The uselessness of passwords (part 1)

in #crypto · 7 years ago

My password is ...

How many times per day does a computer ask you for your password?
Are you the kind of person who uses dumb passwords?
No?
So, do you write your password on a Post-it?
Do you use a base password that varies depending on the website you're visiting?
Do you use a password manager application?

How come it's so hard to deal with all passwords in 2017?

If you visit many websites and have many accounts, chances are high that each site has its own password rules. Typically some websites require uppercase letters plus symbol characters in your password, while others require a specific length.
You know you should not reuse any password, but remembering one strange password is hard. Remembering 10 strange passwords is (virtually) impossible.
One can use a password manager, but then, when you change devices or if you lose your phone, you're naked without the manager.

The list of issues with passwords is too long to write... or is it?

Issues with passwords:

  1. Passwords are hard to remember for a human but easy to guess for a machine.
    => This leads to dumb passwords being used.

  2. Each password requester has its own rules that might be displayed when creating the password initially, but never when entering it.
    => This leads to abuse of the "Forgot password" button, then likely a mail transiting (usually in clear over the internet) with a URL that has god power over your account

  3. Some passwords have a limited validity period and must be changed every <insert period here>.
    => This leads to incremental passwords, which are obviously weaker

  4. Password reuse. Who hasn't said at least once, "this account is of no importance, let's reuse my usual dumb password"?
    => This makes it impossible to track where a password is used or from where it leaked

  5. Password sharing with other people for convenience. Have you changed all the passwords you've shared with your ex?
    => Delegating your password is like having no password anymore

  6. Passwords are not credentials. They are usually linked with an identifier (on some websites, it's not always your email). Thus even if you remember the password but forget your identifier, you'll still be denied access.
    => This adds even more complexity to the authentication problem

  7. Too short/too long cookies. If you tick the "Remember me" checkbox, you'll get a cookie in your browser, and the system will not ask for the password for a long time, but not forever. When the time is up, you'll have to enter your obviously forgotten password again. If the cookie is too short, you'll remember the password because you'll have to enter it often, but such a scheme is a real pain to use.
    => Convenience decreases security in that case

  8. Authentication delegation, such as Google+, OpenID and all other such means, has a single point of failure. If a hacker is granted access to your Gmail account, it's game over.
    => This concentrates all security in a single layer, which is bad

  9. Death. All your data will be gone when no one else can access it and you don't/can't care anymore.
    => A password is a secret, except when it should not be anymore

  10. Password managers. Unless you're a very good system administrator, chances are high that you're storing the manager's database on one device (backed up or not on some cloud service). Losing/breaking the device means losing all your accounts. Even if you have a backup in a cloud, you used a hard-to-remember password for the cloud service, haven't you? Is that password stored in the manager?
    => Delegating password memory to a tool means being dependent on the tool

  11. Two-factor authentication schemes (something you know and something you have). You must provide a password and also have some "smart" device to authenticate. This sounds good because you never expect to lose both at the same time. However, if you lose either of them, you're out of luck.
    => Multiplying the number of secrets multiplies the risk of failure

  12. Password databases. Some websites store passwords as plaintext (yes, that still exists) or hashed without a salt (open to dictionary attacks with precomputed tables).
    => When they get hacked, the passwords will leak on the darknet.
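As an added example (not code from the original post), here is a small Python demonstration of item 12, which also shows item 1's point that what is hard for a human is cheap for a machine: a fast, unsalted hash of a common password can be matched against a precomputed table in a single dictionary lookup, while a salted, iterated key derivation (PBKDF2 from the standard library here) gives every user a distinct record even for the same password and makes every guess cost real work. The wordlist, the record format and the iteration count are constructed for this example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample wordlist, not taken from any real breach.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "summer2017"]


def store_unsalted(password: str) -> str:
    """The weak scheme the post describes: one fast hash, no salt.
    Every user with the same password gets the same stored value."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(wordlist) -> Dict[str, str]:
    """Precomputed hash -> password table. Because there is no salt it is
    built once and applies to every record in the leaked database."""
    return {store_unsalted(p): p for p in wordlist}


def recover_from_unsalted(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    """What 'dictionary attack' means for an unsalted hash: a single lookup."""
    return table.get(stored_hash)


def store_salted(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Hardened scheme: random 16-byte salt plus an iterated KDF (PBKDF2-HMAC-SHA256).
    Record format (constructed for this example): algo$iterations$salt_hex$dk_hex."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, record: str) -> bool:
    """Re-derive with the stored salt and iteration count; constant-time compare."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def demo():
    """Returns (recovered password from the unsalted leak,
                whether two salted records of the same password differ,
                salted verify of the right password,
                salted verify of a wrong password)."""
    table = build_lookup_table(COMMON_PASSWORDS)
    leaked_unsalted = store_unsalted("letmein")       # what a breached DB would expose
    recovered = recover_from_unsalted(leaked_unsalted, table)

    rec_a = store_salted("letmein")
    rec_b = store_salted("letmein")                  # same password, different salt
    return (recovered,
            rec_a != rec_b,
            verify_salted("letmein", rec_a),
            verify_salted("letmein2", rec_a))


if __name__ == "__main__":
    print(demo())
```

With a salt, the precomputed table is worthless: the attacker must redo the iterated derivation per user and per guess, which is the cost the defender wants to impose. The iteration count is a tunable; pick it so that a login takes a noticeable fraction of a second on your hardware, and store it in the record so it can be raised later without invalidating old entries.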

Wait... What's the solution then?

In the next part, I'll present some ideas to solve the above issues.
Meanwhile, if there are issues I've missed, please list them in the comments section below.
