Password: Impossible


Aviram had a post on how he thinks password complexity rules are a bad thing. To a degree, I agree with the post - the more complex you make password requirements, the more likely your users are to try to find some way to subvert that requirement (like Aviram did - change your password a bunch of times so that you can go back to the original).

Unfortunately, however, passwords are a core part of application security. Until two-factor systems become convenient for the user and cost-effective for the provider, password complexity rules are a fact of life. Right now, if a user wants to use two factor authentication, they're left carrying (or hooking up a webcam to) several RSA tokens, carrying a card in their wallet, and ensuring their cellphone is always on. Now, I like the idea of using SMS as a two factor verification as the odds of me losing my phone and my wallet (which has all my passwords) at the same time is pretty slim.

So, how I really feel about password requirements is that I do like them. For the time being, if all sites used really low-threshold password requirements, it allows users to reuse passwords. So what if an attacker can't brute force their way into your bank account? Do you use that password on some other system? If that site doesn't enforce a lockout or a change policy, then how likely is it that the attacker is going to be able to find out that you use that other system? Do you use the same identity on multiple systems?

So what is a user to do? For the typical user, I honestly don't know. I use a password safe with about a hundred entries in it. That password safe is on an SD/USB device I keep in my wallet. It's encrypted using AES, and a really long passphrase. I'm down to a very small number of passwords that I actually remember and know anymore. But it's a major inconvenience for anybody who's using passwords all day every day on different systems. To really protect your passwords, your safe needs to have a long passphrase and a short lock timeout. And that doesn't mean that attackers can't get the passwords from the clipboard or submitted forms. For an ordinary user, the first response is probably "why bother?"

Keychain is getting close to the level of system integration that makes it easy for users to use. However, not everything on Mac uses Keychain. 1Password adds quite a bit of functionality to extend the ease of use. But that's still mac only. On Windows, there's KeePass, which has some nice system integration and some additional features (like TAN's) that make it really nice. And since it's open source, there are alternatives for Mac, Linux, and mobile devices.

But I still don't think that gets the reach to all users the way it needs. Remembering to back up my password safe is a pain - I need to back it up at a few locations in the event that I lose my device, and I won't put it on the web where it becomes available for anybody else to download and bang on forever until they unlock it. I would have to protect the download with a really strong password, but then where am I going to keep that password?

And regarding the 90 day change policy - that is a good thing. Once an account is compromised, it could be months before it's actually used because, particularly with financial accounts (credit cards, online bank accounts, etc.), they tend to be sold in lots on the open market. The person who compromised the account is highly unlikely to be the one to ultimately gain from the account compromise - it's just an asset to be sold to the highest bidder.