I was talking with Kelly today about passwords, and how they are a fundamentally weak form of security. Supposedly, we are all meant to have different passwords for every site, so that one database being compromised by an external hacker or malicious insider won’t lead to our email and other sites being at risk. Also, we are supposed to use long and complex passwords with case-changes, numbers, punctuation, etc. (Think ‘e4!Xy59NoI2’) Together, these two requirements far exceed the capability of most human beings.
The real solution is to back up passwords with something else, so that they don’t need to be so strong. This is called two-factor authentication, and it could include something like a smart card that people carry and slot into computers along with a password so as to authenticate themselves. This is already used in cars. Inside the key or newer cars is a little chip with a radio antenna. When you try to use the key to start the car, a radio message is broadcast by the car. The chip detects it, does a bit of thinking to generate a response that authenticates the key, and re-broadcasts it. Using both the physical profile of the key and the radio challenge-response authentication system, attacks based on picking locks or freezing and cracking the cylinder inside them can be circumvented. The system obviously isn’t impossible to foil, but it is substantially more difficult in relation to the additional cost.
In the computer context, such two-factor authentication could take other forms: for instance, a little card that listens to a series of tones from an external source (over the phone, or from a computer), passes them through an algorithm and emits a series of tones in response to authenticate. This is just doing with audio what a smart card does with electricity. Ideally, the second factor would be like a credit card, in that you could have it cancelled and re-issued in the event that it is lost or stolen, immediately disabling the missing unit.
Until such a system emerges, it seems sensible to have tiers of passwords. I have two really weak passwords for things that I sometimes share with close friends. Then, I have a password for low-risk sites where there is no real harm that can come from my account being compromised. Then, I have a cascade of ever-stronger passwords. Something like LiveJournal has a pretty strong password, because it would be a pain if somebody took it over. The general vulnerabilities of passwords are:
- Someone could guess it (either manually or with a brute force attack)
- Someone could watch you type it in
- Someone could install a hardware or software keystroke logger on a machine where you enter it
- Someone could break into a database that contains it, then try using it on other sites you use
- Someone could extract it from a program on your computer that stores them in an insecure way (like Windows screen-saver passwords, which can be learned using a simple program)
Most of these require physical access to a machine that you use. I would guess that the most common of these is number four. Given that most people use the same password for everything, some underhanded employee at your ISP or webmail provider could probably grab it pretty easily, as well as information on other sites you use. (Hashing algorithms are one way this risk can be mitigated, on the server side, but that’s a discussion for another day).
At the top level, there are things that demand a really strong password: for instance, webmaster control accounts or anything connected to money. For these, I use random alphanumeric strings of the maximum permitted length, never re-using one and changing them every month or so.
Obviously, I cannot remember these for several banks and websites. As such, I write them down and guard them. I am much better at guarding little bits of paper than at remembering random strings of data. I regularly carry around little bits of paper worth tens of Pounds, and little bits of plastic worth thousands of Pounds, if only until disabled. Indeed, I have been guarding bits of paper for well over a decade.