain traction.
So you have a lot of accounts, and you don't want to reuse passwords, and creating new passwords is a headache, and you realy don't want to memorize them all. What to do? Following is just a suggestion, not a panacea.
Do you have a favorite number? Let's say that, for some reason, you really like number 6820 (you can't deny this one _is_ lovely). If you have a number, you can reverse it, too, to get 0286. Also, you could cut the first digit, ending up with 820. Or cut two digits, ending up with 20.
These variations of your favorite number can be easily uncoded:
6 = 6820
8 = 820
2 = 20
0 = 0286
While writing down your passwords that make use of your favorite number, just use a shorthand. Whoever sees "6sunnyday0" in your password book will have a really hard time figuring out that it actually stands for "6820sunnyday0286".
You can encode words, too. Come up with your own little dictionary of easily memorizable words. You could have:
s = sunny day
r = rainy night
b = beautiful morning
q = quiet evening
Does it make sense? With this, your "6820sunnyday0286" collapses into just "6s0". Have fun figuring _this_ our, hacka.
You can have all kinds of variations here. You could also have several favorite numbers and a longer dictionary. Just make sure that all of your encodings are reversible. Storing a dictionary of funny phrases in your memory is much easier than storing passwords in your memory one by one. So, whenever a particularily nasty website asks for a password with a Capital letter, a number, and a symbol, just feed this to the site:
"0286Rainynight!820"
and write down this in your password book:
"0R!8"
It's even better if you use Korean alphabet, Chinese numbers, or your own writing system.
Security by obscurity, you say? Well, not exactly. The _actual_ secret information is not written down. It's in your memory. What you write down is merely a kind of password hints, from which you can restore passwords in a breeze.
This system never has betrayed me and, I'm pretty sure, never will.