Archive for September, 2008

Punting Password Security

Monday, September 22nd, 2008

There’s another problem with passwords which deserves its own post: what do you do when you forget one?  It’s bound to happen, right?  With so many passwords floating around in our heads, we inevitably forget one entirely or forget which password goes with which account.

Sites can’t just tell you to get lost when you can’t remember, so they need a Plan B to authenticate that it’s really you, and not some attacker.  Now, if you have an existing relationship with the entity for which you’re trying to reset your password, it makes things much easier.  If I forget my login password at work, I walk down to IT and either talk to someone in there who knows me, or show somebody my ID card.  They reset my password, and I’m off to the races.

Yes, by punt I mean the American sense of the word.

But most sites on the internet don’t know me and haven’t issued me any kind of physical token I can use to prove that I’m me.  So, they punt.  They fall back on one of two methods: security questions, which are the slow-pitch softballs of the security world, or they simply pass the buck to somebody else to authenticate you, namely, your email provider.

Security questions are basically another form of password: information which is nominally secret, but much easier for you to remember.  Think of the age-old bank security questions: your mother’s maiden name, the name of your first pet, or your elementary school.  Because these are usually questions about your past, they’re easy to remember, but the answers are also very easy for an attacker to guess or dig up.  The well publicised break-in to VP candidate Sarah Palin’s Yahoo Email account provides a good example of why security questions aren’t really secure at all, if the alleged first-person account of the break-in is to be believed:

The intrusion, according to this account, was carried out via Yahoo’s password reset feature. Though the original post has been deleted, it was copied and reposted to several other blogs.
In the post’s telling, the exploit took no more than 45 minutes and simply required searching the Internet for basic personal information, such as Palin’s zip code, birth date, and where she had met her husband.

Of course, being a VP candidate is sure to have made it easier to find the biographical information required for this attack, but the point is that the answers to security questions aren’t usually well kept secrets, and enough digging by a determined attacker can punch right through them.

Many sites forgo questions and rely instead on the strength of your email authentication.  They send you an email with a temporary password, or a code to enter to be able to create a new password.  This means that your email account should be the most sacred of all your passwords—strong, unique, and changed often—because if it is compromised an attacker will have “the keys to the kingdom” of many of your other accounts.  Of course, this style of authentication doesn’t help email providers like Yahoo!, Gmail, or MSN/Hotmail.
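As an added example, not from the original post, here is how a site can implement the emailed-code variant described above so that the code is hard to guess, short-lived, single-use, and never stored in plaintext on the server.  The in-memory store and the function names are hypothetical stand-ins for a real database and web handler.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical in-memory store: at most one pending reset per account id.
# A real site would keep this in its database.
_pending = {}

TOKEN_TTL = 15 * 60  # seconds; a short lifetime limits how long a leaked email is useful


def _digest(token: str) -> str:
    # Keep only a SHA-256 digest, so a copy of the store does not yield usable codes.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(account_id: str, now: float = None) -> str:
    """Create a single-use reset code for account_id and return the plaintext to email.

    The plaintext exists only in the outgoing message; the server keeps the digest.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 random bits, not a guessable short number
    _pending[account_id] = {"digest": _digest(token), "expires": now + TOKEN_TTL}
    return token


def redeem_reset_token(account_id: str, presented: str, now: float = None) -> bool:
    """Return True exactly once, for the correct and unexpired token only."""
    now = time.time() if now is None else now
    record = _pending.get(account_id)
    if record is None:
        return False
    if now > record["expires"]:
        del _pending[account_id]  # expired: discard it so it can never be used
        return False
    # Constant-time comparison of digests avoids leaking match progress via timing.
    if not hmac.compare_digest(record["digest"], _digest(presented)):
        return False
    del _pending[account_id]  # single use: a replayed or forwarded code is now dead
    return True
```

Omitted here, but needed in practice: rate-limiting redeem attempts per account and invalidating existing sessions once the password is actually changed.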

And, in this respect, Information Cards are no better.  They can be lost in a computer crash, accidentally deleted, or not transferred to a new computer.  This means that sites that use them still need to punt on security in exactly the same way.  There are such things as “managed information cards,” which are issued and secured by a trusted third party.  If the user has an existing relationship with the third party (their employer, for example), they can be reissued access in a more secure way.  But this is really no different than resetting a site password via your work email account (to which you can regain access securely).  In both cases you and the site agree that if you lose your credentials, then you both should trust your employer to securely deliver you new ones.

Photo is Eric Tipton from the Duke University Archives.  Licensed under Creative Commons.

Passwords and Information Cards

Sunday, September 21st, 2008

Every new site that provides a personal service needs to authenticate you the next time you return.  They need to make sure you are able to access your account and others are denied.  The standard way to do this is to have you create a secret password to identify yourself when you return.  And there begin your troubles, noble websurfer.

Most people don’t just have one web-based service they use, they have between a few and a few dozen.  The safe thing to do, of course, is to create a unique password for every site you sign up for.  One for Gmail, one for Amazon, one for PayPal, one for your internet banking, one for… you get the idea.  Strong passwords are very random, with plenty of crazy symbols and odd capitalization.  Of course, the way the human brain works, the longer and more random the password, and therefore the stronger, the harder it is to remember!  If your mind is anything like mine (which is to say, human), you’ll know the futility in trying to create and remember unique, secure passwords for each site that requires one.

So, we cheat.  We create relatively weak passwords.  Or, we reuse them.  Or both (in college, every private multiplayer game we created was always secured by the password “spandex”).  Reusing passwords is particularly Bad News Bears because you can’t know what the site you’re sending it to will do with it.  Will they store it securely?  Will they sell it to criminals in Russia?  Are they criminals in Russia?  So if you currently use the same password for http://somerandomforum.tk as your bank or email account, you might want to reconsider.  As you might imagine, the extent to which I follow my own advice depends on the perceived risk of getting a password stolen, and the potential damage an attacker could do with that particular password.

And, there are other problems with passwords.  Even if we could all remember hundreds of complex passwords and the sites they belong to, they’re still vulnerable.  They can be captured by eavesdroppers if used over an unencrypted channel, or users can be fooled into giving them away in a phishing attack.

A recent (well, August. I’ve been busy) NY Times piece introduced me to an alternative to passwords.  It’s called an Information Card, and is in essence the digital equivalent to an ID card.  Under this system, the computer does the heavy lifting of creating a unique token for each site you visit, so a malicious site can’t use the information it gains to break into your other accounts.  It also will only transmit the information over a secured channel, so there’s essentially no way eavesdroppers can intercept your credentials.

However, there are still ways to attack this system, even if the author, Randall Stross, doesn’t seem to think so.  In one breath, he quotes Scott Kveton (of the OpenID foundation) as saying, “there is no silver bullet, and there never will be.”  Then, in the next, he goes on to talk about information cards as if they’re some kind of panacea.  They aren’t.

MS Windows Cardspace, an implementation of information cards

Essentially, you are trading keeping a secured secret in your head (a password) for a secured secret on your computer (an information card).  This means that if an attacker gains access to your computer, they can steal your cards.  And, since the cards are simply bits of data, they can be copied, meaning they can be stolen without you ever noticing they’re gone—that is, until you notice accounts being compromised.  A PIN is no defense; attackers might design viruses or worms to steal the cards after you’ve entered your PIN, then silently delete themselves, removing any evidence you’ve been compromised.

Still, relying on keeping your computer secure does seem like a safer bet than passwords, at least for the time being.  If the movement gains momentum, it might do some good.  Also, smart-card readers of various sorts are becoming relatively standard on business laptops.  In the future, an information card could be embedded on one of these smart-cards, which would make them hard to steal and very hard to duplicate.

I’d be tempted to try it out on spikecurtis.com, but it’s designed to work only with SSL-encrypted connections, which I don’t have the credentials for.  The only site I know of that uses them now is Microsoft’s Live ID, only in beta, and only with IE 7 (there is a Firefox plug-in, but it doesn’t work with Firefox 3).