TL;DR Summary
- don’t let users choose guessable passwords; achieve this by…
- encouraging/forcing users to use good password management software, and then…
- protect the hashes on the backend by using something decent, ie: bcrypt()
Videos
What Is Good About Password Technology?
These are the architectural benefits:
- passwords are easy to deploy
- passwords are easy to manage
- passwords don’t require identity linkage between silos – so your Google username can be different from your Skype username, can be different from your FetishPornSite.com username, nor need you register identities centrally
- passwords are scalable – you can use as many different ones as you like
- passwords can be varied between silos so that loss of one does not impact the others
- passwords don’t (necessarily) expire
- passwords are the purest form of authentication via ‘something you know’, and thus ideal for the network or “cyber” environment.
- you don’t need to pay an intermediary or third-party a surcharge just to get a new password, nor to maintain an old one.
What Is Bad About Password Technology?
The advice in the first section addresses most of these:
- passwords are easy to deploy
– which means they’re used everywhere - passwords are easy to manage
– which means they’re managed haphazardly - passwords don’t require identity linkage between silos
– but people are generally too lazy to maintain more than one or two identities - passwords are scalable
– but people are generally too lazy to remember more than one or two passwords - passwords can be varied between silo
– but people are generally … see above - passwords don’t expire
– but most of them are guessable in a matter of minutes or hours - passwords are ‘something you know’
– and so anyone who knows your password is indistinguishable from you - you don’t need to pay … oh, wait, that’s a good thing, unless you’re an intermediary?
“Why Passwords Both Do And (Importantly) Do Not Suck” Blog Posts
- Google Declares War on the Password # Dear @Wired, no, sorry, you’re again wrong
- Regrettably @Mat Honan is Entirely Wrong about “Killing Passwords”
- Password Security, Forevermore
“Choosing A Good Password” Blog Posts
- Username: Google ; Password: 2bon2btitq
- “the fairly strong password she used … was crackable by brute force alone” # wait what?
“What To Do When Your Password Gets Leaked On The Internet” Blog Posts
- If it turns out that LinkedIn passwords have leaked…
- Full-Disclosure, Unredacted WikiLeaks, Security and The Guardian
“Password Implementation For/By Developers” Blog Posts
- seven basic rules for developers setting up password systems
- The solution to password guessability is this…
- Regulators, Password Hashing & Crypto considered as a Branding Exercise
“Password Recovery Dialogues” Blog Posts
- Andy Smith of the Cabinet Office is a Epic Security Hero
- Apple just gave out my Apple ID password because someone asked – MK&C
- If you buy online from Apple, check your e-mail carefully
- Easy AppleID Password & Account Theft
“Password Technology” Blog Posts – updated 2013/2/1
- Demo Password Cracker in 1 line of Perl
- Method and apparatus for implementing a pluggable password obscuring mechanism
- seven basic rules for developers setting up password systems
- bcrypt’s [password] length limit is 72, not 55
- The solution to password guessability is this…
- Password Security, Forevermore
- Regulators, Password Hashing & Crypto considered as a Branding Exercise
- OpenSolaris, Pluggable Crypt, and the SunMD5 Password Hash Algorithm
“Password Cracking Technology” Blog Posts
- Crack (password software) at Wikipedia
- Exactly 21 years ago: “CRACK: A Sensible Unix Password Cracker”
- When I wrote Crack I could make three password guesses per second…
- Password Cracking in a Nutshell
- Crypticide I: Thirteen Years of Crack
How Security and Identity Really Work
I’d add one more to your “tl;dr” – “protect the hashes on the back end as carefully as you protect anything on the system”. bcrypt is good, but a hash that the adversary can’t get a hold of is a hash he can’t even *try* to mount an off-line brute-force attack against. The view that “if it’s hashed, I don’t have to worry about protecting it” is dangerous. (It’s also, unfortunately, almost written into law, such as laws on required notifications.)
Layered security. Defense in depth. These are good concepts; apply them.
— Jerry
Not having a guessable password protects from an offline attack vector, but what about online attack vectors?
For example:
Stealing the password using client-side malware, phishing the password using a spoofed site, eavesdropping the password as it is transmitted, stealing the password from the authentication server, stealing the password from a second authentication server where the user has reused it, and subverting the automated password reset process, etc.
What are your thoughts on this aspect of passwords?