The Password Problem
Passwords are the most commonly used method of authentication. Until the pain caused by the fragility of using passwords exceeds the pain of replacing them with better systems, this will not change. While there are many issues with the way passwords are used today, the most serious are social, not technical problems:
- Many people select weak passwords.
- Many people reuse those weak passwords in different security contexts.
- Many system administrators, designers, and application programmers are unaware of or simply choose not to follow known best practices for protecting passwords.
The combination of these factors exposes the security of the systems protected by passwords to catastrophic failures.
Alice chooses a weak password ("monkey10") to authenticate her access to The Primate Forum. To her, the consequences of someone impersonating her are low -- she really doesn't care if someone makes a monkey out of her. In fact she also uses this same password for Twitter and Facebook.
Bob (a.k.a. Dr. Do Much), however, takes The Primate Forum very seriously. His professional reputation could suffer if someone impersonated him. So he chooses a very-hard-to-guess password, "you#can!t@make1MONKeyOFme:TPF". To construct this password he followed all of the [advice of the password experts](Selecting a Good Password). He even changes it slightly for each site he visits. His Bank of America password, for example, is "you#can!t@make1MONKeyOFme:BofA". These passwords are for the sites that he considers high-value.
Unfortunately, [Ishmael](https://en.wikipedia.org/wiki/Ishmael_(novel%29), the administrator of The Primate Forum, is more skilled in philosophy than in cryptography. He doesn't know that you should never store plaintext passwords on a server. He also doesn't know you should rate-limit failed login attempts. He can't understand why humans treat each other so poorly, especially since they consider themselves the "superior species".
Eve randomly tries a few passwords on The Primate Forum, and after only eleven attempts, breaks into Alice's account. She soon learns Alice's Facebook and Twitter usernames, and spends the next few hours monkeying with Alice's friends.
When she gets bored with that she jumps on IRC and finds a nice exploit for the software that Ishmael is using on the forum, and soon has the password list. She is delighted to discover that it is only base64 encoded instead of salted and hashed. She is about to share the list with her friends on IRC when she spots Bob's password and realizes that he takes his monkey business seriously. She snips Bob out for herself and posts the rest of the list.
After a bit of poking around, she is reading email sent to drdomuch@yahoo.com ("Y!:you#can!t@make1MONKeyOFme") and discovers that he is a Bank of America customer. BofA accepts the easily guessed password, but requires two-factor authentication because Eve's browser doesn't have the special cookie. No problem: send the verification code to my Yahoo email. Done. Now, what should she do with all of that money? Open an account on mtGox and buy some BitCoin. How else would Dr. Do Much get money to the primate rights activists in Africa?
Eve still could have hacked The Primate Forum without Alice's easy password, but if Ishmael had stored hashed passwords, Eve would have needed to use a dictionary attack to find monkey10, and she wouldn't have learned Bob's password before the heat death of the universe. If Bob had been using a password manager and unique random passwords for each site, instead of an ad hoc padding trick, Eve would never have gotten into his bank account even though Ishmael didn't know the difference between SHA-1 and Base64.
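As an added illustration (not code from the original page), here is a Python sketch contrasting Ishmael's base64 "storage" with the salted, slow hashing and failed-login rate limiting the story says he should have used. The iteration count, the stored-string format, the throttle thresholds and the `login` helper are assumptions chosen for the example.

```python
import base64, hashlib, hmac, os, time

# Assumption: iteration count tuned to the forum server's CPU budget; raise it in production.
PBKDF2_ROUNDS = 100_000

def base64_store(password: str) -> str:
    """What The Primate Forum did: encoding, not hashing. Anyone holding the list reverses it."""
    return base64.b64encode(password.encode()).decode()

def base64_recover(stored: str) -> str:
    return base64.b64decode(stored).decode()

def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted, slow hash: the stored string no longer reveals the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    _algo, rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)  # constant-time comparison

class LoginThrottle:
    """Refuse further attempts once an account has max_failures failures inside window seconds."""
    def __init__(self, max_failures: int = 5, window: float = 300.0, clock=time.monotonic):
        self.max_failures, self.window, self.clock = max_failures, window, clock
        self.failures: dict[str, list[float]] = {}

    def _recent(self, user: str) -> list[float]:
        cutoff = self.clock() - self.window
        self.failures[user] = [t for t in self.failures.get(user, []) if t > cutoff]
        return self.failures[user]

    def allowed(self, user: str) -> bool:
        return len(self._recent(user)) < self.max_failures

    def record_failure(self, user: str) -> None:
        self._recent(user).append(self.clock())

def login(db: dict[str, str], throttle: LoginThrottle, user: str, password: str) -> bool:
    """True only when the account is not locked out and the password verifies."""
    if not throttle.allowed(user):
        return False
    stored = db.get(user)
    ok = stored is not None and verify_password(password, stored)
    if not ok:
        throttle.record_failure(user)
    return ok
```

With hashing in place, Eve's stolen list gives her only salts and digests, and the throttle ends her eleven-guess run at Alice's account well before it succeeds.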
So we end with a perfect storm, and a perfect failure of the security system. While attempting technical solutions to social problems is frustrating at best, we can educate users about [best practices](Best Practices) and design user interfaces to support users in following them.