Passwords are Not Obsolete

I’m not a security researcher, so I always feel a little silly writing or talking about it. I try to keep up-to-date on security protocols and encryption algorithms, at least at a high level. But I’m not a security guru: I don’t write exploits, I don’t reverse-engineer protocols and analyze the feasibility of their security, I don’t design whole cryptosystems like PKI. But I do understand all these things, and I’m confident that I could get into any of these activities if I wanted to spend a few years getting up to speed.

This morning, I was really happy to see someone post a link to a blog post entitled “Passwords are Obsolete.” I always get excited when I read titles like this. Since I’m not big in the security field, I don’t know everyone’s name – so I come into these articles assuming that the author knows what they are talking about. How naïve of me.

To be clear, I agree: passwords do suck. They’re not a solution to the problem they try to solve. Good passwords are notoriously difficult to remember. The best passwords would be indistinguishable from random data, but these would be extremely difficult to input into a computer. So instead, we are suggested to make them long since our random distribution repeats only about 94 numbers in the best case. In some cases, we’re limited to a set of 62 - 70 numbers.

And yes, I understand that the combinatorics of a 20 character password over a set of 94 numbers is insane to break right now. It’s just, I remember when using John the Ripper to brute force 6 character DES+salt passwords from a world-readable /etc/passwd took days. This won’t last.

And even if it did, brute forcing passwords is unnecessary. People are woefully cavalier with their passwords. I turn my head out of courtesy when friends and colleagues input passwords. But I’m dismayed when friends and family give me their passwords. I’m frustrated when the password of the lady named Amelia sitting next to me on the plane is “Amelia20!!” I’d like to assume that people keep different passwords for different services, but I’m friends with enough non-technical people to know that nobody actually does this.

What is the point of implementing a security system that nobody takes seriously? Passwords are still effective because the majority of the planet does not understand how they work. People implementing systems that store passwords are still storing password hashes instead of using bcrypt. People still recommend salted hashes instead of bcrypt – the target audience for this one likely doesn’t understand that it’s a problem that they are accepting the password over a plaintext protocol.

Hell, people implementing security systems are still oblivious to the idea that it is asinine that a third party is responsible for deriving authentication credentials from a plaintext I supplied them. SRP is a wonderful protocol, but its suggestion for host password storage infuriates me. From the SRP design document:

The host stores passwords using the following formula:
    x = H(s, p)               (s is chosen randomly)
    v = g^x                   (computes password verifier)

In this case, s is the salt, p is the password plaintext, and g is some generator – a large number chosen by the host. Why does the host ever need to see p? They only end up storing my username and the values s and v. That third parties ever need to see p at all is a big reason for security problems.

But I digress.

This “Passwords are Obsolete” article fails because it doesn’t actually propose a reasonable solution. The takeaway from the article is that we should be using email or SMS verification instead. This is insufficient because it proposes no security changes around authenticating to email or SMS services. Ostensibly, one would still use a password for them, otherwise you recurse. In the other case, the author is suggesting that physical safety is secure. I have to shake my head and disagree here, because the author is falling into the trap that people who choose insecure passwords is: he doesn’t understand the security of the system, so he assumes that it is secure.

GSM and CDMA are woefully broken. Device security is a joke. Every app I install needs access to basically everything on the phone. Device locks consist of patterns or 4 to 6 digit PINs on a screen that is pretty obviously oiled with fingerprints.

If email isn’t authenticated with a password, you get to design a new email protocol that nobody is going to use. So you’re still stuck with passwords.

So, no. Nobody is going to replace passwords with this.

If the author meant that we should be using one-time passwords, I agree. Except they’re only great as long as the generator is secret. Once that cat’s out of the bag, you’re in the same situation as we are now: everyone needs to change their generator to your new one. It’s nice because people get locked out until they upgrade. But what if Mallory is part of your upgrade process?

Security is a joke. Until we have an actual mathematical basis for identity approximation and until our developers understand how to properly implement secure systems, if you’re concerned about the safety and privacy of your data, the best place to keep it is in your head.