How do we solve a problem like passwords?

A friend asked a question:

People who are experts in something: what are the known unknowns, the great mysteries, of your field?

And I said:

If sufficiently complicated passwords can’t be remembered, and increasingly decreasing levels of simplicity in passwords can trivially be guessed by renting a subsection of a cloud platform for a couple of hours, how do you secure a website without making the registration and login process put users off?

…and I spent a while on a thread explaining why 2FA doesn’t solve that problem. So, let’s discuss that a bit.


Expressing The Problem

I am a reasonably security-conscious person, as these things go. My own solution to password security went through three phases. Phase one: “Things like banks get unique passwords, some things get this password, other things get that password”. Phase two: “I have a system! I’ll take these characters from the domain, ROT13 them, then a colon, the number of characters in the domain, multiplied by my birthdate, then a colon, then the TLD. So I can always work out the password!”. Phase three: Lastpass.

Phase one failed because it turns out some places keep their password salt static, some places don’t salt their passwords, and some places just store the plaintext. Phase two failed because sometimes the generated password failed a site’s password rules, and now I had to remember that Battlenet didn’t like semicolons (which, you’ll note, aren’t in the example formula, because the example formula is an example) and so they’re dashes there, that some places I had to capitalise the TLD, that some places required that the numbers not be sequential, and generally it turns out that password rules are bullshit.
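As an added example (not code from the original post), here is why the three storage habits just mentioned make a reused password dangerous: with no salt or a single site-wide salt, two accounts that share a password produce identical stored hashes, so a leaked table reveals the reuse before anyone cracks anything; a random per-user salt hides it. The site-wide salt, the usernames and the passwords are constructed sample values.

```python
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample value: one salt shared by every account on the site.
STATIC_SALT = b"site-wide-salt"
ITERATIONS = 100_000

def hash_unsalted(password: str) -> bytes:
    """Plain SHA-256 with no salt: identical passwords give identical hashes."""
    return hashlib.sha256(password.encode()).digest()

def hash_static_salt(password: str) -> bytes:
    """One site-wide salt: still identical hashes for identical passwords."""
    return hashlib.sha256(STATIC_SALT + password.encode()).digest()

def hash_per_user(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Random 16-byte salt per account plus a slow KDF (PBKDF2-HMAC-SHA256).
    Returns (salt, hash); the salt is stored next to the hash."""
    if salt is None:
        salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def verify_per_user(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison against the stored per-user hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)

def reuse_groups(table: Dict[str, bytes]) -> List[Set[str]]:
    """From a leaked {username: stored_hash} table, return groups of users whose
    hashes collide, i.e. whose shared password is visible without cracking."""
    by_hash: Dict[bytes, Set[str]] = defaultdict(set)
    for user, digest in table.items():
        by_hash[digest].add(user)
    return [users for users in by_hash.values() if len(users) > 1]

# Constructed sample accounts: two of the three picked the same password.
USERS = {"alice": "correct horse", "bob": "correct horse", "carol": "battery staple"}

def visible_reuse() -> Tuple[int, int, int]:
    """Reuse groups exposed by each scheme: (unsalted, static salt, per-user salt)."""
    unsalted = {u: hash_unsalted(p) for u, p in USERS.items()}
    static = {u: hash_static_salt(p) for u, p in USERS.items()}
    per_user = {u: hash_per_user(p)[1] for u, p in USERS.items()}
    return (len(reuse_groups(unsalted)), len(reuse_groups(static)),
            len(reuse_groups(per_user)))
```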

Phase three, Lastpass, persists.

So I signed up for Lastpass in 2014. Since I started using it, I’ve added 432 different accounts to my “Vault”. Assuming I’m above average in how many sites I’m signed up to by 50%, that’s still ~216 different passwords a more reasonable member of the public would have.

According to HaveIBeenPwned.com, my email address and passwords have been leaked 15 times, so there’s that too.

So, those are the rough parameters of the problem. It’s not reasonable to expect people to remember >200 different passwords, it’s not possible to define systems to generate unique passwords that satisfy every tinpot password rules list, and it’s not secure to repeat passwords because security is hard.

What are existing solutions for solving this?

Abstractions

Not all passwords are equal. I care significantly more about my bank passwords and things with my credit card in them than I do about entering prize coupons in a yogurt site. Above most of these is my email account, because once you have that, you can issue password resets from pretty much everywhere. Yay.

Centralised Authentication

This is nearly always OAuth, but expressed as “Login with Facebook”, “Login with Twitter”, “Login with Google”, or Steam, Github, or whatever.

On the plus side, this does remove a lot of the multiple passwords thing. If I can log in with Google everywhere, then I can use a complicated password for that and only have to remember one.

Except…

Today, I was at a site with OAuth login. It offered me the choices of Facebook, Twitter, Google, Reddit or Steam to log in with. I have accounts on *all* of these services. Which one did I use last time? Buggered if I can remember, and if I click on the wrong one I’ll have two accounts on this website, and I won’t even know.

Livejournal is an OAuth provider, so you can use your LJ account to sign into any OAuth site (… that allows arbitrary oauth providers, but let’s leave that aside for a sec). LJ also recently rewrote their terms & conditions to be potentially homophobic and also under Russian jurisdiction. So if you close your LJ account or don’t accept those T&C, you’ve also lost your login to any sites you signed up for.

Let’s hope Facebook don’t do something terrible with their Terms & Conditions ever, that would be a problem.

Yes, in many cases these get tied to your email address and you can reset it from there. We’ll deal with that in a bit. Also in many cases you can set a password and log in with your email address and that, but remember that the prerequisite here is a slick user flow. Asking to log in with X and then setting up a password isn’t any smoother than just asking for a password in the first place in most cases.

Password Managers

Obviously these are fairly arbitrary distinctions, because my password manager is secured behind 2FA, and my OAuth logins are in a password manager, but they all have unique problems.

The obvious one for password managers is that centralised security is centralised insecurity. So long as Lastpass’s servers remain a tower of impenetrable basalt against a raging tide of attacks, everything is secure (and the same remains true of other online services). The posited solution to this is things like Keepass, which use a local file. This, however, means that either your password file is in a single place (however well backed up) and logging in to things on your phone is difficult (or Keepass is on your phone and you have to type complex passwords in to your desktop, which is annoying), or you sync your encrypted passwords database using a mechanism like Dropbox or Onedrive, which gives you the same “It’s only secure while your host is” problem as Lastpass, plus you have to put the password for your syncing host somewhere, which provides an egg for your chicken to come from.

Without integration into browsers, it’s hard to penetrate the security-geek market. Google Chrome recently rebranded its “Safe Passwords” feature into Google Keep, which now asks me if I want to save passwords for sites as I log in (almost always no, in fact, it’s what Lastpass is for) but without a consistent UI and hooks, password managers aren’t slick enough to introduce to people who don’t care.

And most people don’t care.

Browser integrated password managers (by which I mean the native “Save this password?” dialogs) actually make this problem worse in some ways, because they don’t generally sync with smartphones, and as browsing flows from desktop to browser accounts it’s more important for those passwords to be available in both environments for most users.

Multifactor Authentication

Virtual Keys

By Virtual Key, I mean using your phone for two factor authentication. Have you added 2FA to anything recently? If they use the Google Authenticator system (also how Authy connects) you need to point your phone at a QR code, type in a code it gives you, wait thirty seconds, type in another code, and then it’s set up. This is amazing for anyone who has any idea how this works, and bullshit for everyone else. If you make this a required part of your signup process, your users will not go through signup.


(It’s not just the QR code, though the fact they just look awful doesn’t help. I spent several years professionally attempting to convince general-public users to use QR codes to go to websites. Even if you promised them free chocolate bars, high-percentage cash prizes or a Mercedes sodding Benz, you got a better response rate from “punch the monkey” banner ads.)
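As an added example (not code from the original post or from Google Authenticator), here is the server side of the enrollment handshake described above, implemented from RFC 4226/6238 with the standard library only: the secret the QR code carries, the 30-second code generation, and a confirmation step that only enables 2FA once the phone has produced two codes from consecutive windows. The issuer and account names are constructed, and the secret is the RFC 6238 test-vector secret so the values are checkable.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per window, as Google Authenticator uses
DIGITS = 6

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP over the number of whole steps since the Unix epoch."""
    return hotp(secret, at // step)

def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """The otpauth:// URI the QR code encodes for authenticator apps."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"

def confirm_enrollment(secret: bytes, first: str, second: str, now: int) -> bool:
    """Accept only if `first` and `second` are the codes for two consecutive
    windows ending near the current one (one window of clock skew tolerated).
    Requiring the pair proves the phone is producing the sequence, rather than
    a single code having been guessed or copied."""
    current = now // STEP
    for c in (current - 1, current, current + 1):
        if (hmac.compare_digest(hotp(secret, c - 1), first)
                and hmac.compare_digest(hotp(secret, c), second)):
            return True
    return False

# RFC 6238 test-vector secret; a real server would draw one with os.urandom().
SECRET = b"12345678901234567890"

def enrollment_demo() -> bool:
    """Replays the described flow at two fixed timestamps 2 windows apart:
    1111111109 and 1111111111 fall in consecutive 30-second windows."""
    first = totp(SECRET, 1111111109)     # code typed in straight away
    second = totp(SECRET, 1111111111)    # code typed in after the next tick
    return confirm_enrollment(SECRET, first, second, 1111111111)
```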

In addition to this, last year mobile internet use surpassed desktop. This means that your two-factor auth which pops up a handy notification — be it SMS, Authy, Google Auth or whatever — just went down a factor.

Lastly, remember the numbers above? I have four hundred accounts in Lastpass. Twenty of those have 2FA, and it’s an annoying list to scroll through to get the right one.

Add to this the same problems as password managers above. Either you sync your 2FA authentication to a third party service (Probably a different one to your password manager? but you do you) or you have a single breakable device which, should it fail or forget, will mean spending several hours attempting to regain access to accounts. And we’ll get to password reset in a bit.

Hardware Keys

Yubikey is the frontrunner in this race, I believe.

I fully admit that I don’t have one of these, but I’m considering getting one for the highest levels of my passwords (Production server auth, root access, personal & corporate bank access, c:\Home\Totally Innocent Files\Documents\Nothing To See Here\encypted_drive.tc). Right now the big problem with these is UI based — it’s an involved procedure to attach the key to the account — and provides a single specific small item that, if lost or left at home, completely ruins your ability to do anything that’s secured against it.

This isn’t unreasonable if these actions require that level of security, like entering a building, accessing a production server farm, transferring corporate funds. If your Farmville account needs the equivalent of nuclear launch codes, you’re just not going to set it up, or you’re going to remove it.

The Balance Of Security And Usability

One of the traditional questions in software security is the general form of my original question, “Where is the balance between security and usability?”, over which much virtual ink has been spilt, because the answer is and has always been “It depends”.

So the question above is specific. It’s about websites and account security, and annoyingly it still boils down to “It depends”.

Not only does it depend on the person — My standards and willingness to go the long way around are higher than those of my fictional great-aunt, because I understand the problem — but also on their relationship with the secured areas — My standards for my bank account are higher than for the account where I signed up to win a bottle of whiskey.

I am likely to mind less that I have to do a retinal scan in order to access my bank account. It makes me feel valued and secure. I am going to object to adding 2FA to my account for the whiskey competition, because it seems like overkill and I don’t need its icon on my phone for ever more.

Bypassing Advanced Security

But finally we get to the big problem with every single thing above: Every single one of those 400 accounts has a password reset procedure. Every single one of those 20 two factor authentication enabled accounts has a procedure to remove the 2FA in the event that I’ve lost access to the phone. Some of them involve one-time codes, but most of the ones that do also have some mechanism for phoning them up, or getting an email.

So, all of those will probably keep your account safe from general phishing attacks, or attempts to crack entire sites’ worth of accounts (or, possibly, get someone else’s account cracked instead of yours), but if you specifically are targeted, all they need is access to your email account.

It turns out that getting access to people’s accounts can mostly be done by stepping stones. A lot of sites have had their databases released onto the dark web, and even a lot of the ones that encrypted the passwords properly didn’t think to encrypt your mother’s maiden name. With that and your address and postal/Zip code you can probably get quite far.

And your address will almost certainly be something you put into that yogurt prize winning site, with the password you don’t care about.

Aftermath

This isn’t really a problem for geeks or the technologically aware. I don’t expect anyone reading this on Medium to take it for advice. But you know someone who uses one of four passwords for everything, as I do, and it’s not because they’re stupid or cavalier, it’s entirely because they don’t understand, grok, internalise that this is something that is worth caring about. If they hit a password rule they’ll add their birthday to the end, or capitalise the first character, and accept they’ll probably need to reset the password to get back in.

It’s easy to say that the answer is to require one of the above, to force 2FA on new accounts, to link to Lastpass or Yubikey, to incentivise additional security (as Carbine’s Wildstar, Blizzard and EA’s SWTOR all do within the gaming space, I’ve not seen incentives elsewhere), but websites in the modern age are built to be frictionless, and it’s something you find in usability testing almost universally: The more things a user has to think about to register for your site, the fewer users will register.

So the question remains.

If sufficiently complicated passwords can’t be remembered, and increasingly decreasing levels of simplicity in passwords can trivially be guessed by renting a subsection of a cloud platform for a couple of hours, how do you secure a website without making the registration and login process put users off?