NNSquad - Network Neutrality Squad


[ NNSquad ] The Fearless Password Killers, or Pardon Me, But Your Teeth Are in My Data

                       http://lauren.vortex.com/archive/001036.html


A few days ago -- in "Die Passwords! Die!" -- I suggested that the
venerable password, despite the addition of extremely useful
techniques such as multiple-factor authentication and other
extensions, is coming to the end of its usefulness in our 21st century
computing and communications environments, and I discussed some
possible evolutionary authentication regimes that seem likely to
ultimately replace passwords in many venues ( http://j.mp/12UcOaR [Lauren's Blog] ).

Most of the reaction was quite positive, but there definitely are
dissenters within my inbox as well, largely paraphrasing Mark Twain
from 1897, to the tune that "The report of the death of passwords is
an exaggeration."

This conveniently permits me to wring some additional mileage out of the
implicit horror movie motif of "Die Passwords! Die" -- and I'm not
letting that opportunity pass by unrealized to its full potential.

We need only look to the stereotypical vampire film for inspiration.

Our heroes "the vampire killers" arrive in a small village.  Usually
there's a leader who has some sort of honorific prepending their name,
like Professor Abronsius, Captain Kronos, or Dr. Van Helsing.  The
remainder of the crew are usually essentially the flunkies who sharpen
the wooden stakes.

Despite the often horrific attacks visited on the townspeople at
intervals by the local vampire or vampires, the residents may simply
want the vampire hunting visitors to just go away, leave well enough
alone.  They've learned to live with the vampires -- deploy plenty of
garlic and an occasional sacrificed virgin -- and fear any "tampering"
will just make matters even worse.

To compare the "password protectors" with these terrified villagers is
tempting but not entirely fair, since there are indeed arguments to be
made in favor of preserving at least the outlines of our existing
password system, though I personally don't feel that those arguments
on balance win the day.

It's suggested that hardware-based systems could isolate
password-related data in a way rendering it at least theoretically
invulnerable to the sort of password hash file breaches that have now
become all too common.  But buying and installing new specialized
hardware like this seems like a non-starter for most environments,
both from cost and an array of logistical standpoints.

We're urged to find ways to get users to pick longer passwords and
more random passwords.  We're told we must convince them not to share
passwords in ways that would allow a failure at a weak site to
compromise authentication at a stronger unaffiliated site.  We're
reminded again about multiple-factor authentication, key management
tools, one-time password systems, and other purported silver bullets.

And indeed, all of these methodologies -- to one extent or another in
different sorts of consumer and enterprise environments -- can
definitely make a big difference toward improving authentication
security -- if designed properly, if implemented appropriately, if
deployed correctly, and if used responsibly and diligently by
consumers.  That's a whole bunch of "ifs" to deal with.

But it's still all ultimately a holding action.  You may be able to
momentarily stall your friendly neighborhood vampire by holding a
crucifix in front of their face, but you can't keep up that pose
indefinitely, and vampires can be remarkably patient in such
situations -- they usually have more time than you do.

I understand why many persons have concerns about "federated"
authentication systems, biometric or other personal identifiers, and
various combinations and permutations of these concepts.

And as I've acknowledged, doing these systems right -- in ways that
provide appropriate compartmentalization and granularity of access to
authentication credentials -- is an extremely complex task from both
policy and technical standpoints.  Yes, there are lots of "ifs" here
as well.

But there is a big difference with these non-password techniques, and
while I don't want to sound condescending about this, the truth is
that if we depend on most non-techie, busy users to voluntarily manage
their password environments correctly in the long-term, we are
actually doing them a grave disservice.

It's easy for techies (perhaps like you, certainly like me) to forget
that most users don't have the time or the inclination to be worrying
about authentication details -- until something goes wrong, and panic
sets in.  It's not the techies I'm worried about -- we'll manage one
way or another -- but it's the consumers who don't want to have to be
security experts just to access their mail or bank accounts.  The more
complicated the demands we make of them -- choose the right 
passwords -- use the correct key management tools -- do this -- don't 
do that -- the less likely that we're going to see good outcomes overall.

In the final analysis, this is why I feel that passwords have seen
their day, why we must be moving on and finding our way to better
solutions, albeit requiring a lot of deep thinking and hard work on
our parts.

You can try to live with vampires, and you may manage it for a while --
but in the long run it's going to be either them -- or you.

I strongly believe that we have the technological capabilities to
solve authentication problems in ways that will be better for
consumers and everyone else involved, without leaning on password
models that are increasingly problematic.

We know how to solve such problems, if we set our minds to it -- it's
very much part and parcel of what we do best.

In other words, it's -- wait for it -- in our blood.

--Lauren--
Lauren Weinstein (lauren@vortex.com): http://www.vortex.com/lauren 
Co-Founder: People For Internet Responsibility: http://www.pfir.org/pfir-info
Founder:
 - Network Neutrality Squad: http://www.nnsquad.org 
 - PRIVACY Forum: http://www.vortex.com/privacy-info
 - Data Wisdom Explorers League: http://www.dwel.org
 - Global Coalition for Transparent Internet Performance: http://www.gctip.org
Member: ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com
Google+: http://vortex.com/g+lauren / Twitter: http://vortex.com/t-lauren 
Tel: +1 (818) 225-2800 / Skype: vortex.com
_______________________________________________
nnsquad mailing list
http://lists.nnsquad.org/mailman/listinfo/nnsquad