Goodbye, Passwords. You Aren’t a Good Defense.
THE best password is a long, nonsensical string of letters and numbers and punctuation marks, a combination never put together before. Some admirable people actually do memorize random strings of characters for their passwords — and replace them with other random strings every couple of months.
Then there’s the rest of us, selecting the short, the familiar and the easiest to remember. And holding onto it forever.
I once felt ashamed about failing to follow best practices for password selection — but no more. Computer security experts say that choosing hard-to-guess passwords ultimately brings little security protection. Passwords won’t keep us safe from identity theft, no matter how clever we are in choosing them.
That would be the case even if we had done a better job of listening to instructions. Surveys show that we’ve remained stubbornly fond of perennial favorites like “password,” “123456” and “LetMeIn.” The underlying problem, however, isn’t their simplicity. It’s the log-on procedure itself, in which we land on a Web page, which may or may not be what it says it is, and type in a string of characters to authenticate our identity (or have our password manager insert the expected string on our behalf).
This procedure — which now seems perfectly natural because we’ve been trained to repeat it so much — is a bad idea, one that no security expert whom I reached would defend.
Password-based log-ons are susceptible to being compromised in any number of ways. Consider a single threat, that posed by phishers who trick us into clicking to a site designed to mimic a legitimate one in order to harvest our log-on information. Once we’ve been suckered at one site and our password purloined, it can be tried at other sites.
The solution urged by the experts is to abandon passwords — and to move to a fundamentally different model, one in which humans play little or no part in logging on. Instead, machines have a cryptographically encoded conversation to establish both parties’ authenticity, using digital keys that we, as users, have no need to see.
In short, we need a log-on system that relies on cryptography, not mnemonics.
As users, we would replace passwords with so-called information cards, icons on our screen that we select with a click to log on to a Web site. The click starts a handshake between machines that relies on hard-to-crack cryptographic code. The necessary software for creating information cards is on only about 20 percent of PCs, though that’s up from 10 percent a year ago. Windows Vista machines are equipped by default, but Windows XP, Mac and Linux machines require downloads.
And that’s only half the battle: Web site hosts must also be persuaded to adopt information-card technology for sign-ons.
We won’t make much progress on information cards in the near future, however, because of wasted energy and attention devoted to a large distraction, the OpenID initiative. OpenID promotes “Single Sign-On”: with it, logging on to one OpenID Web site with one password will grant entrance during that session to all Web sites that accept OpenID credentials.
OpenID offers, at best, a little convenience, and ignores the security vulnerability inherent in the process of typing a password into someone else’s Web site. Nevertheless, every few months another brand-name company announces that it has become the newest OpenID signatory. Representatives of Google, I.B.M., Microsoft and Yahoo are on OpenID’s guiding board of corporations. Last month, when MySpace announced that it would support the standard, the nonprofit foundation
OpenID.net boasted that the number of “OpenID enabled users” had passed 500 million and that “it’s clear the momentum is only just starting to pick up.”
Support for OpenID is conspicuously limited, however. Each of the big powers supposedly backing OpenID is glad to create an OpenID identity for visitors, which can be used at its site, but it isn’t willing to rely upon the OpenID credentials issued by others. You can’t use Microsoft-issued OpenID at Yahoo, nor Yahoo’s at Microsoft.
Why not? Because the companies see the many ways that the password-based log-on process, handled elsewhere, could be compromised. They do not want to take on the liability for mischief originating at someone else’s site.
When I asked Scott Kveton, chairman of the OpenID Foundation’s community board, about criticism of OpenID, he said candidly, “Passwords, we know, are totally broken.” He said new security options, such as software that works with OpenID that installs within the browser, are being offered. When it comes to security, he said, "there is no silver bullet, and there never will be.”
Kim Cameron, Microsoft’s chief architect of identity, is an enthusiastic advocate of information cards, which are not only vastly more secure than a password-based security system, but are also customizable, permitting users to limit what information is released to particular sites. “I don’t like Single Sign-On,” Mr. Cameron said. “I don’t believe in Single Sign-On.”
Microsoft and Google are among the six founding companies of the Information Card Foundation, formed to promote adoption of the card technology. The presence of PayPal, which is owned by eBay, in the group is the most significant: PayPal, with its direct access to our checking accounts, will naturally be inclined to be conservative. If it becomes convinced that these cards are more secure than passwords, we should listen.
BUT perhaps information cards in certain situations are convenient to a fault, permitting anyone who happens by a PC that is momentarily unattended in an office setting to click quickly through a sign-on at a Web site holding sensitive information. This need not pose a problem, however.
“Users on shared systems can easily set up a simple PIN code to protect any card from use by other users,” Mr. Cameron said.
The PIN doesn’t return us to the Web password mess: it never leaves our machine and can’t be seen by phishers.
Unlearning the habit of typing a password into a box on a Web page will take a long while, but it’s needed for our own protection. Logging on to a site should entail a cryptographic conversation between machines, saving us from inadvertently giving away the keys.
No more relying on our old companion “LetMeIn.”