
Time for a rant about passwords

By Jay Heiser | May 13, 2011 | 0 Comments


How much mental anguish is the result of ignorant accounting grads working for Big 4s, struggling to find SOX-relevancy, totally oblivious to the huge amount of HCI research that has been done on the topic of passwords, so ignorant of the history of computer security that they don’t recognize they are demanding the use of pre-network, pre-malware controls that were developed by mathematicians who completely ignored human factors? Password aging policies ensure the inevitability of a huge volume of unmemorizable passwords. I can’t tell you how secure electronic password wallets are, but I promise you that forbidding their use virtually ensures that Post-Its will be used instead.

There is no area of computer security in which both the technical and human-computer interface (HCI) issues have been as thoroughly addressed as in password-based authentication, so why does the care and feeding of passwords continue to be a huge area of controversy? If passwords were already a security concern back in the day when we had so few that we could actually hope to remember them, how much more of a concern are they in this era of proliferating corporate and Internet systems?

Password-based authentication is the original computer science security mechanism, dating back 5 decades. The methodical approach to protecting passwords from misuse dates to a Cold War infosec artifact produced by the US Federal Government during the 80s and 90s. Colloquially referred to as The Rainbow Series because of its colorful book covers, it is something anyone seriously involved in digital security owes it to themselves to spend some time exploring, or at least the more prominent books, which tend to have recognizable colors (as the program went on, both the topics and the cover colors became more obscure).

April 1985 saw the release of the second in the series, The Green Book, also known as CSC-STD-002-85, or the DoD Password Management Guideline. This 8,800-word document not only attempts to answer the question ‘how long should a password be,’ but also addresses complexity and aging. Published several years after the movie War Games, the guidelines are based on the assumption that the threat consists of password-guessing attempts through directly-connected terminals and, presumably, modems. In a pre-Internet world it might be ungenerous to accuse the authors of ignoring human factors, but by that time security inspectors had already learned to begin their audit by looking under the keyboard.

The Green Book is filled with relics of a time when relatively few people knew what email was, let alone had an account, long before Tucows had supplanted Simtel20.arpa: “During transmission of a password from a user’s terminal to the computer in which the authentication is done, passwords should be protected in a manner that is consistent with the damage that could be caused by their compromise. Since passwords are no more sensitive than the data they provide access to, there is generally no reason to protect them, during transmission, to any greater degree (e.g., encryption) than regular data is protected.” Within a few years, Arpanet would be gone, and hostile sniffers would be routinely slurping unencrypted passwords during transmission.

By August 2000, 15 years after publication of the Green Book, UBS customers would be threatened by a virus that apparently tried to capture their PINs from their home PCs. While this attack was not successful, it was only a matter of time before effective password-sniffing malware became routine. It would be difficult to say whether more damage is caused by password guessing or by password slurping, but as the momentum has been shifting towards the latter for 20 years, the relative benefit of password complexity and aging has been decreasing. Meanwhile, the negative side of forcing users 2-4 times a year to come up with a new password that cannot be immediately memorized, the Post-It attack, remains a constant source of successful compromise.

If the cure of password management is not already worse than the disease of account compromise, then it will be within a few years. Suggestions that password aging is largely a waste of time, and that password complexity requirements are unknowingly based on an obsolete and impractical standard, are usually met with a chorus of boos from people who didn’t realize that Johnny can’t encrypt (never before have so few people benefited from so much research into human factors). Passwords are a necessary evil, and although a great deal could be done to reduce our reliance on them, they are a digital reality for the foreseeable future. Just don’t make the mistake of assuming that they are dramatically improved by inserting some bangs, splats, whacks and twaddles.
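To make the aging argument concrete: the Green Book relates password lifetime, attacker guess rate and password space through a single expression, P = L × R / S (the probability of a guess succeeding within the password's lifetime). The script below is an added example, not code from the post or from Gartner; it applies that relation to see how much a 180-day rotation cycle actually buys over never rotating at all, and how the required length changes when a lockout caps the guess rate. Every rate, lifetime and target probability in it is a constructed sample value, not a figure taken from the Green Book or from this post.

```python
"""Password lifetime vs. guessing, using the Green Book's own relation.

CSC-STD-002-85 (the Green Book) ties lifetime, guess rate and password
space together as

    P = L * R / S

P: probability that a password is guessed during its lifetime
L: maximum lifetime of the password (here: days)
R: guesses the attacker can make per unit time (here: per day)
S: size of the password space (alphabet_size ** length)

The rates, lifetimes and target probability used below are constructed
sample values, not figures from the Green Book or from the post.
"""


def password_space(alphabet_size: int, length: int) -> int:
    """S: number of distinct passwords of exactly this length."""
    return alphabet_size ** length


def guess_probability(lifetime_days: float, guesses_per_day: float, space: int) -> float:
    """P = L*R/S, capped at 1.0 once the whole space could be tried."""
    return min(1.0, lifetime_days * guesses_per_day / space)


def min_length(alphabet_size: int, lifetime_days: float,
               guesses_per_day: float, max_probability: float) -> int:
    """Smallest length whose space satisfies L*R/S <= P, i.e. S >= L*R/P."""
    required_space = lifetime_days * guesses_per_day / max_probability
    length = 1
    while password_space(alphabet_size, length) < required_space:
        length += 1
    return length


def max_lifetime_days(alphabet_size: int, length: int,
                      guesses_per_day: float, max_probability: float) -> float:
    """Longest lifetime that keeps P under the target: L = P*S/R."""
    return max_probability * password_space(alphabet_size, length) / guesses_per_day


def aging_table(guesses_per_day: float, max_probability: float) -> dict:
    """Minimum length per alphabet for a 180-day cycle versus a 10-year one.

    Returns {alphabet_size: (len_for_180_days, len_for_3650_days)}; the gap
    between the two numbers is all that forced rotation buys in this model.
    """
    return {
        size: (min_length(size, 180, guesses_per_day, max_probability),
               min_length(size, 3650, guesses_per_day, max_probability))
        for size in (26, 62, 95)   # lowercase / alphanumeric / printable ASCII
    }


if __name__ == "__main__":
    # Constructed assumptions: a modem-era attacker making one guess every
    # ~9 seconds (10,000 guesses/day) and a tolerated P of one in a million.
    R, P = 10_000, 1e-6
    for size, (short, long) in aging_table(R, P).items():
        print(f"alphabet {size:>2}: {short} chars for 180 days, {long} chars for 10 years")
    # How often the model says an 8-character password must be changed:
    print(f"8 lowercase chars: rotate every {max_lifetime_days(26, 8, R, P):.1f} days")
    print(f"8 printable chars: rotate every {max_lifetime_days(95, 8, R, P):.0f} days")
    # A lockout that caps an attacker at 10 guesses/day per account meets the
    # same target with a short password that never rotates:
    print(f"lockout, 10 guesses/day, 10 years: {min_length(26, 3650, 10, P)} lowercase chars")
```

Under these assumed numbers, stretching the lifetime from 180 days to ten years costs one extra character for a lowercase alphabet and nothing at all for the full printable set, while the model applied to an 8-character lowercase password demands rotation roughly every three weeks, which is exactly the kind of schedule that ends up on a Post-It. None of this arithmetic changes when the password is captured in transit or by malware: the formula only models guessing, which is the point of the post.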

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.
