Rants on software, computing, and any other topic I feel like.
Thursday, April 29, 2010
Passwords Must Die
Let me be clear and concise to begin. Passwords have failed as a mechanism to secure information technology systems and data. This is obvious to anyone who doesn't work in IT. Users, who are our customers, hate passwords. They hate having to remember them. They hate how complicated we make them. They hate having to change them every third Tuesday before the new moon. They hate them.
Users who hate features work around them, passwords included. No amount of poking, prodding, screaming or punishment will make users use features they don't like. Especially when they don't actually work for you. We see this in the different password policies at most businesses versus those for most web sites. Web sites typically want to keep their users around, so they don't require particularly onerous password policies. Corporate password policies, on the other hand, border on the insane. I'll admit that they're likely necessary to secure the systems, but if we really have to go to that much trouble, then is it working well?
No. Again, passwords have failed as a mechanism for securing systems and data.
We need something new. We need to throw away the old way of doing things and do something that makes sense. Something that gives users a simple and easy way to secure their systems. We need to step back and ask ourselves, "Is there a better way to secure systems and data from unauthorized access than passwords?"
I think there is a better way to do this. It's already been in existence since before computers were even invented. They're called keys. Physical keys that you keep in your pocket. They work amazingly well for almost all the purposes that we need passwords for.
Why do they work so well? Part of their advantage is that they are physical. They can't be passed around easily. They're easy to secure. Just keep them in your pocket. If you want to loan them temporarily to someone else, you can do that, and then get them back. Of course, someone can copy those keys while they have them, but like anything, you have to be able to trust people not to do that. If you don't trust them, then don't give them your keys.
Of course, if you lose them, you're in trouble. So people do their best not to lose them. And if they lose them, then they make sure to secure the items that the keys gave access to. They change the locks on their house. They change the locks on their cars. It's a pain, but they're willing to do it because they don't have to do it very often, and they realize that it's their own fault for losing the keys in the first place.
None of this is true for passwords. Passwords are hard to secure, especially if you want to loan them to someone. Good passwords have to be kept in the human brain. The problem is that good passwords are complex and thus not easy for the human brain to remember without training. So people write them down, which makes them hard to secure.
In our world of information technology, the user's opinion is given a lot of weight, as it should be. And they hate passwords. Why are we ignoring our users? Microsoft Office users said they hated Clippy, so Microsoft got rid of Clippy. Users are telling us that they hate passwords, so why aren't we getting rid of passwords? Why are we trying so hard to "improve" them?
We need to get rid of passwords and replace them with keys, physical keys. Many of us already carry around a very appropriate key that could do this job. They're even called keys. They're called USB keys. Almost every computer around has USB ports. Why can't we use USB keys as the physical keys for our computers?
This can work. What it requires is for the information technology community, from operating system vendors and web browser developers to USB key hardware makers, to create what would be a very simple standard for storing the keys on the USB drive and communicating them back to the program or system that's asking for them. In fact, we can continue to use passwords. The passwords just need to be stored on the USB key.
The problem is ubiquity. Keyring software exists. But it's hard to use. It's mainly designed for the paranoid tin foil hat types. The type that think that at any time the NSA and FBI are going to knock down their door. It's complicated and hard to use. It requires passwords on top of passwords, which defeats the whole purpose. I can't use it to log in to Windows. It doesn't automatically fill in forms on websites.
This software really isn't something that you want as a tack-on program. It needs to be integrated into the OS. This idea of talking to a device to get authentication keys needs to permeate everything. New systems need to be developed with this in mind. They should require a system like this. They shouldn't even have a password field. They should ask the device directly.
We as information technologists need to take a more pragmatic approach to security. If our users aren't part of the solution, then they're part of the problem. If they have to leave the back door open so they can do their job, then we have failed to secure systems, because the job is the most important thing. When security systems fail because of password problems, it may not be our fault, but it is our problem.