Monday, December 04, 2006

Why Passwords are a Bad Idea...

BBC News has an interesting article on how passwords may actually be weakening our security considerably.

It goes on to say that, according to the UK's International Telecommunications Union, people nowadays have so many passwords to remember for so many different places that they inevitably start re-using the same keys again and again (in the worst case of all, the same password is used for every authorization prompt). As a result, it is quite easy to compromise a person's electronic identity (online accounts for forums, commercial and banking services, e-mail, etc.) just by cracking one or two of their codes, which may also be easy to guess; don't forget about brute forcing and common words. Many variations of this scheme exist. For example, if an e-mail account is compromised and the attacker uses the "remind my password" feature on every web site the user is subscribed to, a large portion of them will return the actual password in clear text by e-mail.

So there you have it: passwords are making people's lives hard and at the same time increasing their sense of insecurity. They can't remember all of them! So they start writing them down on a piece of paper which they keep in their wallet. Or they use common, guessable passwords such as their birthday or licence plate number, and in general they violate, one by one, every rule for keeping passwords safe.

And I'm wondering: is it time to move on to something else? And if so, what might that be?

Let's consider PKI for a moment. It stands for Public Key Infrastructure. I won't get into too many details here (maybe another time). Just think of it as a system where all you need is a smart card (it looks like a credit card) which holds all your information (identification, licence, commercial and banking accounts, private keys). The card is password-protected, so you do have to remember one password. Maybe there'll be a next version with no password at all, where a biometric sensor protects the card's contents.

Anyway, with a single smart card you can exchange, through secure software, all the necessary authentication information with your e-mail provider (to access your messages), your bank (to check and manage your balance), e-commerce sites (to shop online) and of course any other place on the WWW where you need to properly identify yourself in order to gain access.

Some may think this is a bad idea because all your keys are in one place, a single card, which is a single point of failure and easy to steal and/or compromise. Well, that's not exactly true. The card itself is very secure. Yes, someone may steal it from you since it is a physical item, but it is highly unlikely he will ever be able to access its contents. So your secrets are safe and your life a lot easier.
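To make the exchange from the two paragraphs above concrete, here is an added example (my code, not from the BBC article or the original post) of what "exchanging authentication info through secure software" looks like with a smart card: the card holds one private key behind a PIN, each site stores only the user's public key, and a login is a fresh random challenge that the card signs. Everything here is constructed for illustration: the `Card` and `Service` types, the method names, the PIN `1234` and the site name `mail.example`. It uses only Go's standard library (Ed25519 signatures).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Card models the post's smart card: one private key behind a PIN. It only ever
// releases signatures, never the key itself. (Constructed example type.)
type Card struct {
	priv     ed25519.PrivateKey
	pin      []byte
	unlocked bool
}

// NewCard generates a key pair (a real card does this inside its secure element).
func NewCard(pin string) (*Card, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Card{priv: priv, pin: []byte(pin)}, nil
}

// Unlock takes the one password the post leaves the user with: the card's PIN.
func (c *Card) Unlock(pin string) bool {
	c.unlocked = subtle.ConstantTimeCompare(c.pin, []byte(pin)) == 1
	return c.unlocked
}

// PublicKey is all a service ever needs to store about the user.
func (c *Card) PublicKey() ed25519.PublicKey { return c.priv.Public().(ed25519.PublicKey) }

// Sign answers a challenge; a locked (for example stolen) card refuses.
func (c *Card) Sign(service string, nonce []byte) ([]byte, error) {
	if !c.unlocked {
		return nil, errors.New("card locked: PIN required")
	}
	return ed25519.Sign(c.priv, challengeMessage(service, nonce)), nil
}

// challengeMessage binds the nonce to the service name, so a signature made for
// one site is worthless at another even if both happened to issue the same nonce.
func challengeMessage(service string, nonce []byte) []byte {
	h := sha256.New()
	h.Write([]byte(service))
	h.Write([]byte{0}) // separator between name and nonce
	h.Write(nonce)
	return h.Sum(nil)
}

// Service models a web site. Its user table holds public keys only, so a leaked
// table gives an attacker nothing to log in with, here or at any other site.
type Service struct {
	Name    string
	users   map[string]ed25519.PublicKey
	pending map[string][]byte // outstanding nonce per user, single use
}

func NewService(name string) *Service {
	return &Service{Name: name, users: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

func (s *Service) Enroll(user string, pub ed25519.PublicKey) { s.users[user] = pub }

// Challenge issues a fresh random nonce for a known user to sign.
func (s *Service) Challenge(user string) ([]byte, error) {
	if _, ok := s.users[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[user] = nonce
	return nonce, nil
}

// Verify checks the signature against the pending nonce and consumes it, so a
// captured signature cannot be replayed.
func (s *Service) Verify(user string, sig []byte) bool {
	nonce, ok := s.pending[user]
	if !ok {
		return false
	}
	delete(s.pending, user)
	return ed25519.Verify(s.users[user], challengeMessage(s.Name, nonce), sig)
}

func main() {
	card, _ := NewCard("1234")
	mail := NewService("mail.example")
	mail.Enroll("alice", card.PublicKey())
	card.Unlock("1234")
	nonce, _ := mail.Challenge("alice")
	sig, _ := card.Sign(mail.Name, nonce)
	fmt.Println("first use:", mail.Verify("alice", sig), "replay:", mail.Verify("alice", sig))
}
```

The point the post is making shows up in the data each party holds. The same public key can be enrolled at the e-mail provider, the bank and every shop, and that reuse is harmless: a site that leaks its user table leaks public keys, which cannot be turned into a login anywhere, unlike a reused password. A signature captured in transit is bound to one site name and one single-use nonce, so it cannot be replayed or presented elsewhere. And a stolen card without its PIN refuses to sign at all. One thing the example leaves out that a real card enforces is a retry counter on the PIN, which is what stops a thief from simply guessing it.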

After all, strengthening security should never be achieved by pushing the burden onto the end-user.

That only makes things difficult for him and causes him to compromise his own identity. The PKI concept really means the end-user has a single card in his pocket which he uses upon login and takes away upon logout. As simple as that, and everybody is happy :)

This is a big issue and I'll get back on this sometime soon.

Bottom line: forget about passwords!
