[Cryptography] Passwords: Perfect, except for being Flawed

Kent Borg kentborg at borg.org
Wed Feb 18 11:50:12 EST 2015


In responses I have seen so far, all the alternate proposals are complex 
and centralized. Some don't scale well or are walled-garden only. And 
all require that complex systems be implemented carefully and run 
competently. All require that lots of other stuff work right and lots of 
humans do their jobs well. Maybe Apple Pay can do it, maybe. I believe 
RSA once did a good job, but with changing ownership and management, 
they became incompetent and all their token seeds were stolen. And 
anything that claims to be "universal" (U2F) looks both overambitious 
and a juicy target, and temporary. (USB? How many more years before this 
"universal" standard expires and legacy devices are abandoned?)

Passwords, however, are simple. Yes, they depend on lots of people 
understanding what they are doing and being careful, but their design 
does not introduce immense complexity.

In our culture we have spent a lot of effort over the centuries trying 
to teach our kids not to take candy from a stranger. Times have changed, 
and we have fallen badly behind in dealing with new fraud opportunities 
offered by technology. As in ages past, humans functioning in the 
thick of the system are still part of the security of that system, and 
therefore they still need to be taught to be savvy.

Though we can always engineer a more terrible system that encourages 
users to behave more stupidly, the badly designed system is not the only 
foe here; there are bad guys out there who are also trying to get users 
to do stupid things, and we will never engineer a solution to that. The 
human users have to participate in the system security and not behave 
like naive children.

Phishing is the big worry people trot out. But phishing is really just 
recognizing who is the stranger whom you should not trust. We are at a 
really infantile level here: don't take candy from a stranger! Do we 
really think a better fob system is going to fix that? God, what a ripe 
time to be a crook.

Technological solutions alone are certainly going to make some folks a 
lot of money: over and over again, because it isn't going to work the 
first time, nor the next time...and repeat. As long as users who are 
part of the system keep behaving stupidly, we are going to be doomed. 
Yes, as long as we build terrible systems we are also doomed; I know 
users and systems will never be perfect, but each has to at least try, 
try a little! Saying users will be stupid and moving on is like saying 
our 3-year-old drivers don't know they should drive on the proper side 
of the road--hell these baby drivers don't really understand the 
steering wheel--so build better airbags!*

* Driverless cars, I hear you say. Fine. Steal my metaphor. Except we 
don't expect a lot of people trying to sabotage our driverless cars. 
Instead we have active and clever foes here.

My realization is that we blame passwords for things that have nothing 
to do with passwords' faults, and we propose solutions that require far 
bigger systems be built, and run flawlessly--and won't fix things.

Passwords themselves have some really nice properties. Indeed, they only 
work for responsible and disciplined adults (which in computer security 
terms, circa 2015, are vanishingly few), but the alternatives are not 
only wildly more complex, they will also keep blowing up in our faces if 
we think we can engineer around infantile users given both power and 
autonomy.

Vast numbers of our population know amazing amounts of minutiae about 
their favorite spectator sports, but we think we can run a computerized 
world with them knowing nothing about how to spot phishing scams. 
Instead we are going to engineer our way out of it. Sure.

What can engineers do about it? Quit saying we mustn't write down our 
passwords. Quit making us change our passwords on a 90-day schedule. And 
quit overselling engineered solutions.

-kb