by Rich Mogull on Macworld
It’s hard to imagine an idea more inane than passwords. That we protect many of the most important aspects of our lives with little more than a short string of text is an extreme absurdity.
These collections of—admit it—eight characters are the gateways to everything from our bank accounts and medical records to our family photos to the most sensitive thoughts we’ve ever let slip via keyboard. To say merely that I loathe passwords would be to lump them with myriad other things in this world that deserve a good loathing—whereas passwords deserve their own very special throne of infamy.
And the worst part of it all? There isn’t a single, viable alternative.
Bullet to the form: Let’s be honest, it’s probably just my pet’s name.
If you haven’t figured it out by now, I hate passwords. Their only redeeming value, from my perspective as a security professional, is that our reliance on them guarantees my children a decent college education.
I don’t hate just the existence of passwords, or their faulty peculiarities (which I’m about to detail); I detest the fact that so much, of such grave importance, depends for its protection on a capitalized name (probably of a cat, dog, or lizard), a number (probably the last two digits of your year of birth or favorite athlete’s jersey), and a concluding exclamation point. Never mind our personal accounts: These little strings are embedded throughout society’s critical infrastructure. It wouldn’t shock me at all to learn that the nuclear launch codes are stored on the President’s computer, just waiting for someone to enter “BoTheDog2008!”—if not, as Dr. Strangelove anticipated, “PreserveOurEssences*1964.”
What’s so bad about passwords? Well, to start with, any decent password is either nearly impossible to remember or too long to deal with.
Easy, right? Making a tough password that’s not too hard to remember can be a chore.
Take the “industry standard” recommendations of at least eight characters, with at least one uppercase letter, one lowercase letter, one number, and one symbol. But don’t use a common name—oh, never that!—nor the names of anyone you’ve ever met or have been related to in the past 50 years. And don’t be so stupid as to substitute a 3 for an E, or a 0 for an O, since we’re told that all the attack tools can figure that out. Instead, pick something random, with no relation to you, add numbers and symbols, and then remember it for a mere 90 days before you’re forced to change it to something else with no relation to any other password ever used in that system. (They check for those sorts of things.)
You want an alternative? Use a passphrase with at least 15 characters. Something that you can remember, but that’s so long that no automatic tool could ever brute-force its way through it. Perhaps a nice movie quote? Just make sure it isn’t from a popular movie. Anything from Star Wars, Star Trek, Die Hard, or Jerry Maguire is off the list. Don’t even think of going near The Princess Bride or the 1980s G.I. Joe TV show. Best to stick with something obscure—perhaps some Ukrainian post-expressionist new-age stop-motion noir. In the original Ukrainian—definitely not the Russian translation, and you know why. Then try to type it into your iPhone without a mistake within three tries before you lock yourself out of your account or, worse, erase the whole phone.
And, never forget that every time that you use the same password for two different sites, services, or computers, a kitten dies.
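To make the two rules above concrete, here is an added example (mine, not Macworld’s or the author’s) that encodes the eight-character “industry standard” complexity rule beside the 15-character passphrase rule, flags the capitalized-name-plus-number-plus-exclamation-point shape the column says people actually pick, and estimates the brute-force search space of each. The passphrase sample is constructed, and the two-to-four-digit tail in the shape check is my assumption about what “a number” usually looks like.

```python
import math
import re
import string

# Constructed example for this column, not Macworld's or the author's code:
# the two password rules the column contrasts, a check for the predictable
# "BoTheDog2008!" shape, and a rough brute-force search-space estimate.

SYMBOLS = set(string.punctuation)

# Capitalized word (digits allowed inside it, so 3-for-E and 0-for-O
# substitutions are still caught), two to four digits, optional trailing
# symbol: the "BoTheDog2008!" shape.
NAME_NUMBER_SYMBOL = re.compile(r"^[A-Z][A-Za-z0-9]*?\d{2,4}[^A-Za-z0-9]?$")

def meets_complexity_rule(pw: str) -> bool:
    """The 'industry standard' rule: 8+ chars, upper, lower, digit, symbol."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in SYMBOLS for c in pw))

def meets_passphrase_rule(pw: str) -> bool:
    """The alternative the column suggests: at least 15 characters."""
    return len(pw) >= 15

def looks_like_name_number_symbol(pw: str) -> bool:
    """True for the predictable pet-name-plus-year shape, leet or not."""
    return NAME_NUMBER_SYMBOL.match(pw) is not None

def search_space_bits(pw: str) -> float:
    """log2 of the brute-force search space over the character classes the
    password actually uses. This is an upper bound: a predictable shape is
    guessed long before an attacker exhausts this space."""
    classes = [(26, any(c.islower() for c in pw)),
               (26, any(c.isupper() for c in pw)),
               (10, any(c.isdigit() for c in pw)),
               (len(string.punctuation), any(c in SYMBOLS for c in pw)),
               (1, " " in pw)]
    alphabet = sum(size for size, used in classes if used)
    return len(pw) * math.log2(alphabet) if alphabet else 0.0

def assess(pw: str) -> dict:
    """Bundle the checks so a policy can weigh length against shape."""
    return {"complexity_rule": meets_complexity_rule(pw),
            "passphrase_rule": meets_passphrase_rule(pw),
            "predictable_shape": looks_like_name_number_symbol(pw),
            "search_space_bits": round(search_space_bits(pw), 1)}
```

Running `assess` on “BoTheDog2008!” and “Muppet83!” shows both passing the complexity rule while matching the predictable shape, whereas a constructed 34-character lowercase passphrase fails the complexity rule yet has a far larger search space.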
One password to rule them all?
Sure, you can always follow the recommendations that we here at Macworld have been harping on for years. Start by using a password manager like 1Password or LastPass that generates long random passwords for you, and protect them all behind one main, strong password. They work great; and once I bought 1Password, I stopped worrying about all those websites that I used Muppet83! for (I miss that dog).
Passwords upon passwords: Management utilities like 1Password can help, but they aren’t for everybody.
Except for iTunes, of course. Apple requires that you enter your password every time you buy anything, and sometimes prompts you for it seemingly at random, just to make sure you’re paying enough attention. Or iCloud, which seemingly requires you to reenter the password on every device, for every service, every time you’re foolish enough to make the smallest alteration in your iMessage settings. On iOS you can’t always jump away from the password prompt for system-level items, making it difficult to grab the correct entry from your password-management app and paste it in.
As for your even slightly less technical friends and family, good luck teaching them how to use a password manager and synchronize it reliably over multiple devices. Think about all the times when your password manager stored your full name as the username, or couldn’t paste the password into the nice HTML slide-down login field, or couldn’t associate a generated password with the proper login page. A mere annoyance for a technically proficient user is a game-ender for an average person who just wants to log in to a vegan cake-decorating forum safely.
At this point, don’t even think about mentioning the Keychain Access Utility.
We’ve published entire features dedicated to passwords, containing reams of advice that unnamed technophobes and tech tyros in your family will never reasonably follow, because the advice itself is completely unreasonable. We layer hacks upon hacks as best we can to stabilize a foundation incapable of supporting a house of cards.
The devil we know
So what are our alternatives? Dropbox, Google, and others now offer options to send one-time passwords as text messages to your phone, which you then combine with your main password. This two-factor authentication is, again, great for the technically proficient and for sites that we deem important, but can you imagine trying to force the method down the throats of millions of users—a large percentage of whom are on AT&T, which loves to play “guess when the text will arrive”?
Twice the factors: Two-factor authentication can help secure your account, but it’s a hassle.
Of course, we could always provide physical tokens (as some banks and PayPal now do) that either plug into a device—whoops, wrong device drivers!—or display a small, changing code on an LCD screen. Good luck, then, handling the support calls that ensue after gnomes steal the tokens from the junk drawer where the user confidently tossed the dongles. The idea of being able to forgo keys for my car, and yet having to carry around a retractable key chain full of tokens, just so I can make an online bank deposit or upload my extensive Amazon review of a $30 cast iron Dutch oven, drives me to the brink of despair.
No, when you consider consumer services at the scale we’re talking about, tokens are out. The planet doesn’t have enough digital locksmiths driving around in panel vans to meet the demands for help by people who’ll want to get back into BillPay at the end of every month.
What about biometrics? Fingerprint readers are cheap, Android phones include facial recognition for unlocking, and the resolution of FaceTime HD cameras on Macs is high enough to support iris scans. Those are great options—until the fingerprint reader gets dirty, or someone makes a high-resolution digital mask from a photo of you (yes, that actually works). Heck, even a photocopy of a fingerprint can fool all but the most expensive scanners.
And no matter how good your first layer of authentication is, an attacker can probably circumvent it and reset the relevant accounts simply by guessing the name of your middle-school mascot.
Here today, here tomorrow
Passwords are here to stay, headlines and technical advances notwithstanding. We might come up with viable alternatives on a smaller scale; but especially for the consumer world we live in, there are no broad, viable alternatives. And sometimes it doesn’t even seem to matter: My friend who has used variations of “wordpass” for every online account over the past 15 years has never once had one hacked. Meanwhile, I have a credit card with such obscure password rules that I don’t even try to keep track of it anymore—on the rare occasions when I need to log in, I simply type in random junk and use the password reset tool.
Which gets to the heart of why I hate passwords: Not only do we have no other options, but I can’t foresee the situation improving within my lifetime. Even the self-destruct system of the U.S.S. Enterprise is protected by a password (spoken, not typed).
In the end, passwords are like that second cousin who insists on sharing his political conspiracy theories every Thanksgiving. Dumb as they are, we hate them even more because we know we can never get rid of them.