We use passwords all the time. Sometimes they're called "PINs" or "access codes" or "lock combinations" but they amount to the same thing, a sequence of symbols that must be provided in order to get access to something. Passwords have one big advantage: ease of use. But this comes with several disadvantages.
- People have to use passwords in many places--I have passwords on more than 100 web sites--and studies show that most people have a few passwords that they re-use across different sites. So an adversary who gets access to one password can potentially access many accounts.
- Passwords are subject to replay attacks: an adversary who sees your password once, perhaps by looking over your shoulder as you type it or eavesdropping on the network as your password goes by, can replay the password later. (More secure approaches use a cryptographic trick called a zero-knowledge proof, in which you can prove that you know a secret value but without revealing the secret to an eavesdropper.)
- People have a hard time picking good passwords. A good password is supposed to be easy for you to remember but very, very difficult for an adversary to guess. The best password is a truly random string, but those are too hard to remember, so we tend to build patterns into our passwords, which make them easier to guess. And brute force password-guessing gets easier every year because computers get faster.
- People tend to forget their passwords, and the resulting password-recovery or -reset procedures can be trouble-prone. (During the 2008 presidential campaign, Sarah Palin's email account was compromised via the password recovery mechanism.)
The drawbacks of passwords have been evident for a long time, and security experts have been looking for something better. There are plenty of more secure alternatives, but they have had trouble getting adopted, partly because passwords are familiar and easy to use, and partly because competing technologies have failed to get critical mass.
A recent study compared passwords against "two decades of proposals to replace text passwords," grading each system on twenty-five factors, and found that although many of the alternatives beat passwords on some factors, every one loses to passwords on other factors. In other words, there is no alternative out there that beats passwords hands down. The best system will depend on your circumstances.
Despite the lack (so far) of a great leap forward, we are seeing more modest innovations start to get traction. One example is two-factor authentication, which augments your password with another layer of checking. It is now supported by companies such as Google (which calls it 2-Step Verification) and Facebook (which calls it Login Approvals). These systems notice when you log in from a computer or device that you haven't used lately, and they respond by requiring you to enter a secret code you get from your mobile phone. The code comes either from a special app or from a text message that the company sends you. Other two-factor systems rely on a little fob that displays ever-changing numbers, or on biometrics such as a fingerprint. I recommend using two-factor authentication where it is available.
Last year the White House released its National Strategy for Trusted Identities in Cyberspace (NSTIC, pronounced "EN-stick"), which described what a better online authentication system would look like, and laid out a strategy for government to facilitate the creation by industry of such a system. Now NIST is working to execute that strategy. I'm hoping that industry, with appropriate encouragement from government, will step up and keep improving authentication practices.
Until that happens, we'll have to keep muddling through with passwords.
[Bonus password-related trivia question: Fill in the blank in this line from the Marx Brothers movie Horse Feathers, spoken by a character called Baravelli (played by Chico): "Hey, what's-a matter, you no understand English? You can't come in here unless you say _____. Now I'll give you one more guess." This one-word password has been used in many books and movies.]
Original comments for “The problem with passwords.”
May 31, 2012 at 12:53 am
As always xkcd has something relevant to add here:
The author’s views are his or her own, and do not necessarily represent the views of the Commission or any Commissioner.