Juha Saarinen: Password hell enough to drive you crackers
Thursday is the annual World Password Day, which will be celebrated by the collective groaning of hundreds of millions of computer users who just want to log in and not worry about difficult-to-remember passphrases.

Because that’s what you have to use: a phrase, not a secret word. Use a word and the one who shall pass is the hacker with a custom-built brute-force credential-cracking computer, stuffed with graphics card clusters that can issue hundreds of millions of guesses per second in parallel.

Passphrases are a good example of how taking something that worked fine for secret societies and applying it to computing has created an unwieldy nightmare for us.

Every year my inbox is carpet bombed with media releases from security vendors and government organisations about why I should use long complex passphrases with upper and lowercase letters, mixed with $^@%@ characters, a sprinkle of numbers and then spaces for extra aesthetic.

Said vendors and organisations then derisively point fingers at people who use “1password!” or “123password” instead, across multiple sites. They know this happens because of the ever-increasing number of data breaches that have leaked billions of user login credentials on the internet recently.

The problem with hard-to-guess passphrases like S,ws HAPj}JR V2′])P is of course that remembering one such login credential is difficult enough, but then you have to have different complicated ones for each and every site, device and service you use.

It really has to be different too, as your email address, which is your user name (yes, that’s another bad idea that doesn’t work well on the internet), is also in the above-mentioned data leaks. If the cracker-lacking hackers discover that you’ve re-used passwords for the same email address, it won’t take long until your digital life, and the real one too, is a smouldering wreck.

Systems administrators sometimes enforce regular passphrase changes; at other times there’s a hack attack followed by passphrase resets for everyone.

In one such case I heard of recently, the admins at an organisation generated new passphrases for their users. To make sure that users would receive them, the new passphrases were sent via text messages.

Security-minded users who hadn’t changed their numbers, and so got the texts, naturally enough deleted the cryptic messages as spam. Since they couldn’t log in, as the passphrases had changed, people couldn’t read the warning emails about the whole painful exercise.

User authentication with passphrases is quite a mess, in other words. The finest minds in computing and cryptography have tried to untangle it, but none of the alternatives so far is good enough to fully replace passphrases for most users.

Take biometric authentication with scanners recognising unique features on various body parts. It is super convenient and fast.

For example, Apple’s fast and accurate Face ID bounces infrared signals off your visage, and can handle hats and sunnies.

Beards grown or shaved off can be problematic though, ditto anti-Covid face masks, and they force you to enter a passphrase on the device. Or, you can now use an Apple Watch to unlock your phone if you wear a mask or a full-face motorcycle helmet, but a device passphrase is needed the first time.

Microsoft’s Windows Hello can scan your face in a similar way. If it doesn’t work, you tap in a personal identification number or, if you forget that, the long and complicated passphrase for your user account.

Cool kids use hardware solutions like YubiKeys that sit connected in a USB port and issue one-time passphrases like cccccckliucrfjdnguhuchbgftgnkdrclkiudbdgnkkv if you tap them. Some YubiKeys now work with near-field communication (NFC) tech as well and don’t have to be plugged in.

Very secure and convenient, but you need at least two, stored in different locations, in case one is lost, because regaining access to an account secured with a hardware key is hard and slow, if it’s possible at all.

So you end up using passphrases as a backup. When you do, password (or phrase) managers are invaluable. Those programs mean you can create and not have to remember different uncrackable 128-character passphrases for the hundreds of sites you sign into.
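To put some numbers on the brute-force rig described earlier and on the “uncrackable 128-character passphrase” claim, here is an added illustration that is not part of the column. It assumes a guess rate of 500 million per second, uses a constructed toy wordlist and affix rule set, and shows why the tidy keyspace arithmetic flatters a pattern like “123password”: a dictionary-style guesser finds it in a handful of attempts, while a long random string really is out of reach.

```python
import math
import string

# Assumption: 5e8 guesses/s, one GPU rig matching the column's
# "hundreds of millions of guesses per second".
GUESSES_PER_SECOND = 5e8
SECONDS_PER_YEAR = 365.25 * 24 * 3600

CHARACTER_CLASSES = (
    string.ascii_lowercase, string.ascii_uppercase,
    string.digits, string.punctuation, " ",
)

# Constructed toy wordlist and "digits or a symbol around a word" affixes.
# Real cracking dictionaries and rule sets are vastly larger.
WORDLIST = ("password", "letmein", "welcome", "qwerty")
AFFIXES = ("", "1", "123", "!", "1!", "2024")


def alphabet_size(secret):
    """Size of the smallest union of standard character classes covering `secret`."""
    return sum(len(cls) for cls in CHARACTER_CLASSES if any(c in cls for c in secret))


def random_entropy_bits(secret):
    """Entropy IF every character were drawn uniformly from that alphabet.
    This is an upper bound; human-chosen secrets sit far below it."""
    return len(secret) * math.log2(alphabet_size(secret))


def years_to_exhaust(secret, rate=GUESSES_PER_SECOND):
    """Years needed to try the whole random keyspace at `rate` guesses per second."""
    return 2 ** random_entropy_bits(secret) / rate / SECONDS_PER_YEAR


def dictionary_guesses(secret):
    """Guesses the tiny word+affix rule set needs to hit `secret`,
    or None if the secret is not of that shape."""
    n = 0
    for word in WORDLIST:
        for prefix in AFFIXES:
            for suffix in AFFIXES:
                n += 1
                if prefix + word + suffix == secret:
                    return n
    return None


def assess(secret):
    """Risk summary: optimistic keyspace estimate beside the realistic answer."""
    return {"bits": round(random_entropy_bits(secret), 1),
            "years_brute_force": years_to_exhaust(secret),
            "dictionary_guesses": dictionary_guesses(secret)}


if __name__ == "__main__":
    for s in ("123password", "1password!", "S,ws HAPj}JR V2′])P", "x" * 128):
        print(repr(s[:20]), assess(s))
```

The keyspace formula says “123password” needs about eight years of exhaustive guessing, yet the toy dictionary finds it on the 13th try; the 128-character string stays astronomically far beyond either approach.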

Then you discover the flaw in your grand plan as you agonisingly slowly transcribe the 128 characters from your laptop screen to a mobile phone which doesn’t have a version of the passphrase manager you use.

Don’t get me wrong: there are a number of workarounds for the above and different systems to use, some of which are even easy to use.

And, if only one of them would work everywhere without passphrases or other add-on complications, I’d happily pay good money for it. Sadly it looks like I’ll be waiting until quantum entanglement authentication or something becomes the norm before that happens.
