[Cryptography] Cost of remembering a password

Michael Kjörling michael at kjorling.se
Sat Aug 16 07:38:49 EDT 2014


On 15 Aug 2014 20:18 -0400, from phill at hallambaker.com (Phillip Hallam-Baker):
> So what would be an appropriate price in an application or Web site
> design for requiring the user to remember a password? I am thinking at
> least $25 and double that if the user has to append '1', '!' or '1!'
> to pass the lame 'strength' tests people still insist on.

Why should there have to be a marginal cost for remembering 'another'
password in the first place?

Off the top of my head, there are four or five passwords (which serve
as anything much more than signposts) that I actually _remember_. Two
are system login passwords where resorting to a password manager is
not practical; one is the passphrase to unlock the password manager's
database.

It's nigh impossible to come up with passwords of high enough entropy
to withstand an offline attack, _especially_ within the limitations
sometimes enforced (maximum length, allowed character set, ...). And
that doesn't even touch on trying to remember any significant number
of such passwords. XKCD style (done right), Diceware and so on can
help generate quite secure passphrases, but you still have to remember
not just that one (or many) passphrase(s), but also _where to use each
one_.

Given how many people end up with passwords like "password1",
"12345678" and so on, I think it isn't as much _passwords_ that need
to be dealt with as password manager integration. All major web
browsers for example have the ability to locally store passwords used
(whether or not it's secure is a different matter and also depends a
lot on the user's chosen master password/passphrase), but what is
lacking is a _user friendly_, fully integrated, enabled by default
means to automatically generate and store secure passwords, and with
today's proliferation of different types of devices share passwords
between e.g. a desktop computer, a smartphone and a tablet.

Then, ideally, when I view a sign-up form that asks for a password,
the password field would have some sort of visible indication next to
it that allows me to automatically generate and store a secure
password for that particular web site. If there is no obvious
connection between the sign-up and login forms, in the login form I'd
be able to pick something along the lines of "for this site
(login.example.com), use the credentials previously used on
signup.example.com", perhaps offering by default the FQDNs for which
there are stored passwords which fall under the same second-level
domain (with handling of those top-level domains which use an
intermediate label to separate types of sites, as is the case for e.g.
.uk, .nz, and a handful of others).

A login form that currently looks like (Unicode and monospace font
needed for these mockups to look reasonable):

    Username: [my-username          ]
    Password: [•••••••••••••••      ]
              [ ✔ Sign in ]

could thus look a bit like the following, with the menu expanded:

    Username: [my-username          ]
    Password: [•••••••••••••••      ][⚙]
              [ ✔ Sign in ]            ⬉
                                       | Use the password from signup.example.com |
                                       | Use the password from www.example.com    |
                                       |------------------------------------------|
                                       | Select among stored passwords...         |
                                       | Generate a new password...               |
                                       | Forget password on login.example.com...  |
                                       `------------------------------------------'

If that could be solved in a way that makes it easy to use even for
novices, and perhaps even allowing integration with an external
password manager for advanced users, I think we would already be _far_
along the way toward at least encouraging people to use _different_
passwords everywhere. And that, in itself, besides not requiring a
total revamp of lots of sites' authentication logic, would be a huge
win in practice.

-- 
Michael Kjörling • https://michael.kjorling.se • michael at kjorling.se
OpenPGP B501AC6429EF4514 https://michael.kjorling.se/public-keys/pgp
                 “People who think they know everything really annoy
                 those of us who know we don’t.” (Bjarne Stroustrup)
