25 September 2011

Passwords shouldn’t be simple, but this is getting ridiculous

Here’s my problem. My password has expired and I need to set a new one. So I think of something and type it in. The system rejects it as being insecure. That’s funny — it’s about the same level of complexity as its expired predecessor. Then I remember — the organisation has recently acquired a new chief information officer and he’s embarked on a root-and-branch overhaul of the system, which presumably includes upgrading security rules.

So I think of a really secure, incomprehensible password and type it in. The system rejects it as laughably inadequate. So I try another and another and another. Same result each time. At this point, I’m getting irritated. Since it’s a Microsoft network, I decide to see what advice Microsoft can give me. I go to the company’s “Safety and Security Centre”, where there’s a helpful page on how to create strong passwords in four easy steps.

Step 1 is: “Start with a sentence or two.” OK: how about “the rain in Spain stays mainly in the drain”? Step 2: “Remove the spaces between the words in the sentence.” This gives “theraininSpainstaysmainlyinthedrain”. Next step: “Turn words into symbols, numbers or shorthand”. OK: how about “thera1n1nSpa1nstayzma1nly1nthedra1n”? Now for the final step: “Add length with numbers. Put numbers that are meaningful to you after the sentence.” Hmm … it’s too obvious to add a phone number or a car registration number. How about David Cameron’s postcode? (Pause for googling.) So we wind up with “thera1n1nSpa1nstayzma1nly1nthedra1nSW1A2AA”.

Looks good, eh? So I try it. Yippee! I’m in. Only one problem: will I be able to remember this gibberish for the next login? You know the answer as well as I do. I won’t. So I will have to write it down somewhere where I can find it. How about a Post-It note that I can stick on the underside of the desk?

And there, in a nutshell, is the problem. I’ve just checked and at the moment, I need 61 passwords for all the services and devices that I use. Maybe I’m unusual because of my line of work, but I’ll bet that most people have at least a dozen. For security, they should all be different — having a single password for everything would be a disaster waiting to happen. That doesn’t stop people having a single password, though. A colleague tells me that the three most common are “password”, “arsenal” and “pussy”. (Hmm… wonder how he knows that?)

Moore’s law
Twenty years ago, we could get by with fairly simple, easily memorable passwords. But Moore’s law — which says that computing power doubles every 24 months — has taken care of that. There’s no word or combination of letters that you can think of (let alone remember) that can’t now be cracked by brute-force computing. Complicated combinations such as the one I produced under Microsoft’s guidance will take longer to crack, of course, but eventually the processor will get it.

Twenty years ago, the insecurity of passwords wasn’t such a big deal. But it’s a big deal now because so much of our lives has moved online or on to offline computerised services. As these services proliferated, the use of passwords for authentication grew to the point where we are now totally reliant on a system that is at worst broken and at best inoperable.

Because humans are an adaptable and ingenious species, we have found ways of ameliorating the problem. Some people put all their passwords in a single digital file and store it somewhere. Often they assign the helpful name “passwords” to the file, thereby making it easy for hackers to locate. If they’re really conscientious, they will encrypt the file (provided they know how to do that). Some keep their passwords on their cellphones, using proprietary apps such as Keeper or 1Password which encrypt the data. Laptop manufacturers provide biometric devices which check fingerprints before allowing a login.

More canny users employ authentication services such as OAuth, allowing them to share private data such as photos, videos or contact lists, between one site and another without having to hand out their usernames and passwords.

Researchers such as Frank Stajano of Cambridge University are hard at work on ingenious ideas like a trustworthy device (Stajano calls his a Pico) that “acts as a memory prosthesis and takes on the burden of remembering authentication credentials, transforming them from ‘something you know’ to ‘something you have’”.

We will doubtless find a solution to the password problem for the simple reason that if we don’t we’ll be overrun by cybercrime, identity theft and a host of other nasty surprises.

In the meantime, we’re stuck with passwords whose security is inversely related to their memorability. Which reminds me: what was all that stuff about the rain in David Cameron’s postcode? – guardian.co.uk