[Cryptography] Passwords: Perfect, except for being Flawed
Kent Borg
kentborg at borg.org
Wed Feb 18 11:50:12 EST 2015
In responses I have seen so far, all the alternate proposals are complex
and centralized. Some don't scale well or are walled-garden only. And
all require that complex systems be implemented carefully and run
competently. All require that lots of other stuff work right and lots of
humans do their jobs well. Maybe Apple Pay can do it, maybe. I believe
RSA once did a good job, but with changing ownership and management,
they became incompetent and all their token seeds were stolen. And
anything that claims to be "universal" (U2F) looks both overambitious
and a juicy target, and temporary. (USB? How many more years before this
"universal" standard expires and legacy devices are abandoned?)
Passwords, however, are simple. Yes, they depend on lots of people
understanding what they are doing and being careful, but their design
does not introduce immense complexity.
In our culture we have spent a lot of effort over the centuries trying
to teach our kids not to take candy from a stranger. Times have changed,
and we have fallen badly behind in dealing with new fraud opportunities
offered by technology. As in ages past, humans functioning in the
thick of the system are still part of the security of that system, and
therefore they still need to be taught to be savvy.
Though we can always engineer a more terrible system that encourages
users to behave more stupidly, the badly designed system is not the only
foe here; there are bad guys out there who are also trying to get users
to do stupid things, and we will never engineer a solution to that. The
human users have to participate in the system security and not behave
like naive children.
Phishing is the big worry people trot out. But phishing is really just
recognizing who is the stranger whom you should not trust. We are at a
really infantile level here: don't take candy from a stranger! Do we
really think a better fob system is going to fix that? God, what a ripe
time to be a crook.
Technological solutions alone are certainly going to make some folks a
lot of money: over and over again, because it isn't going to work the
first time, nor the next time...and repeat. As long as users who are
part of the system keep behaving stupidly, we are going to be doomed.
Yes, as long as we build terrible systems we are also doomed; I know
users and systems will never be perfect, but each has to at least try,
try a little! Saying users will be stupid and moving on is like saying
our 3-year-old drivers don't know they should drive on the proper side
of the road--hell these baby drivers don't really understand the
steering wheel--so build better airbags!*
* Driverless cars, I hear you say. Fine. Steal my metaphor. Except we
don't expect a lot of people trying to sabotage our driverless cars.
Instead we have active and clever foes here.
My realization is that we blame passwords for things that have nothing
to do with passwords' faults, and we propose solutions that require far
bigger systems be built, and run flawlessly--and won't fix things.
Passwords themselves have some really nice properties. Indeed, they only
work for responsible and disciplined adults (which in computer security
terms, circa 2015, are vanishingly few), but the alternatives are not
only wildly more complex, they will also keep blowing up in our faces if
we think we can engineer around infantile users given both power and
autonomy.
Vast numbers of our population know amazing amounts of minutiae about
their favorite spectator sports, but we think we can run a computerized
world with them knowing nothing about how to spot phishing scams.
Instead we are going to engineer our way out of it. Sure.
What can engineers do about it? Quit saying we mustn't write down our
passwords. Quit making us change our passwords on a 90-day schedule. And
quit overselling engineered solutions.
-kb