Let’s talk P4ssw0rDs!#$
If you’re like everyone else with an internet connection, you have dozens of accounts that require passwords. Over the years, you have either learned that using the same password for all of these accounts is a bad idea, been forced to use different passwords because of disparate password requirements from different service providers, or both. The result is now you have a bunch of passwords that you can’t remember.
So, what do you do? You probably fall into one of a three camps:
- You have 3-4 different passwords of various complexity that you know you can remember. You use these across your dozens of accounts and find yourself trying to guess which one you used for each account nearly every time you login. To complicate things, you also have variations within each of these passwords that you have created over time to meet specific password requirements – and you forget them constantly.
- You are a rebel and have created the ultimate password that you think meets all the requirements for any system. But it doesn’t. So, you end up creating a bunch of slight variations to fit within whatever schema you are presented with for a specific service and end up forgetting all of them.
- You actually create new passwords for every account and commit them to memory. (I met a guy once that said he actually did this. He was lying, of course, and you don’t really fall into this camp either.) In reality though, you rely on your browser’s “remember password” function. Or, if you don’t trust your browser, you might have a text file, notebook, or even a “password vault” to store all of your passwords for retrieval. Every day, though, you wonder if you can really trust your system and you know, deep down, that you have set yourself up for a single-point-of-failure where all of your credentials can be lost at once. Every time you click “remember password,” you get a rush of anxiety…but you force yourself to dismiss it since you are too far down this road already.
Regardless of which group you identify with, you’re frustrated, tired, and have probably resigned yourself to a world of password tedium. You may also be part of the growing movement of people who have completely given up and click “Forgot Password” every time they have to log in to anything.
How did we get here and what can we do about it?
Back in the ‘90s, script kiddies would download the readily-available encrypted password file (/etc/passwd) from a system and compare the password file with a “dictionary file” (a long list of words) that people could use as passwords to harvest most of the credentials on servers around the world. This was extremely easy to do and, as people and businesses began to use the internet for more than novelty communications, security professionals began to more strictly enforce password requirements to prevent a password from being a word contained in a dictionary file. Thus, the CaSe and Sp3c1#l Ch4raCt$r requirements began to spread.
In 2003, in an effort to formalize some of these password cracking prevention methods, NIST published Appendix A of SP 800-63 that contained this example of a password schema:
- A minimum of eight character passwords, selected by subscribers from an alphabet of 94 printable characters.
- Required subscribers to include at least one upper case letter, one lower case letter, one number and one special character.
- Used a dictionary to prevent subscribers from including common words and prevented permutations of the username as a password.
Look familiar? Couple these with requirements to change passwords every 90 days and here we are today.
But lo! We may be entering the renaissance period of authentication requirements…
Bill Burr, the author of that Appendix A, this month stated that he now regrets publishing those 800-63 Appendix A requirements. The National Institute of Standards and Technology has recently released a new set of password guidelines after determining that, especially in light of significant advancements in computing power over the last few decades, the familiar requirements do little for security and really only result in a “negative impact on usability.”
Now is the time to rethink identity management and authentication techniques for virtually every application. We’ve probably reached “Peak Password” and in the near future, we won’t need to rely on this antiquated technique for authentication in the same way. Coupling reasonably strong passphrases with other factors of authentication dramatically reduces the need for many of the annoying password requirements that we have all grown to loathe. Indeed, there is a growing “No Passwords” movement with many reputable organizations finding new, faster, and probably more secure, methods of authentication.
As we look to the future, we should be excited for the days of spending less time and energy struggling with basic authentication and getting back to what the internet should really be about: cat photos.