TECHNOLOGY REVIEW, March 2005
Today’s password schemes are unworkable and offer little security for users.
BY MICHAEL SCHRAGE
PokeKey1...ou81 2$...twasbri11ig!. All were favorite passwords of mine long ago. The first is the name of the puppy I briefly had as a child. The second was shamelessly lifted from a Van Halen album cover. The third, you’ll recall, opens Jabberwocky. I must have typed each one hundreds of times. Looking back, I feel like an idiot for believing my wittily “unguessable” passwords enhanced my security in any meaningful way. Password protection is pervasive, annoying, inconvenient, and does little to deter anyone intent on doing harm. But you can’t gain legitimate access to many services without it.
Yahoo Mail registration, for example, has come a long way from being an open invitation to spammers and spoofers. Who would argue that its automated “ID/password” reminders are not a boon for the lazy and aphasic among us? But Yahoo’s relentless reliance on password protection is a security patch that feels more like a challenge to evildoers than a serious deterrent. And Yahoo Mail is among the better ones in a pretty bad lot.
Today’s password authentication schemes are little more than security placebos. They perversely inspire abuse, misuse, and criminal mischief by deliberately making users the weakest link in the security chain. Greater teleprocessing power has made stealing or cracking password sequences ever faster, better, and cheaper. Security guru Mark Seiden observes that many hack attacks have nothing to do with how “strong” a target password is, because these attacks rely on brute-force discovery of alphanumeric sequences. “The bad guys are really attacking your keyboard,” he says. That security system administrators make users jump repeatedly through digital hoops to defend the “integrity” of our four- to 12-character sequences falls somewhere between insult and joke.
If a company wanted to design a security system that made a mockery of everything we know about human behavior, cognitive psychology, and cryptographic analysis, it would come up with our contemporary bit-based babel of passwords. As authentication expert Richard E. Smith has observed, the logical conclusion of most “strong password” policies—don’t use names of family members or pets; don’t use birthdays or calendar dates; use randomized sequences of special characters; don’t use your password for more than one or two sites; change your passwords several times a year; don’t put your password(s) in your PDA or cell phone—is that passwords should be impossible to remember and should never be written down.
Somehow, the world’s ATM banking systems have managed to get by with a bare minimum of fraud for more than 20 years by relying upon only four-digit codes. So what do the banking geeks grasp about password management?
The obvious answer: the stronger and more complex the password scheme, the lazier and more technically incompetent the security system administrator. As Smith demonstrates in a series of keen analyses, the rise of plain-text “sniffer” technology combined with computationally enhanced processing power makes traditional password protection ever weaker and more fragile.
So why are we demanding that millions of people spend more and more time and memory on a security procedure that yields less and less protection? The world doesn’t need “better” or “more secure” passwords; it needs to wean itself from passwords and PINs as the medium of authentication. We’d be far more secure with more layered approaches to authentication—“suspicion engines” on the lookout for deviant behaviors—and more subtle yet persistent ways of tracking and challenging online identities.
The global silliness of the password mentality was beautifully highlighted in a survey conducted last year that found 70 percent of those asked said they would reveal their computer passwords for a bar of chocolate. Sweet. A third of those surveyed volunteered their passwords to interviewers without being offered a bribe. Yet another survey discovered that fully 79 percent of people questioned on the streets of London revealed such desirable security-sensitive data as mother’s maiden name and birth date. “We are amazed at the level of ignorance from consumers on the need to protect their online identity,” sniffed a spokesman for RSA, the pioneering encryption firm that sponsored the research.
Actually, I’m amazed by the laziness of global enterprises that make their users primarily responsible for the security and integrity of complex systems. If passwords are anywhere near as important to online authentication, identity, and security a decade hence as they are today, it will be the clearest possible signal that the virtual world has become an even more dangerous and volatile place for both transactions and interactions.
Michael Schrage is a researcher and consultant on innovations economics and the author of Serious Play (2000).
Passwords that don’t protect
Under Review: Password selection for Yahoo! Mail, etc.
MICHAEL KUPPERMAN