07 Oct Post Password Era
Passwords are given an increasing number of caveats in order for them to be considered secure.
Commonly agreed upon password practices include the use of an expanded character sets (those outside the normal a-z 0-9 ranges – aka special characters). Which are non-dictionary words and over some arbitrary length. Coming up with a password which meets these requirements is a little time consuming, but easy enough.
However, these requirements become completely infeasible when you have to provide a unique password for each site. Or, you must accept that by using the same password for each site, all of your accounts may be compromised.
Ideally, you end up using a password along the lines of ‘#VCj!yU%mGk!#3Rf’ for every site.
However, ironically, these random configurations make you more insecure. Remembering one of these for each account you have isn’t possible, so you begin to write them down.
So we reach the current stage of internet security, where most people are recommending the use of password managers – like LastPass, 1Password, or KeePass.
If you aren’t using a password manager you probably should consider it. It does start off a bit of a struggle, but soon actually becomes easier than needing to remember, or continuously reset your passwords. They work by moving our memorable password-eggs from numerous (questionably secure) services, to a single password basket. Secured by a single (hopefully superduper) password along with some form of second factor. Now all the sites we visit have a unique bunch of gibberish as a password – which we don’t mind being leaked, as it won’t help the attacker get into our other accounts.
Although I’m currently a password manager advocate, this should hopefully only be a stopgap period of time as we transition to the next thing.
Fundamentally in cryptography, if you want to keep something locked away you need to use a secret. And that secret tends to be something you know (e.g. password), or something you have (e.g. fingerprint), or a combination of the two (two-factor authentication).
Although the password can never truly leave, it can hopefully become more convenient. Hopefully to the extent that you no longer need to remember the passwords or trust a third party.
Biometrics look promising: replace all our passwords with a fingerprint or an iris scan.
We don’t need to remember it and because the resolution has to be scanned, it makes for a very strong secret. They have one major flaw though: you only have one set of fingerprints your entire life. If someone doesn’t adequately protect them, or you’re of high enough value, they might leave your control. Then you’re stuck with no form of revoking that secret, or changing it (without some surgery).
Biometrics are still fuzzy so they can allow for false positives and negatives.
So the current thinking is to use a more heuristic approach, by combining a number of personal traits together to identify an individual. These can be things like the person’s voice signature, how they type on a keyboard, movement patterns (via GPS), facial recognition etc. These are interesting routes but I’m not overly won over yet by how secure they’ll be in practice. For example, if you’re running late for your plane, trying to login to get to a copy of the boarding pass which you have saved on your phone partner’s phone (because yours is out of battery). These heuristics may not be able to assert your identity with any confidence. So this form of authentication is still going to need to fall back to some reproducible secret you can provide. Making heuristics a convenient shortcut, bypassing entering your secret in most situations, but not a replacing them.
Something that companies are now competing to control, is the next method which will take over from the username and password hole we’ve dug. This is a highly desirable position to hold, as being the owner of everyone’s online identity could be pretty valuable.
A lot of the services already offer OAuth logins to websites – so you can ‘Login with Facebook’ or ‘Google’ or ‘Twitter’ etc.
This is convenient for you so you don’t need to make a new account, and beneficial for them as it gives an insight in to your preferences. Which Twitter uses to suggest people for you to follow, and Google uses to target ads to you. A company owning this shouldn’t sit right with people though. If a company does come in and create the next authentication method, and it’s so compelling that it becomes the defacto way of authenticating yourself. We are then in their hands if they later choose to wheel up the drawbridge and keep this proprietary protocol locked up for themselves. They could start charging licensing fees for services to use it. Or it may no longer be the company’s priority and the development stagnates (not great if security flaws are discovered and go unpatched).
Ideally we need something that can be implemented and unencumbered by possible software/hardware patterns. An open source to be vetted by security experts and open for any developer to contribute to. This might be (or look something like) SQRL. I worked on a SQRL for my final year Computer Science project and have been following it since Steve Gibson announced it on his podcast, a couple years back.
SQRL (pronounced “squirrel”) can replace the username and password paradigm, while at the same time getting rid of the possibility of services losing your password.
You’ll be able to use SQRL by installing a SQRL application. You could have one installed on your mobile, as an extension in Chrome or just installed as a desktop application. These clients can be made by anyone as everything around SQRL is public domain, open source etc. Once you become one of these clients, it will generate an ‘identity’ for you. This identity is basically your secret and it can be shared across clients and backed up offline (maybe as a print out hidden in your safe).
Now with your ‘identity’ setup and backed up you shouldn’t need to worry about it again.
Now if you go to a new service which supports SQRL, you’ll be presented with a QR Code. If you are signing into a service which is on the same device it could be as easy as clicking ‘login with SQRL’. Or if you’re signing in with a separate device, you might take a photo of the QR Code on your mobile to log in to a service on your desktop.
Some of the things mentioned above might raise some alarm bells: single secret to log into all services, shared secret across devices, one-click sign in, printable secret.
However, SQRL allows these to all be done securely and you should take a look at SQRL if this sounds interesting to you. It also provides steps for revoking that secret if for some reason it’s compromised. I’ll resist turning this into a post about SQRL, though I think it shows that there is still room to make authentication more convenient than it is currently.
SQRL has one crux, however: you’ll probably still need to remember a password. SQRL can securely authenticate you to services but you’ll still probably want some way of you authenticating yourself to SQRL. Otherwise if someone steals your laptop, or phone, they can log into any service using your SQRL client. But that’s only one password (which could be switched out for a fingerprint on modern phones). And it reduces your attack surface from each site possibly leaking a password due to a data breach, or sloppy programming, to the surface just being your SQRL device.
Ultimately, I don’t see us getting rid of passwords because something we know is much stronger than something we have.
The future of password security is exciting, and something I for one will be keeping my beady eye on. As for now, password manager’s are the most successful resource we have at our fingertips. I currently use LastPass on a daily basis, and have now become reliant on it to remind me of my passwords, or more to the point remember them for me. I also utilise it to share my passwords with colleagues or within teams. The best thing is, I do this all without having to unearth my cryptic secrets.