The everyday agony of the password

It's hard to imagine an idea more inane than passwords. That we protect many of the most important aspects of our lives with little more than a short string of text is an extreme absurdity.

These collections of--admit it--eight characters are the gateways to everything from our bank accounts and medical records to our family photos to the most sensitive thoughts we've ever let slip via keyboard. To say merely that I loathe passwords would be to lump them with myriad other things in this world that are deserving of a good loathing--whereas passwords deserve their own very special throne of infamy.

And the worst part of it all? There isn't a single, viable alternative.

Pass go

If you haven't figured it out by now, I hate passwords. Their only redeeming value, from my perspective as a security professional, is that our reliance on them guarantees my children a decent college education.

I don't hate just the existence of passwords, or their faulty peculiarities (which I'm about to detail); I detest the fact that so much, of such grave importance, depends for its protection on a capitalized name (probably of a cat, dog, or lizard), a number (probably the last two digits of your year of birth or favorite athlete's jersey), and a concluding exclamation point. Never mind our personal accounts: These little strings are embedded throughout society's critical infrastructure. It wouldn't shock me at all to learn that the nuclear launch codes are stored on the President's computer, just waiting for someone to enter "BoTheDog2008!"--if not, as Dr. Strangelove anticipated, "PreserveOurEssences*1964."

Bestish practices

What's so bad about passwords? Well, to start with, any decent password is either nearly impossible to remember or too long to deal with.

Take the "industry standard" recommendations of at least eight characters, with at least one uppercase letter, one lowercase letter, one number, and one symbol. But don't use a common name--oh, never that!--nor the names of anyone you've ever met or have been related to in the past 50 years. And don't be so stupid as to substitute a 3 for an E, or a 0 for an O, since we're told that all the attack tools can figure that out. Instead, pick something random, with no relation to you, add numbers and symbols, and then remember it for a mere 90 days before you're forced to change it to something else with no relation to any other password ever used in that system. (They check for those sorts of things.)

You want an alternative? Use a passphrase with at least 15 characters. Something that you can remember, but that's so long that no automatic tool could ever brute-force its way through it. Perhaps a nice movie quote? Just make sure it isn't from a popular movie. Anything from Star Wars, Star Trek, Die Hard, or Jerry Maguire is off the list. Don't even think of going near The Princess Bride or the 1980s G.I. Joe TV show. Best to stick with something obscure--perhaps some Ukrainian post-expressionist new-age stop-motion noir. In the original Ukrainian--definitely not the Russian translation, and you know why. Then try to type it into your iPhone without a mistake within three tries before you lock yourself out of your account or, worse, erase the whole phone.
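To put the two rule sets above side by side, here is an added example (not code from the column) that implements the "industry standard" complexity policy and the 15-character passphrase alternative as checks, generates a policy-satisfying password from the OS random source the way a password manager does, and estimates the search space an exhaustive guesser faces under each. The denylists are constructed for the demo, and the alphabet sizes (95 printable ASCII characters; 27 for lowercase letters plus space) are assumptions.

```python
import math
import secrets
import string

# Added example, not code from the column: the "industry standard" complexity
# policy and the 15-character passphrase alternative as checks, a generator
# of the kind a password manager uses, and a search-space estimate.

# Constructed denylists standing in for "common names" and "popular movie
# quotes"; a real deployment would check against a breached-password corpus.
COMMON_WORDS = {"password", "wordpass", "muppet", "letmein", "qwerty"}
FAMOUS_QUOTES = {"may the force be with you", "hello my name is inigo montoya"}

# Undo the 3->E, 0->O style substitutions the column says attack tools see through.
_LEET = str.maketrans("3015$@!", "eoissai")


def _fold(text: str) -> str:
    return text.lower().translate(_LEET)


def contains_common_word(pw: str) -> bool:
    folded = _fold(pw)
    return any(word in folded for word in COMMON_WORDS)


def meets_complexity_policy(pw: str) -> bool:
    """At least 8 chars with upper, lower, digit and symbol, and no common word."""
    has_classes = (
        any(c.isupper() for c in pw)
        and any(c.islower() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(c in string.punctuation for c in pw)
    )
    return len(pw) >= 8 and has_classes and not contains_common_word(pw)


def meets_passphrase_policy(phrase: str) -> bool:
    """The column's alternative: 15+ characters and not a well-known quote."""
    normalized = " ".join(phrase.lower().split())
    return (
        len(phrase) >= 15
        and normalized not in FAMOUS_QUOTES
        and not contains_common_word(phrase)
    )


def generate_policy_password(length: int = 16) -> str:
    """Random password satisfying the complexity policy, drawn from the OS CSPRNG
    (secrets), which is what a password manager does for you."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_complexity_policy(candidate):  # rejection sampling keeps it uniform
            return candidate


def search_space_bits(length: int, alphabet_size: int) -> float:
    """log2 of the candidates an exhaustive guesser must try. This is an upper
    bound: a phrase taken from a known quote corpus has far fewer bits than
    this, which is why the denylist matters."""
    return length * math.log2(alphabet_size)


def passphrase_beats_complex_password() -> bool:
    """15 lowercase letters plus spaces (27 symbols) vs 8 printable ASCII (95)."""
    return search_space_bits(15, 27) > search_space_bits(8, 95)


if __name__ == "__main__":
    print("Muppet83! passes policy:", meets_complexity_policy("Muppet83!"))
    print("generated:", generate_policy_password())
    print("8 x printable ASCII:", round(search_space_bits(8, 95), 1), "bits")
    print("15 x lowercase+space:", round(search_space_bits(15, 27), 1), "bits")
```

The substitution-folding check rejects "Muppet83!" even though it ticks every character-class box, and the last two lines show that a 15-character lowercase phrase already has a larger search space (about 71 bits) than an 8-character password drawn from all printable ASCII (about 53 bits).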

And, never forget that every time that you use the same password for two different sites, services, or computers, a kitten dies.

One password to rule them all?

Sure, you can always follow the recommendations that we here at Macworld have been harping on for years. Start by using a password manager like 1Password or LastPass, which generates long random passwords for you and protects them all behind one main, strong password. They work great; and once I bought 1Password, I stopped worrying about all those websites that I used Muppet83! for (I miss that dog).

Except for iTunes, of course. Apple requires you to enter your password every time you buy anything, and sometimes prompts you for it seemingly at random, just to make sure you're paying enough attention. Or iCloud, which seemingly requires you to reenter the password on every device, for every service, every time you're foolish enough to make the smallest alteration in your iMessage settings. On iOS you can't always jump away from the password prompt for system-level items, making it difficult to grab the correct entry from your password-management app and paste it in.

As for your even slightly less technical friends and family, good luck teaching them how to use a password manager and synchronize it reliably over multiple devices. Think about all the times when your password manager stored your full name as the username, or couldn't paste the password into the nice HTML slide-down login field, or couldn't associate a generated password with the proper login page. A mere annoyance for a technically proficient user is a game-ender for an average person who just wants to log in to a vegan cake-decorating forum safely.

At this point, don't even think about mentioning the Keychain Access Utility.

We've published entire features dedicated to passwords, containing reams of advice that unnamed technophobes and tech tyros in your family will never reasonably follow, because the advice itself is completely unreasonable. We layer hacks upon hacks as best we can to stabilize a foundation incapable of supporting a house of cards.

The devil we know

So what are our alternatives? Dropbox, Google, and others now offer options to send one-time passwords as text messages to your phone, which you then combine with your main password. This two-factor authentication is, again, great for the technically proficient and for sites that we deem important, but can you imagine trying to force the method down the throats of millions of users--a large percentage of whom are on AT&T, which loves to play "guess when the text will arrive"?
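To make that scheme concrete, here is an added example (not Dropbox's or Google's code) of the server side: a random one-time code is issued per user, delivered out of band (the text message is outside this snippet, so the code is simply returned to the caller), and accepted only once, only within its lifetime, only for a limited number of guesses, and only after the main password has already checked out. The five-minute lifetime, five-attempt limit, demo account, and salt are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Added example, not the column's or any vendor's code: server side of the
# "one-time code by text message plus main password" scheme described above.

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300  # assumed lifetime; pick per your threat model
MAX_ATTEMPTS = 5        # lock the code after repeated wrong guesses


class OneTimeCodeStore:
    def __init__(self, now=time.time):
        self._now = now      # injectable clock so expiry can be tested
        self._pending = {}   # user -> [code, issued_at, attempts]

    def issue(self, user: str) -> str:
        """Create a fresh random code for the user, replacing any earlier one."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self._pending[user] = [code, self._now(), 0]
        return code  # in production this goes to the SMS gateway, not the caller

    def verify(self, user: str, submitted: str) -> bool:
        """Single-use, time-limited, attempt-limited, constant-time check."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        code, issued_at, attempts = entry
        if self._now() - issued_at > CODE_TTL_SECONDS or attempts >= MAX_ATTEMPTS:
            del self._pending[user]  # stale or hammered: force a new code
            return False
        entry[2] += 1
        if hmac.compare_digest(code.encode(), submitted.encode()):
            del self._pending[user]  # a code is consumed on first success
            return True
        return False


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed demo account; salt and hash would normally live in the user DB.
_SALT = b"constructed-demo-salt"
USERS = {"alice": _hash_password("correct horse battery staple", _SALT)}


def login(store: OneTimeCodeStore, user: str, password: str, code: str) -> bool:
    """Both factors must pass. The code is checked only after the password, so
    a guesser without the password cannot burn the code's attempt budget."""
    expected = USERS.get(user)
    if expected is None:
        return False
    if not hmac.compare_digest(expected, _hash_password(password, _SALT)):
        return False
    return store.verify(user, code)


if __name__ == "__main__":
    store = OneTimeCodeStore()
    code = store.issue("alice")  # would be texted to alice's phone
    print("first login:", login(store, "alice", "correct horse battery staple", code))
    print("replayed code:", login(store, "alice", "correct horse battery staple", code))
```

The order of checks in `login` matters: verifying the one-time code before the password would let anyone who knows a username lock the legitimate user out by exhausting the attempt budget.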

Of course, we could always provide physical tokens (as some banks and PayPal now do) that either plug into a device--whoops, wrong device drivers!--or display a small, changing code on an LCD screen. Good luck, then, handling the support calls that ensue after gnomes steal the tokens from the junk drawer where the user confidently tossed the dongles. The idea of being able to forgo keys for my car, and yet having to carry around a retractable key chain full of tokens, just so I can make an online bank deposit or upload my extensive Amazon review of a $30 cast iron Dutch oven, drives me to the brink of despair.

No, when you consider consumer services at the scale we're talking about, tokens are out. The planet doesn't have enough digital locksmiths driving around in panel vans to meet the demands for help by people who'll want to get back into BillPay at the end of every month.

What about biometrics? Fingerprint readers are cheap, Android phones include facial recognition for unlocking, and the resolution of FaceTime HD cameras on Macs is high enough to support iris scans. Those are great options--until the fingerprint reader gets dirty, or someone makes a high-resolution digital mask from a photo of you (yes, that actually works). Heck, even a photocopy of a fingerprint can fool all but the most expensive scanners.

And no matter how good your first layer of authentication is, an attacker can probably circumvent it and reset the relevant accounts simply by guessing the name of your middle-school mascot.

Here today, here tomorrow

Passwords are here to stay, headlines and technical advances notwithstanding. We might come up with viable alternatives on a smaller scale; but especially for the consumer world we live in, there are no broad, viable alternatives. And sometimes it doesn't even seem to matter: My friend who has used variations of "wordpass" for every online account over the past 15 years has never once had one hacked. Meanwhile, I have a credit card with such obscure password rules that I don't even try to keep track of it anymore--on the rare occasions when I need to log in, I simply type in random junk and use the password reset tool.

Which gets to the heart of why I hate passwords: Not only do we not have any other options, but I can't foresee the situation improving within my lifetime. Even the self-destruct system of the U.S.S. Enterprise is protected by a password (spoken, not typed).

In the end, passwords are like that second cousin who insists on sharing his political conspiracy theories every Thanksgiving. Dumb as they are, we hate them even more because we know we can never get rid of them.


Stories by Rich Mogull
